
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

3 votes · 1 answer · 2158 views
How to make dnscrypt-proxy auto start in Fedora 25
When I install `dnscrypt-proxy`, I found no `dnscrypt-proxy.service` here. I wrote a bash script to launch it, and wrote a desktop file here, `~/.config/autostart/dnscrypt.desktop`:

```
#!/bin/bash
zenity --password --title="sudo"|tr -d '\n'|sudo -S dnscrypt-proxy -R cisco -a 127.0.0.2:53 -u `whoami`
```

But it does not work after I input the password. I cannot find gksudo and gnome-keyring-query in the repo, so I use zenity.
eexpress (391 rep)
May 22, 2017, 05:05 PM • Last activity: Jul 9, 2025, 09:03 AM
0 votes · 0 answers · 1246 views
dnscrypt-proxy is missing from debian 12, going to install it via sid?
Given this discussion: https://github.com/DNSCrypt/dnscrypt-proxy/discussions/2410

It seems that **dnscrypt-proxy** has a dependency called `powerman`, used only for testing and not useful in the main package, which made it unable to compile, and it was not fixed before the last freeze of ***debian 12 bookworm***. The end result is that the package dnscrypt-proxy is not present in debian 12!

---

For my config I need the dnscrypt-proxy package. **The remaining options are:**

- Install it from http://deb.debian.org/debian/pool/main/d/dnscrypt-proxy/ ; however, that would be a static installation, hence not updated in case of security fixes.
- Otherwise, because it was fixed after the debian 12 release, it is possible to pull it from debian **sid**. (I searched and it seems that it isn't available from backports.)

---

**What is the best practice that allows me to not break the debian installation while integrating only that package from sid? Should I use apt pinning?**

Bard also suggested me this syntax for *sources.list*:

```
deb http://deb.debian.org/debian/sid main/dnscrypt-proxy
```

but it clearly doesn't work.
user3450548 (3094 rep)
Oct 30, 2023, 02:03 PM • Last activity: Oct 30, 2023, 04:35 PM
0 votes · 1 answer · 327 views
Bind9 keeps crashing when forwarding is enabled
I have a small debian server set up with bind9 and dnscrypt both on the same machine. Bind9 runs on port 53, dnscrypt on 5000. The regular bind9 server performs some checks, then forwards the requests to the dnscrypt one. It worked fine until now; however, since some days ago it can't boot, and crashes with the following lines showing in `journalctl -xe`:

```
Mar 19 16:00:46 myhost named: ../../../lib/dns/name.c:2487: REQUIRE((((dest) != ((void *)0)) && (((const isc__magi
Mar 19 16:00:46 myhost named: #0 0x559ba65cbd80 in ??
Mar 19 16:00:46 myhost named: #1 0x7f0525f9e9aa in ??
Mar 19 16:00:46 myhost named: #2 0x7f0527688f36 in ??
Mar 19 16:00:46 myhost named: #3 0x7f05277069ba in ??
Mar 19 16:00:46 myhost named: #4 0x7f052770828e in ??
Mar 19 16:00:46 myhost named: #5 0x7f05277085e1 in ??
Mar 19 16:00:46 myhost named: #6 0x7f0527764bf5 in ??
Mar 19 16:00:46 myhost named: #7 0x7f0527774591 in ??
Mar 19 16:00:46 myhost named: #8 0x7f0525fc2a23 in ??
Mar 19 16:00:46 myhost named: #9 0x7f05259694a4 in ??
Mar 19 16:00:46 myhost named: #10 0x7f0524dbad0f in ??
Mar 19 16:00:46 myhost named: exiting (due to assertion failure)
```

If I disable the forwarding option inside **/etc/bind/named.conf.options** it works again; once I enable the forwarding it crashes.

```
forward only;
forwarders { 127.0.0.1 port 5000; };
```

