Sorry for the necropost, but I just installed dnscrypt on my raspi with dietpi and pihole and wanted to share my experience to give feedback for:
https://github.com/Fourdee/DietPi/issues/163
First of all, there is a nice howto on the pihole wiki,
but I found an easier way here:
https://blog.milne.it/2017/02/05/dnscrypt-proxy-alternative-install-method-for-debian-raspbian-jessie/
it’s really simple; just replace jessie with stretch in
sed -i 's/jessie/stretch/' /etc/apt/sources.list
apt-get update
apt-get install dnscrypt-proxy
sed -i 's/stretch/jessie/' /etc/apt/sources.list
apt-get update
It will install only three packages: libltdl7 libsodium18 dnscrypt-proxy
After that you can read the guide from pi-hole.
Because I used OpenNIC DNS, I'll share my experience:
cp -t /etc/systemd/system/ -- /lib/systemd/system/dnscrypt-proxy.s*
edit the two files:
dnscrypt-proxy.socket
[Unit]
Description=dnscrypt-proxy listening socket
Documentation=man:dnscrypt-proxy(8)
Wants=dnscrypt-proxy-resolvconf.service
[Socket]
ListenStream=127.10.10.1:41
ListenDatagram=127.10.10.1:41
[Install]
WantedBy=sockets.target
because port 53 was used by pihole's dnsmasq
dnscrypt-proxy.service
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target
[Service]
Type=simple
NonBlocking=true
User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Restart=always
dnscrypt-proxy.service from /lib/systemd/system/ had more options
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target
[Service]
Type=notify
NonBlocking=true
User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Restart=always
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
but probably because of an old version of systemd they were not recognized.
/etc/dnscrypt-proxy/dnscrypt-proxy.conf
# A more comprehensive example config can be found in
# /usr/share/doc/dnscrypt-proxy/examples/dnscrypt-proxy.conf
## Manual settings, only for a custom resolver not present in the CSV file
## this DNS - https://servers.opennicproject.org/edit.php?srv=ns7.nh.nl.dns.opennic.glue
ProviderName 2.dnscrypt-cert.opennic.peer3.famicoman.phillymesh.net
ProviderKey B88F:4860:5517:3696:A3D2:BFE0:ECC7:6175:198F:E012:E101:B4FE:869C:1E9C:4C35:E74F
ResolverAddress 146.185.176.36:5353
#ResolverName random
## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and
## run the server as a less-privileged system user.
## The value for this parameter is a user name.
#User _dnscrypt-proxy
For a reason I don't know, the User option didn't work (some error about not being able to access $HOME, even though it was a valid directory with the right permissions).
After that it's just a
systemctl enable dnscrypt-proxy.service
systemctl start dnscrypt-proxy.service
and to check if it’s working
systemctl status dnscrypt-proxy.service
journalctl -u dnscrypt-proxy.service -b
Remember to change the dnsmasq config as explained here
Final consideration:
when dietpi stretch is released, dnscrypt could be easily integrated, or could be a replacement for pihole with its filtering capabilities
(Home · DNSCrypt/dnscrypt-proxy Wiki · GitHub), even if:
Contrary to other systems, responses to blacklisted queries do not contain fake IP addresses, but use the standard REFUSED DNS error code.
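
The post above guesses that the sandboxing options in the packaged dnscrypt-proxy.service were not recognized because systemd was too old. The script below is an added example, not part of the original post or of the dnscrypt-proxy package: it lists which of those directives a given systemd release cannot honour, so it is clear what protection is lost when they are dropped. The function names are hypothetical, the sample unit is constructed from the lines quoted in the post, and the minimum versions are taken from the systemd NEWS file.

```shell
#!/bin/sh
# Release that introduced each hardening directive (per the systemd NEWS file).
min_version() {
    case "$1" in
        ProtectSystem=strict)     echo 232 ;;  # the "strict" value is newer than the key
        ProtectSystem=*)          echo 214 ;;
        ProtectHome=*)            echo 214 ;;
        MemoryDenyWriteExecute=*) echo 231 ;;
        RestrictRealtime=*)       echo 231 ;;
        ProtectKernelModules=*)   echo 232 ;;
        ProtectKernelTunables=*)  echo 232 ;;
        ProtectControlGroups=*)   echo 232 ;;
        *)                        echo 0 ;;    # not a directive this script tracks
    esac
}

# unsupported_directives UNIT_FILE SYSTEMD_VERSION
unsupported_directives() {
    while IFS= read -r line || [ -n "$line" ]; do
        need=$(min_version "$line")
        if [ "$need" -gt "$2" ]; then
            echo "$line (needs systemd >= $need)"
        fi
    done < "$1"
}

# Constructed sample: the [Service] hardening lines quoted in the post.
sample_unit() {
    cat <<'EOF'
[Service]
Type=notify
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
EOF
}

tmp=$(mktemp)
sample_unit > "$tmp"
# 215 is the systemd release in Debian jessie, 232 the one in stretch.
echo "systemd 215:"; unsupported_directives "$tmp" 215
echo "systemd 232:"; unsupported_directives "$tmp" 232
rm -f "$tmp"
# On a real host: v=$(systemctl --version | awk 'NR==1 {print $2}')
#                 unsupported_directives /lib/systemd/system/dnscrypt-proxy.service "$v"
```

A directive reported here is not enforced on that host, so a service unit stripped down to match the old systemd runs without the filesystem and kernel protections the stretch package intended.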