DNSCrypt-Proxy

From Alpine Linux
Revision as of 22:55, 28 March 2019 by Ianu

Overview

This article provides a short guide to setting up a DNSCrypt-Proxy server on Alpine Linux.

Also see dnscrypt.info. The source code is at github.com/jedisct1/dnscrypt-proxy.

Features

  • DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3, and DNSCrypt.
  • DNS query monitoring, with separate log files for regular and suspicious queries
  • Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
  • Time-based filtering, with a flexible weekly schedule
  • Transparent redirection of specific domains to specific resolvers
  • DNS caching, to reduce latency and improve privacy

and more...

Installation

Install the dnscrypt-proxy package:

apk add dnscrypt-proxy dnscrypt-proxy-openrc

Also see Alpine Linux package management.

Service commands

Enable the dnscrypt-proxy service so that it starts at boot:

rc-update add dnscrypt-proxy

Start the dnscrypt-proxy service immediately:

/etc/init.d/dnscrypt-proxy start

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.
Note: Configuration options are shown in /etc/dnscrypt-proxy/dnscrypt-proxy.toml. The file includes comments that explain many of the options.

Also see Alpine Linux Init System.

Exposing the service on the local network

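The main configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Any line starting with "#" is ignored by dnscrypt-proxy. The default setting listens only on the loopback addresses. To accept queries from other hosts on the network, replace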

listen_addresses = ['127.0.0.1:53', '[::1]:53']

with

listen_addresses = [':53']

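An address of ':53' binds port 53 on every interface, so make sure the port is reachable only from the local network. Then restart the service with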

/etc/init.d/dnscrypt-proxy restart
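
A check for the setting above, as an added example that is not part of the original wiki page or the dnscrypt-proxy project: the script lists the active listen_addresses entries and flags any that bind beyond loopback. The function names and the sample config are constructed for illustration, and the script assumes the array is written on a single line.

```shell
#!/bin/sh
# Added example (not from the wiki or the dnscrypt-proxy project): report
# which listen_addresses entries in a dnscrypt-proxy.toml accept queries
# from other hosts. Assumes the array is written on one line.

# Print each quoted entry of the uncommented listen_addresses line(s).
listen_entries() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" |
        sed 's/#.*$//' | grep -oE "'[^']*'|\"[^\"]*\"" | tr -d "'\""
}

# Classify one "address:port" entry by the interfaces it binds.
classify() {
    case "$1" in
        127.*:*|'[::1]':*)        echo loopback ;;
        :*|0.0.0.0:*|'[::]':*)    echo all-interfaces ;;
        *)                        echo specific-address ;;
    esac
}

# Print "entry<TAB>class" per entry; return 1 if any entry is not loopback.
audit_listen() {
    exposed=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        kind=$(classify "$entry")
        printf '%s\t%s\n' "$entry" "$kind"
        [ "$kind" = loopback ] || exposed=1
    done <<EOF
$(listen_entries "$1")
EOF
    return "$exposed"
}

# Constructed sample: the exposed setting, with the default commented out.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# listen_addresses = ['127.0.0.1:53', '[::1]:53']
listen_addresses = [':53']
EOF
audit_listen "$demo_conf" ||
    echo "resolver is reachable beyond loopback: restrict port 53 to the LAN"
rm -f "$demo_conf"
```

To check the live configuration, call audit_listen /etc/dnscrypt-proxy/dnscrypt-proxy.toml instead of the sample file.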

Forwarding internal traffic to a local DNS server

You'd want to do this if you use hostnames on your local network; normally these are managed by your home router. The main configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Remove the "#" from the beginning of the forwarding_rules line (shown below before and after the change)

# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'

Then copy the example file

cp /usr/share/dnscrypt-proxy/example-forwarding-rules.txt /etc/dnscrypt-proxy/forwarding-rules.txt

Then edit the file, and add a line for your local network. If your network is configured as ".home", and your home router is at 192.168.1.1 then add

home 192.168.1.1

Then restart the service with

/etc/init.d/dnscrypt-proxy restart

Creating a Family Friendly DNS Service

Some providers have their own adult content blocking filters. They don't all use the same system, so researching may be worthwhile. The list of providers can be found on the public-servers page. It might be unwise to select only one service in case it becomes unavailable. Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and make an adjustment like this in the Global Settings

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
server_names = ['cleanbrowsing-family']

Then restart the service with

/etc/init.d/dnscrypt-proxy restart