What could it be? I tried to understand better if it is something cache related, and if I could clean the installation and get back to the working status, but nothing... No matter if I try to forward the requests to another server like the 208.67.222.222 OpenDNS server, it crashes the same. :(
user3450548 (3094 rep)
Mar 19, 2022, 06:33 PM • Last activity: Mar 19, 2022, 11:37 PM
1 vote · 1 answer · 148 views
Should DNS queries for the time servers be encrypted?
When it comes to encrypting DNS queries using dnscrypt-proxy, people also tend to use dnsmasq on their linux machines. The main goal of this setup in the past was to provide a cache for DNS queries, but the DNS cache is now implemented in dnscrypt-proxy itself. So it looks like dnscrypt-proxy is all people need these days. But I noticed that people usually add the following line (or something similar) to the dnsmasq config:

```
server=/pool.ntp.org/1.1.1.1
```

The purpose of this line is to send DNS queries for the time server domain directly to the DNS server and hence skip the whole encryption process (it's just a regular DNS query). Some people once told me that these queries should go as fast as possible to provide a better time sync. So, does this approach make any sense?
Mikhail Morfikov (11039 rep)
Sep 17, 2020, 08:34 PM • Last activity: Sep 18, 2020, 04:56 PM
0 votes · 1 answer · 358 views
resolving a subdomain with dnscrypt-proxy returns an IP address but claims that the domain does not exist
I am using `dnscrypt-proxy` as a local stub for using DoH. Resolving subdomains claims that they "probably" don't exist or are blocked by the proxy, but the IP returned is correct. I am not sure if this is to be expected or indicative of some issue. **How is the output for the two examples below to be interpreted?**

```
generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve docs.google.com
Resolving [docs.google.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: docs.google.com.
IP addresses:   216.58.200.14, 2404:6800:4005:805::200e
TXT records:    google-site-verification=Ea9DtyEruwUPQhZm6VkAeu8Ww7RdLyfV-ounIdQlkuY
Resolver IP:    104.238.170.136 (104.238.170.136.vultr.com.)

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve drive.google.com
Resolving [drive.google.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: drive.google.com.
IP addresses:   172.217.16.142, 2404:6800:4005:802::200e
TXT records:    google-site-verification=pGMCXdTAsGW_L3o1ks9eToJ4g1R-l3r8TcXdkcA9RqY
Resolver IP:    185.95.216.116

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve eric.mink.li
Resolving [eric.mink.li]

Domain exists:  probably not, or blocked by the proxy
Canonical name: eric.mink.li.
IP addresses:   80.74.154.155
TXT records:    -
Resolver IP:    185.95.216.116

generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve mink.li
Resolving [mink.li]

Domain exists:  yes, 3 name servers found
Canonical name: mink.li.
IP addresses:   80.74.154.155
TXT records:    -
Resolver IP:    185.95.216.116
```
It's also interesting to note that not all subdomains exhibit this behaviour. For example this other website:
```
generic@motorbrot:/etc$ /opt/dnscrypt-proxy-2.0.44/dnscrypt-proxy -resolve eric.mink.com
Resolving [eric.mink.com]

Domain exists:  yes, 2 name servers found
Canonical name: eric.mink.com.
IP addresses:   69.172.201.153
TXT records:    -
Resolver IP:    185.95.216.116
```
These subdomains are all accessible in the browser (the eric.mink.com example is a redirect though).
lucidbrot (267 rep)
Jul 30, 2020, 12:48 PM • Last activity: Jul 30, 2020, 05:12 PM
6 votes · 1 answer · 1156 views
Going all-in on DNSSEC
I have been making an effort to go full on DNSSEC on my system with the following setup:

- `dnscrypt-proxy` installed, up and running on 127.0.0.1 with `require_dnssec = true`
- systemd-resolved running, with `DNSSEC=yes` and `DNS=127.0.0.1`
- only `nameserver 127.0.0.1` in `/etc/resolv.conf`
- connected through NetworkManager to a WiFi network about which I know the DHCP configuration sets 8.8.8.8 and 8.8.8.4 as DNS servers

`/run/systemd/resolve/resolv.conf` lists 8.8.8.8 and 8.8.8.4 below 127.0.0.1.

