Setting up Personal Resolving DNS with Unbound and DNSCrypt-proxy
It is very important to set up dnscrypt-proxy and unbound correctly, so that every query goes through the encrypted proxy and nothing leaks to a plaintext resolver.
The Arch Linux Wiki is the best reference for setting up just about any kind of Linux software, and I rely on the expertise of the Arch Linux community to make sure I understand how things work.
Arch Linux Unbound Wiki
Please refer to my unbound and dnscrypt-proxy conf files for an example of how to set these up.
Important things to note: in unbound.conf, every IP listed under forward-zone is used to resolve your DNS queries, so make sure that only the dnscrypt-proxy address and the ports you have set up are listed under forward-zone:
    # /etc/unbound/unbound.conf
    forward-zone:
        name: "."
        forward-addr: 127.0.0.1@5353   # dnscrypt-proxy dnscrypt.eu-dk
        forward-addr: 127.0.0.1@5354   # dnscrypt-proxy dnscrypt.eu-nl

Note that unbound separates address and port with "@"; a "#" would start a comment and unbound would forward to 127.0.0.1 on port 53, i.e. to itself.
Follow the Arch Linux DNSCrypt-Proxy Wiki
Make the systemd unit files as required, using /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv as a reference.
I have the files created in /etc/systemd/system/ for your reference on my GitHub.
Create the socket files for your dnscrypt resolvers. The names come from dnscrypt-resolvers.csv and follow the dnscrypt-proxy@<resolver>.socket pattern that the service unit expects; for example, to use dnscrypt.eu-nl you would create the file dnscrypt-proxy@dnscrypt.eu-nl.socket in the same directory.
These socket files will contain the following.
If you are setting up a fallback dnscrypt resolver, make sure to change the port in each socket file, as each resolver needs to bind to its own port. So, to have a primary and a secondary, you would create two socket files named after resolvers from dnscrypt-resolvers.csv, like dnscrypt-proxy@dnscrypt.eu-dk.socket and dnscrypt-proxy@dnscrypt.eu-nl.socket, and each would need its own unique port to bind to, like below:
    # /etc/systemd/system/dnscrypt-proxy@dnscrypt.eu-dk.socket
    [Unit]
    Description=dnscrypt-proxy listening socket

    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:5353
    ListenDatagram=127.0.0.1:5353

    [Install]
    WantedBy=sockets.target
For the secondary file, if you want to create a fallback:
    # /etc/systemd/system/dnscrypt-proxy@dnscrypt.eu-nl.socket
    [Unit]
    Description=dnscrypt-proxy listening socket

    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:5354
    ListenDatagram=127.0.0.1:5354

    [Install]
    WantedBy=sockets.target
Note: we use ports larger than 1000 so that no root privileges are needed to bind, and dnscrypt-proxy can run as an unprivileged user, in this case the user dnscrypt.
You will then create the dnscrypt-proxy@.service file in /etc/systemd/system/, which overrides the original unit in
This file is rather simple and just contains the start information:
    # /etc/systemd/system/dnscrypt-proxy@.service
    [Unit]
    Description=DNSCrypt client proxy
    Documentation=man:dnscrypt-proxy(8)
    Requires=dnscrypt-proxy@%i.socket

    [Service]
    User=dnscrypt
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    Type=notify
    NonBlocking=true
    ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=%i
    Restart=always
Once complete, just enable and start the units. On boot, the sockets will start the services automatically on the first query.

    systemctl enable dnscrypt-proxy@dnscrypt.eu-dk.socket
    systemctl enable dnscrypt-proxy@dnscrypt.eu-nl.socket
    systemctl enable unbound
    systemctl start dnscrypt-proxy@dnscrypt.eu-dk.socket
    systemctl start dnscrypt-proxy@dnscrypt.eu-nl.socket
    systemctl start unbound
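The socket units above are written by hand, which is how a second resolver ends up on the same port as the first. The script below is an added example, not part of this post or of the dnscrypt-proxy project: it generates one dnscrypt-proxy@<resolver>.socket per resolver in the layout shown above, refuses a port that would need root or that another socket unit already uses, and then emits the matching unbound forward-zone stanza from whatever socket units exist, so the two files cannot drift apart. OUTDIR and the resolver/port pairs are assumptions for illustration; on a real host OUTDIR would be /etc/systemd/system.

```shell
#!/usr/bin/env bash
# Added example (not the post's own files): generate dnscrypt-proxy socket
# units with unique unprivileged ports and derive the unbound forward-zone
# from them. Resolver names and ports used here are constructed samples.
set -eu

# Write OUTDIR/dnscrypt-proxy@RESOLVER.socket bound to 127.0.0.1:PORT.
# Refuses ports that need root (<1024) and ports already taken by another
# socket unit in OUTDIR, so a primary and a fallback never collide.
write_socket_unit() {
    local outdir=$1 resolver=$2 port=$3
    if [ "$port" -lt 1024 ]; then
        echo "refusing port $port for $resolver: would require root to bind" >&2
        return 1
    fi
    if grep -qs "^ListenDatagram=127.0.0.1:$port\$" "$outdir"/dnscrypt-proxy@*.socket; then
        echo "refusing port $port for $resolver: already used by another socket unit" >&2
        return 1
    fi
    cat > "$outdir/dnscrypt-proxy@$resolver.socket" <<EOF
[Unit]
Description=dnscrypt-proxy listening socket ($resolver)

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:$port
ListenDatagram=127.0.0.1:$port

[Install]
WantedBy=sockets.target
EOF
}

# Print the unbound forward-zone stanza for every socket unit in OUTDIR.
# Because the list is derived from the sockets, it can only ever contain
# the local dnscrypt-proxy listeners, never an upstream IP.
unbound_forward_zone() {
    local outdir=$1 f resolver port
    echo 'forward-zone:'
    echo '    name: "."'
    for f in "$outdir"/dnscrypt-proxy@*.socket; do
        [ -f "$f" ] || continue
        resolver=${f##*/dnscrypt-proxy@}
        resolver=${resolver%.socket}
        port=$(sed -n 's/^ListenDatagram=127\.0\.0\.1:\([0-9]*\)$/\1/p' "$f")
        echo "    forward-addr: 127.0.0.1@$port  # dnscrypt-proxy $resolver"
    done
}
```

Usage: `write_socket_unit /etc/systemd/system dnscrypt.eu-dk 5353`, then the same for the fallback on another port, then `unbound_forward_zone /etc/systemd/system` and paste the output into unbound.conf. The "@" separator is produced by the script, so the "#" typo that would make unbound forward to port 53 cannot be introduced by hand.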
Finally, to ensure NetworkManager does not try to change your resolv.conf file, set the line dns=none in its configuration, and add nohook resolv.conf to /etc/dhcpcd.conf. For good measure, to ensure no system process overwrites or appends to resolv.conf, I make the file immutable with chattr:

    sudo chattr +i /etc/resolv.conf
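Two files decide whether a query ever leaves the box in the clear: the forward-zone in unbound.conf and /etc/resolv.conf. The script below is an added example, not part of this post: it checks that every forward-addr is 127.0.0.1 on one of the ports the dnscrypt-proxy sockets listen on (a public IP, a missing port, or the "#" typo that drops the port are all reported), and that resolv.conf lists only the local unbound as nameserver. The file paths are assumptions passed as arguments; the sample configs in make_samples are constructed for the check and include the "#" typo on purpose.

```shell
#!/usr/bin/env bash
# Added example (not the post's own files): audit unbound's forward-zone
# and resolv.conf for anything that would bypass dnscrypt-proxy.
set -u

# Every forward-addr in CONF must be 127.0.0.1@PORT with PORT among the
# allowed dnscrypt-proxy ports given as the remaining arguments.
# Returns 1 and reports each offending address on stderr.
check_forward_zone() {
    local conf=$1; shift
    local allowed=" $* " addr bad=0
    # Capture the address token after "forward-addr:"; a '#' ends the
    # token, so "127.0.0.1#5354" is seen as a bare 127.0.0.1 (port 53).
    for addr in $(sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf"); do
        case "$addr" in
            127.0.0.1@*)
                case "$allowed" in
                    *" ${addr#127.0.0.1@} "*) ;;
                    *) echo "LEAK: $addr is not a dnscrypt-proxy listener port" >&2; bad=1 ;;
                esac ;;
            *) echo "LEAK: $addr bypasses dnscrypt-proxy" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# resolv.conf must point only at the local unbound; a DHCP hook or
# NetworkManager rewriting it would send queries straight to the ISP.
check_resolv_conf() {
    local f=$1 ns bad=0
    for ns in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"); do
        case "$ns" in
            127.0.0.1|::1) ;;
            *) echo "LEAK: resolv.conf nameserver $ns is not the local unbound" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample inputs (not real configs from the post) written into DIR:
# a correct forward-zone, one with the '#' typo plus an upstream IP, and two
# resolv.conf variants. 192.0.2.0/24 is a documentation range.
make_samples() {
    local d=$1
    cat > "$d/unbound-good.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353   # dnscrypt-proxy dnscrypt.eu-dk
    forward-addr: 127.0.0.1@5354   # dnscrypt-proxy dnscrypt.eu-nl
EOF
    cat > "$d/unbound-bad.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353   # dnscrypt-proxy dnscrypt.eu-dk
    forward-addr: 127.0.0.1#5354   # typo: unbound reads this as port 53
    forward-addr: 192.0.2.1@53     # upstream resolver, bypasses dnscrypt
EOF
    printf 'nameserver 127.0.0.1\noptions edns0\n' > "$d/resolv-good.conf"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$d/resolv-bad.conf"
}
```

Usage on a live host: `check_forward_zone /etc/unbound/unbound.conf 5353 5354 && check_resolv_conf /etc/resolv.conf`, where the port list is taken from the ListenDatagram lines of your socket units. Running it after every package upgrade or NetworkManager change catches a silently rewritten resolv.conf before the chattr +i step is forgotten.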
Finally, make sure you configure iptables to allow only the connections you need.
My iptables rules are included as well.