Hello,
I'm using dnsmasq as a DNS cache as described in the wiki:
/etc/dnsmasq.conf contains
listen-address=127.0.0.1
and this is my /etc/resolv.conf :
nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 8.26.56.26
This works beautifully: All DNS queries are successfully cached.
However, after adding dnscrypt-proxy it doesn't work anymore. The configuration is exactly as the wiki suggests.
The override.conf file in /etc/systemd/system/dnscrypt-proxy.socket.d is:
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
And /etc/dnsmasq.conf now contains:
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
systemctl status dnsmasq reports:
dnsmasq.service - A lightweight DHCP and caching DNS server
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
Active: active (running) since Mo 2015-09-21 13:09:58 CEST; 15min ago
Docs: man:dnsmasq(8)
Process: 1807 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
Main PID: 1810 (dnsmasq)
CGroup: /system.slice/dnsmasq.service
└─1810 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
Sep 21 13:09:58 MYARCH systemd[1]: Starting A lightweight DHCP and caching DNS server...
Sep 21 13:09:58 MYARCH dnsmasq[1807]: dnsmasq: syntax check OK.
Sep 21 13:09:58 MYARCH systemd[1]: Started A lightweight DHCP and caching DNS server.
Sep 21 13:09:58 MYARCH dnsmasq[1810]: started, version 2.75 cachesize 500
Sep 21 13:09:58 MYARCH dnsmasq[1810]: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
Sep 21 13:09:58 MYARCH dnsmasq[1810]: DBus support enabled: connected to system bus
Sep 21 13:09:58 MYARCH dnsmasq[1810]: using nameserver 127.0.0.1#40
Sep 21 13:09:58 MYARCH dnsmasq[1810]: read /etc/hosts - 4 addresses
systemctl status dnscrypt-proxy reports:
dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
Active: active (running) since Mo 2015-09-21 13:05:55 CEST; 21min ago
Main PID: 580 (dnscrypt-proxy)
CGroup: /system.slice/dnscrypt-proxy.service
└─580 /usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl
Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [NOTICE] Starting dnscrypt-proxy 1.6.0
Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [INFO] Generating a new session key pair
Sep 21 13:05:55 MYARCH dnscrypt-proxy[580]: [INFO] Done
Sep 21 13:06:10 MYARCH dnscrypt-proxy[580]: [ERROR] Unable to retrieve server certificates
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Refetching server certificates
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Server certificate #808464433 received
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] This certificate looks valid
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [INFO] Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357
Sep 21 13:06:12 MYARCH dnscrypt-proxy[580]: [NOTICE] Proxying from 127.0.0.1:40 to 176.56.237.171:443
And systemctl status dnscrypt-proxy.socket reports:
dnscrypt-proxy.socket - dnscrypt-proxy listening socket
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/dnscrypt-proxy.socket.d
└─override.conf
Active: active (running) since Mo 2015-09-21 13:05:55 CEST; 22min ago
Listen: 127.0.0.1:40 (Stream)
127.0.0.1:40 (Datagram)
Sep 21 13:05:55 MYARCH systemd[1]: Listening on dnscrypt-proxy listening socket.
This looks all correct to me. But when I execute dig archlinux.org I get:
; <<>> DiG 9.10.3 <<>> archlinux.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60037
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;archlinux.org. IN A
;; ANSWER SECTION:
archlinux.org. 27207 IN A 66.211.214.131
;; Query time: 51 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mo Sep 21 13:29:31 CEST 2015
;; MSG SIZE rcvd: 58
Obviously the second nameserver in /etc/resolv.conf is used and not 127.0.0.1, the request is not cached and not done through dnscrypt-proxy. But why?
I must be missing something very obvious.
Last edited by adventurer (2015-09-22 16:58:58)
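Added example (not part of the original thread): a small shell check for the symptom shown in the post above, where dig reported SERVER 208.67.222.222 instead of 127.0.0.1. It reads the SERVER line from dig output and lists the non-loopback nameserver entries in a resolv.conf-style file. The function names are made up for this example, and the sample input is constructed from the values in the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is taken from the first post.

# Print the resolver address from the ";; SERVER: addr#port(addr)" line of dig output on stdin.
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Succeed only if the dig output on stdin was answered by a loopback resolver.
answered_locally() {
    case "$(dig_server)" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every nameserver in a resolv.conf-style file that is not a loopback address.
non_loopback_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Constructed sample: tail of the dig output from the post.
sample_dig_output() {
    printf '%s\n' ';; ANSWER SECTION:' \
        'archlinux.org. 27207 IN A 66.211.214.131' \
        ';; Query time: 51 msec' \
        ';; SERVER: 208.67.222.222#53(208.67.222.222)'
}

# Constructed sample: the /etc/resolv.conf from the post.
sample_resolv_conf() {
    printf '%s\n' 'nameserver 127.0.0.1' 'nameserver 208.67.222.222' 'nameserver 8.26.56.26'
}

# Demo on the samples above; runs offline.
tmp=$(mktemp)
sample_resolv_conf > "$tmp"
if sample_dig_output | answered_locally; then
    echo "answer came from the local resolver"
else
    echo "answer came from $(sample_dig_output | dig_server), not from 127.0.0.1"
fi
echo "non-loopback nameserver entries in resolv.conf:"
non_loopback_nameservers "$tmp"
rm -f "$tmp"
```

On a live system the same functions can be fed real data: `dig archlinux.org | answered_locally` and `non_loopback_nameservers /etc/resolv.conf`.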
I solved the problem by disabling dnscrypt-proxy.socket:
systemctl stop dnscrypt-proxy.socket
systemctl disable dnscrypt-proxy.socket
and modifying the override.conf for dnscrypt-proxy:
[Unit]
Requires=
[Install]
Also=
[Service]
ExecStart=
ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl --local-address=127.0.0.1:40 --user=nobody
Now it works with dnsmasq as it should.
So my guess is that either the ...socket part of the dnscrypt-proxy package is broken somehow or the instructions on the dnscrypt wiki page are incorrect. I can't tell.
Anyways I'll mark this issue as solved.
hi buddy,
when changing the port 40 in dnscrypt-proxy.socket, I automatically cease to have internet connection. Why can it be?
Sorry, I don't know. As mentioned in my post above I disable dnscrypt-proxy.socket. I had problems using it, too. I suggest trying my approach - it works flawlessly for me.
Does it make a downgrade?