`resolvectl status` shows

```
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 127.0.0.1
DNS Servers: 127.0.0.1
```

in the Global section, but

```
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8 8.8.8.4
```

in my interface's section (why?).

tcpdump shows no activity at all on udp:53 when using a web browser, dig, or other normal usage. This I take to mean that my local dnscrypt-proxy is dealing with all DNS requests on my system. I also assume that because of the configuration settings mentioned above, I am going DNSSEC all the way.

However, from time to time the journal contains lines like:

```
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN DS: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN A: failed-auxiliary
```

- `resolvectl query v.dropbox.com` results in the same DNSSEC validation error
- `dig v.dropbox.com` works just fine
- `dig v.dropbox.com @8.8.8.8` also works just fine (of course resulting in two lines of output for tcpdump)

I also checked https://dnsleaktest.com , which tells me that a lot of 172.253.x.x servers are receiving a request to resolve domain names I enter into my web browser. These IPs seem to be owned by Google.

So, what does this mean? Is there any (non-DNSSEC) querying going on on this system? Any insights are appreciated!
Bart Van Loon (163 rep)
Nov 30, 2019, 04:38 AM • Last activity: Dec 29, 2019, 04:25 PM
0 votes · 0 answers · 888 views
High latency with dnscrypt-proxy
I have been using dnscrypt-proxy for some time and the latency for responses I've been monitoring for months is typically several times slower than if I used google, opendns, cloudflare, or quad 9. Is this typical? My average response time with dnscrypt is about 500ms (1/2 second), whereas with others, it is generally around 100ms or less. After my records are cached, this is a non-issue, but prior, it is a major annoyance to have additional latency that I think would be avoidable.
Walter (1264 rep)
May 16, 2018, 03:37 AM
5 votes · 1 answer · 12180 views
Configure BIND as Forwarder only (no root hints), encrypted + RPZ blacklist / whitelist all together
*My setup is getting more complex; generally I tend to divide things in pieces and assemble them together by myself. But it seems this time I need more help to get the whole gears working together. That's why I was requested by user @Rui F Ribeiro to ask this one as a separate question.*

---

What am I trying to achieve? Basically what I found called on the internet a DNS Firewall. I need a BIND server configured with these features:

- I want it to be able to FORWARD by default all the requests to an external DNS (in my case OpenDNS: 208.67.222.222, 208.67.220.220).
- It must NOT, in any case, query the ROOT-SERVERS, because OpenDNS has some useful functions of domain blocking/manipulating. So, if my bind server starts to ask things to OpenDNS and Root Servers randomly I will have different results each time. **(note: this forward must be done in encrypted mode for various reasons, including not getting intercepted and further manipulated by other servers in between)**
- The bind server also has to serve as cache; it's ok to send the queries to OpenDNS, but if I already have fresh data it is unnecessary to query again and again, wasting bandwidth and time.
- **Here comes my other main request that is making my config even more complex:** I want to set up an RPZ zone with a huge list of domains I don't want to be resolvable; basically I want to have them resolving as 127.0.0.1 or another ip/host of my lan that should serve as catch-all http server for ad purposes and so on.

How can I achieve such a complex configuration? Here are my config files; I guess something here is not working as necessary, so please help me with the config.

---

# named.conf

```
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
```

# named.conf.options

```
acl "trusted" {
    127.0.0.1/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    ::1;
};

options {
    directory "/var/cache/bind";     # bind cache directory
    recursion yes;                   # enables recursive queries
    allow-query { trusted; };
    allow-recursion { trusted; };    # allows recursive queries from "trusted" clients
    //listen-on { 0.0.0.0; };       # interfaces where to listen
    allow-transfer { none; };        # disable zone transfers by default

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forward only;
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    auth-nxdomain no;    # conform to RFC1035
    #listen-on-v6 { any; };

    response-policy {
        zone "rpz-white" policy PASSTHRU;   // my own white list
        zone "rpz-foreign";                 // obtained from producer
    };
};

zone "rpz-white" {
    type master;
    file "/etc/bind/rpz-white.db";
};

zone "rpz-foreign" {
    type master;
    file "/etc/bind/rpz-foreign.db";
};
```

