[HowTo] Install dnscrypt in OSMC

Hi,
this is a reviewed HowTo that replaces the previous one.

Why is dnscrypt important?

In the same way SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

This DNSCrypt installation has been tested successfully on RPI and RPI2 with the stable release of OSMC.

Install necessary system packages and reboot:

sudo apt-get update

sudo apt-get install build-essential locate bash-completion tcpdump dnsutils libsodium-dev

sudo reboot

Compile dnscrypt from source and install:

mkdir -p dnscrypt

cd dnscrypt

wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.5.0.tar.gz

tar -xf dnscrypt-proxy-1.5.0.tar.gz

cd dnscrypt-proxy-1.5.0

sudo ldconfig

./configure

make

sudo make install

Configure the system
Preparing resolv.conf:

sudo mv /etc/resolv.conf /etc/resolv.conf.ORIGINAL

sudo nano /etc/resolv.conf

Then paste and save the following:

nameserver 127.0.0.2

Lock resolv.conf file

sudo chattr +i /etc/resolv.conf

Start dnsproxy in daemon mode automatically in systemd (create & edit the systemd service file; credits to hypechaotic):

sudo touch /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service 

sudo nano /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service 

and paste & save the following:

[Unit]
Description=Secure connection between your computer and DNS resolver
After=network.target network-online.target

[Service]
Type=forking
Restart=always
RestartSec=5
PIDFile=/var/run/dnscrypt-proxy.pid
ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \
-a 127.0.0.2 \
-R dnscrypt.eu-dk \
--edns-payload-size=4096 \
-p /var/run/dnscrypt-proxy.pid

[Install]
WantedBy=multi-user.target

Then reboot the RPI

sudo reboot

Test dnscrypt

sudo journalctl -u dnscrypt-proxy

You’ll get a similar output:

Apr 12 10:31:44 osmc dnscrypt-proxy[235]: Starting dnscrypt-proxy 1.4.3
Apr 12 10:31:44 osmc dnscrypt-proxy[235]: Initializing libsodium for optimal performance
Apr 12 10:31:44 osmc dnscrypt-proxy[235]: Generating a new key pair
Apr 12 10:31:44 osmc dnscrypt-proxy[235]: Done
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: Server certificate #808864433 received
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: This certificate looks valid
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: Chosen certificate #808864433 is valid from [2014-09-11] to [2015-09-11]
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8x5:F8xB:10A8:6DB1:C5CB:
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: Proxying from 127.0.0.2:53 to 176.56.x.x:443

Notes on this configuration:
I’ve chosen as resolver name a DNS located in Denmark (dnscrypt.eu-dk); you can choose a different resolver from the list at https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv (the resolver name to use is the one in the first column). I’ve also chosen a different local address (127.0.0.2) in order to avoid possible conflicts with 127.0.0.1 already being taken by another network daemon of the system. Change your systemd service with your values.

That’s all folks! Happy crypt

2 Likes
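
A check for the configuration in the HowTo above, as an added example that is not part of the original post: it confirms that every nameserver entry in resolv.conf equals the -a address in the service file, since any other entry would be queried as plain, unencrypted DNS. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm every resolver in resolv.conf is the dnscrypt-proxy listener.
# Function names and the sample files in demo() are constructed, not from the HowTo.

# Print the address passed to -a in the unit's ExecStart (continuation lines joined).
unit_listen_addr() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        line ~ /^ExecStart=/ {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] == "-a") { sub(/:[0-9]+$/, "", f[i + 1]); print f[i + 1]; exit }
        }' "$1"
}

# usage: check_dns_path RESOLV_CONF UNIT_FILE
# Returns 0 only if every nameserver is the proxy address.
check_dns_path() {
    listen=$(unit_listen_addr "$2")
    [ -n "$listen" ] || { echo "FAIL: no -a address found in $2"; return 2; }
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$servers" ] || { echo "FAIL: no nameserver line in $1"; return 1; }
    status=0
    for ns in $servers; do
        if [ "$ns" != "$listen" ]; then
            echo "FAIL: nameserver $ns is not the proxy address $listen"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then echo "OK: resolv.conf points only at $listen"; fi
    return "$status"
}

# Constructed sample files mirroring the HowTo, so the check runs on any machine.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 127.0.0.2\n' > "$d/resolv.conf"
    printf '%s\n' '[Service]' 'ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \' \
        '-a 127.0.0.2 \' '-R dnscrypt.eu-dk \' '-p /var/run/dnscrypt-proxy.pid' > "$d/unit"
    check_dns_path "$d/resolv.conf" "$d/unit"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

On the Pi itself, call check_dns_path with /etc/resolv.conf and the service file path used in the HowTo.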

Nice guide, gonna mess around with this. Been looking at dnscrypt a lot, just haven’t gotten around to it.

Hehe, I went a step further and implemented it into my router instead of just OSMC :smiley:

Thank you! :smile:

Thank you for the guide.
If you want you can update it to the last release which is dnscrypt-proxy-1.6.0.tar.gz

SKAL

Hi,

This is a great guide. Followed it and DNSCrypt was working. However I turned off the Pi and went away for a week and it seemed that the certificate expired whilst I was away and the Pi was off. This meant that I could not get the Pi online and in turn meant that the system date was not updated. Tried all sorts and was getting frustrated, but it seemed that I was able to update the system time with the following command:

sudo timedatectl set-time "2015-09-21 21:15:16"

After a reboot everything seemed to connect up again. Was this the correct way to fix the issue?

So, this brings a few questions which I hope someone might be able to help out with:

  1. How to prevent certificates expiring?
  2. How to temporarily disable DNSCrypt? (to allow to connect to internet and fix stuff)
  3. Just in case, how to uninstall DNSCrypt?

Also, seeing Skal’s note:

  1. How to upgrade 1.5.0 to 1.6.0?

Would one have to uninstall first? Or turn off temporarily? Or could one just complete all the steps again, but wget ver 1.6.0 instead?

How would the Pi know which version to use or would it automatically use the highest version?

Finally, I suppose one could make 1.6.0 in the previously created 1.5.0 folder, but it seems a bit messy to do it this way.

I hope someone will have a few ideas for these questions. Please explain in simple terms as I’m not familiar with Linux.

Many thanks.

Upgrading to 1.6 is the same process you did to install 1.5. I suggest downloading the new version, then uninstalling 1.5; if you still have the 1.5 sources, go to that directory and uninstall with the command:

sudo make uninstall

Then proceed with 1.6 as you did for 1.5 till the part of

sudo make install

Then reboot your RPI

For the expiring certificate I don’t know what I can say; it is supposed that when you use dnscrypt the certificate should renew if expired. A little trick is to change (even temporarily) the DNS server stated in /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service. Sorry, but I do not have experience with that…

To disable dnscrypt you can re-enable resolv.conf

sudo chattr -i /etc/resolv.conf

Then

nameserver 127.0.0.1

Reboot

by
den
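
For the certificate and system date problem discussed in the two posts above, an added example (not part of the original posts) that reads the "Chosen certificate" line from the dnscrypt-proxy journal and compares its validity window with the system date. The function names are constructed; the sample log lines are copied from the HowTo's output, and the date 2015-04-12 used with them is an assumption, since the log shows no year.

```sh
#!/bin/sh
# Added example: compare dnscrypt-proxy's certificate window with the system date.
# Function names are constructed for illustration.

# Read journal lines on stdin; print "FROM TO" (YYYY-MM-DD) of the last chosen certificate.
cert_window() {
    sed -n 's/.*Chosen certificate #[0-9]* is valid from \[\([0-9-]*\)\] to \[\([0-9-]*\)\].*/\1 \2/p' |
        tail -n 1
}

# usage: clock_vs_cert TODAY FROM TO  -> prints ok, clock-behind or expired
clock_vs_cert() {
    t=$(echo "$1" | tr -d '-'); f=$(echo "$2" | tr -d '-'); u=$(echo "$3" | tr -d '-')
    if [ "$t" -lt "$f" ]; then echo clock-behind      # date is before the window starts
    elif [ "$t" -gt "$u" ]; then echo expired         # date is after the window ends
    else echo ok; fi
}

# usage: sudo journalctl -u dnscrypt-proxy | check_cert_clock [TODAY]
# TODAY defaults to the system date; returns 0 only when it lies inside the window.
check_cert_clock() {
    today=${1:-$(date +%Y-%m-%d)}
    set -- $(cert_window)
    [ $# -eq 2 ] || { echo "no certificate line found"; return 2; }
    state=$(clock_vs_cert "$today" "$1" "$2")
    echo "$state: system date $today, certificate valid $1 to $2"
    [ "$state" = ok ]
}

# Two lines copied from the HowTo's sample output.
sample_log() {
cat <<'EOF'
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: This certificate looks valid
Apr 12 10:31:49 osmc dnscrypt-proxy[235]: Chosen certificate #808864433 is valid from [2014-09-11] to [2015-09-11]
EOF
}

# Assumed date for the sample log (the journal lines carry no year).
sample_log | check_cert_clock 2015-04-12
```

A clock-behind or expired result means the system date and the certificate disagree, which is the situation where checking the date with timedatectl is the first step.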

Would it be possible to use dnscrypt only for traffic to/from Transmission, not for any other application or service? That’s how I intend to set up OpenVPN (only for Transmission and Flexget or Sickrage).


Hi, I really don’t know if this is possible; for instance, DNS is a system call and not an application one. But maybe someone here has a solution for this.

But what is this for? DNSCrypt does not hide the connection destination, but prevents MITM or spoofing attacks between your box and the target responses, authenticating the target traffic.

by
Den