# named.conf.local

```
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
```

# named.conf.default-zones

```
// prime the server with knowledge of the root servers
//zone "." {
//    type hint;
//    file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
```
user3450548 (3094 rep)
Mar 18, 2016, 04:33 PM • Last activity: Mar 1, 2018, 01:14 PM
0 votes · 1 answer · 255 views
How should I deal with cyclic dependencies caused by a systemd dynamic user not existing before the service starts?
I would like dnscrypt-proxy to run as a [dynamic user](http://0pointer.net/blog/dynamic-users-with-systemd.html) instead of as root. But I would also like to use a firewall rule in nftables where I specify the user `dnscrypt-proxy`, to allow it to connect to the upstream DNS provider.

Now the problem is that nftables wants to run before the network is up, which is good and needed, but it complains that the dnscrypt-proxy user doesn't exist. The dnscrypt-proxy service only runs after the network is up, and thus the user only gets created after the network is up.

What would be the standard/best way to deal with it?

- Should I try to specify a fixed user for dnscrypt-proxy instead of a dynamic one and set the other security options mentioned [here](http://0pointer.net/blog/dynamic-users-with-systemd.html) manually?
- Should I detect the service by some other means than its user name in nftables?
- Could I just manually create the dnscrypt-proxy user on my system, and will systemd just use it without deleting it because it already existed?
- Should I create a service that runs before nftables on every boot and creates that user, which would then be deleted by systemd when the dnscrypt service stops?

What would happen if the firewall is already running and the dnscrypt service is stopped? Would the firewall crash or get into some kind of trouble because a user-id mentioned in its ruleset no longer exists?
user13666
Jan 16, 2018, 01:39 PM • Last activity: Jan 16, 2018, 02:37 PM
2 votes · 0 answers · 320 views
Consequences of disabling the use of dnsmasq in Network Manager config?
In elementaryOS Loki, I have only been able to make DnsCrypt work properly (when manually setting the DNS server address in the GUI Network Settings to 127.0.0.1 or any other address starting with 127.0.0...) by commenting out the line in **/etc/NetworkManager/NetworkManager.conf** that says

> dns=dnsmasq

I still don't properly understand what dnsmasq does. What could be the negative consequences/downsides of disabling dnsmasq? What is one giving up by disabling its use by the Network Manager?
user5950 (121 rep)
Dec 20, 2017, 02:23 PM • Last activity: Dec 20, 2017, 02:30 PM
2 votes · 1 answer · 356 views
dnscrypt-proxy - not getting dnssec results
I have installed dnscrypt-proxy and am using a dnssec enabled provider; however, when testing my configuration, I'm not getting back dnssec information:

```
dig @127.0.0.1 -p 5300 weather.com +dnssec +multi

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 -p 5300 weather.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 256
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;weather.com.           IN A

;; ANSWER SECTION:
weather.com.            20 IN A 23.199.61.218

;; Query time: 112 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Tue Mar 07 10:27:54 EST 2017
;; MSG SIZE  rcvd: 56
```

Any ideas?
Walter (1264 rep)
Mar 7, 2017, 03:30 PM • Last activity: Jun 16, 2017, 09:42 AM
2 votes · 2 answers · 2463 views
Resolving DNS through HTTP/HTTPS
Is there a way to resolve DNS through HTTP/HTTPS? The case was: my ISP is redirecting every DNS request to their own DNS and poisoning the DNS records. All I need is a piece of software that could resolve requests using http or https; for example, when I set `/etc/resolv.conf` to `nameserver 127.0.0.1`, there would be a program/service that listens on 127.0.0.1:53 and submits HTTP requests containing DNS queries to another server.
Kokizzu (10481 rep)
Nov 15, 2014, 02:54 AM • Last activity: Feb 19, 2017, 12:28 PM