dnscrypt-proxy: Installing on Debian / Raspbian Jessie

Update 5th Feb 2017: Before installing dnscrypt-proxy using this guide, please read dnscrypt-proxy: Alternative install method for Debian / Raspbian Jessie, which outlines an easier and arguably superior method for installation.

I’m taking a quick detour from the Windows world to the Linux world already, as I happened to notice that I’m long overdue upgrading my dnscrypt-proxy installs.

I may go into more detail on my internal DNS setup in another post, but for now what’s relevant is that I have two Raspberry Pis running Raspbian Jessie, each with dnscrypt-proxy running on them for DNS lookups in my internal network. DNSCrypt encrypts and authenticates the traffic between a client and a resolver: roughly, what HTTPS is to HTTP, DNSCrypt is to DNS. Note that it authenticates the resolver you are talking to, not the answers themselves, so it complements DNSSEC rather than replacing it. Resolvers conventionally listen on UDP or TCP port 443.

The way I install it is largely as per this guide from Shell Hacks, but instead of make install, I use the checkinstall utility, which creates a .deb package file and then installs that .deb. There are two main advantages to this:

  1. I can manage (install / remove) the package with dpkg.
  2. I can reuse the package between my Raspberry Pis.

RPi 1 – Installing from source

Install Prerequisites

First, we install the prerequisites from Debian’s apt.

sudo apt-get install build-essential dnsutils checkinstall
  • build-essential is required for compiling dnscrypt-proxy.
  • checkinstall we want as mentioned above.
  • dnsutils is optional. It’s for dig; you’ll see why shortly.
    (I get the impression that most Linux admins would consider dig a given these days. I’m almost afraid to admit that I’m more of an nslookup person.)

Install libsodium

Next, we install libsodium. Now, this appears to be available in apt as libsodium13 (with the headers needed for compiling in libsodium-dev); however, last I tried I wasn’t able to get it working with this package. It’s possible that it might work now; indeed I’ve noticed that dnscrypt-proxy’s 1.9.2 release notes make reference to older versions:

Compatibility with ancient libsodium versions (1.0.0, as still shipped in Debian Jessie) has been restored.

However, libsodium is a cryptographic library, so in my opinion it’s always best to have a modern version, or at least one that isn’t “ancient”. This isn’t an invasive system package, it’s a small library, so I don’t feel we’re risking Debian Stable becoming…er…unstable. The trade-off of building it ourselves is that apt will not update it: any future libsodium security fix is ours to rebuild and redeploy.

Download the latest libsodium (1.0.11 at the time of writing), extract, configure, make. The make takes me around 30-45 minutes on my original Model B Raspberry Pi, so be patient. Note that the download is over HTTPS but nothing below checks a signature; libsodium publishes detached signatures for its release tarballs, and verifying one before building is worth the extra step.

> wget https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
> tar -xzf LATEST.tar.gz
> rm -f LATEST.tar.gz
> cd libsodium-*/
> ./configure
> make

Now we run checkinstall, to install the package and create our deb. Give it the description “libsodium”, and accept all other defaults.

> sudo checkinstall

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.


The package documentation directory ./doc-pak does not exist.
Should I create a default set of package docs?  [y]:

Preparing package documentation...OK

Please write a description for the package.
End your description with an empty line or EOF.
>> libsodium
>>

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 -  Maintainer: [ root@hostname ]
1 -  Summary: [ libsodium ]
2 -  Name:    [ libsodium ]
3 -  Version: [ 1.0.11 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ armhf ]
8 -  Source location: [ libsodium-1.0.11 ]
9 -  Alternate source location: [  ]
10 - Requires: [  ]
11 - Provides: [ libsodium ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install...

<snip>

**********************************************************************

 Done. The new package has been installed and saved to

 /home/username/libsodium-1.0.11/libsodium_1.0.11-1_armhf.deb

 You can remove it from your system anytime using:

      dpkg -r libsodium

**********************************************************************

Finally run ldconfig; this is required. make install put the library under /usr/local/lib, and ldconfig refreshes the dynamic linker’s cache so that binaries linked against libsodium can find it at run time.

> sudo ldconfig

Install dnscrypt-proxy

Now, we download the latest dnscrypt-proxy (1.9.4 at the time of writing). If you want, you can compare its checksum with the SHA-256 that the project used to publish in a DNSSEC-signed TXT record, using dig. Two caveats about the command as typed below: +dnssec only asks the resolver to include the RRSIG records, it does not make dig validate them, and +short hides the header, so you cannot see whether the resolver set the AD (authenticated data) flag. Unless your resolver validates DNSSEC, the TXT record is no more trustworthy than the download itself. You used to be able to do this for libsodium downloads too, but it seems they no longer create TXT records for new versions.

> wget https://download.dnscrypt.org/dnscrypt-proxy/LATEST.tar.gz
> dig +dnssec +short txt LATEST.tar.gz.download.dnscrypt.org
"be9827f66401f38fd4bdb372046eff9b5802ab5f3d188878a0dcd7bd20074c09"
> shasum -a 256 LATEST.tar.gz
40543efbcd56033ac03a1edf4581305e8c9bed4579ac55e6279644f07c315307  LATEST.tar.gz

…uuh?

> dig +short +dnssec txt dnscrypt-proxy-1.9.4.tar.gz.download.dnscrypt.org
 
> dig +short +dnssec txt dnscrypt-proxy-1.7.0.tar.gz.download.dnscrypt.org
"be9827f66401f38fd4bdb372046eff9b5802ab5f3d188878a0dcd7bd20074c09"

…and it seems dnscrypt stopped updating their TXT records after version 1.7.0, making this entirely pointless. Ah well. TCP’s checksums make a truncated or corrupted download unlikely, and HTTPS authenticates that we are talking to download.dnscrypt.org (assuming you trust the CA system, anyway), but neither proves the tarball is the one the developers released: a compromised server would happily serve a modified file over a perfectly valid TLS connection. The project also publishes minisign signatures for its release tarballs, and checking one of those is the stronger test.
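For the record, here is how the TXT-record check above would look if done properly. This is an added example, not code from the original post or from the dnscrypt project: it takes the full dig output (no +short), accepts the TXT string only when the resolver’s header carries the ad flag, and compares it with the file’s SHA-256. The dig output, domain name and sample file are constructed for illustration; in real use you would feed it the output of dig +dnssec txt <name>. Remember that ad only tells you the resolver you asked did the validation, so it is only meaningful with a validating resolver you trust, ideally one on localhost.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded tarball
# against the SHA-256 published in a DNS TXT record, accepting the record
# only if the resolver reported it as DNSSEC-validated (the 'ad' flag).
# The dig output, domain name and file content below are constructed samples.

# Print the TXT string from a full dig answer (no +short), but only when the
# header carries the 'ad' flag; otherwise print nothing.
txt_from_validated_answer() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ { if ($0 ~ /[ ,]ad[ ;,]/) validated = 1 }
        $4 == "TXT" && validated { gsub(/"/, "", $5); print $5; exit }
    '
}

# Compare the file's SHA-256 with the validated TXT record.
# Returns 0 on match, 1 on mismatch, 2 when no validated record was found.
verify_download() {
    file=$1
    dig_output=$2
    expected=$(txt_from_validated_answer "$dig_output")
    if [ -z "$expected" ]; then
        echo "no DNSSEC-validated TXT record for $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    echo "ok: $file matches $expected"
}

# Constructed sample: a file whose SHA-256 is known, and a dig answer for it.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf 'hello\n' > "$SAMPLE_FILE"
SAMPLE_HASH=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Constructed dig output with the 'ad' flag set (the resolver validated it).
VALIDATED_ANSWER=";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sample.tar.gz.download.example. 3600 IN TXT \"$SAMPLE_HASH\"
sample.tar.gz.download.example. 3600 IN RRSIG TXT 13 4 3600 20170301000000 20170201000000 12345 download.example. c29tZXNpZ25hdHVyZQ=="

# Same answer without 'ad': the resolver did not (or could not) validate it,
# so the hash in it is just an unauthenticated string and must be rejected.
UNVALIDATED_ANSWER=$(printf '%s\n' "$VALIDATED_ANSWER" | sed 's/ ra ad;/ ra;/')

verify_download "$SAMPLE_FILE" "$VALIDATED_ANSWER"
verify_download "$SAMPLE_FILE" "$UNVALIDATED_ANSWER" || echo "rejected, as intended (status $?)"
```

The distinction the script enforces is the one the original dig +short invocation loses: a resolver that merely forwards RRSIGs without validating them gives you the same quoted hash as one that checked the chain to the root.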

Now around 15-25 minutes for the configure and make. Yawn.

> tar -xzf LATEST.tar.gz
> rm -rf LATEST.tar.gz
> cd dnscrypt-proxy-*
> ./configure
> make

Checkinstall again. Give it the description “dnscrypt-proxy”, and make sure to say it requires libsodium. That dependency names our own libsodium package, not Debian’s libsodium13, so dpkg on the second Pi will refuse to install dnscrypt-proxy until our libsodium .deb is in place.

> sudo checkinstall

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.


The package documentation directory ./doc-pak does not exist.
Should I create a default set of package docs?  [y]:

Preparing package documentation...OK

Please write a description for the package.
End your description with an empty line or EOF.
>> dnscrypt-proxy
>>

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 -  Maintainer: [ root@hostname ]
1 -  Summary: [ dnscrypt-proxy ]
2 -  Name:    [ dnscrypt-proxy ]
3 -  Version: [ 1.9.4 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ armhf ]
8 -  Source location: [ dnscrypt-proxy-1.9.4 ]
9 -  Alternate source location: [  ]
10 - Requires: [  ]
11 - Provides: [ dnscrypt-proxy ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue: 10
Enter the additional requirements:
>> libsodium

This package will be built according to these values:

0 -  Maintainer: [ root@hostname ]
1 -  Summary: [ dnscrypt-proxy ]
2 -  Name:    [ dnscrypt-proxy ]
3 -  Version: [ 1.9.4 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ armhf ]
8 -  Source location: [ dnscrypt-proxy-1.9.4 ]
9 -  Alternate source location: [  ]
10 - Requires: [ libsodium ]
11 - Provides: [ dnscrypt-proxy ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install...

<snip>

**********************************************************************

 Done. The new package has been installed and saved to

 /home/username/dnscrypt-proxy-1.9.4/dnscrypt-proxy_1.9.4-1_armhf.deb

 You can remove it from your system anytime using:

      dpkg -r dnscrypt-proxy

**********************************************************************

And that’s dnscrypt-proxy installed. To quickly test it works, pick a resolver name from dnscrypt-resolvers.csv (-R looks the name up in that file), pick an unused local port, run it in the foreground and perform a DNS lookup against it. If you get a response back, it’s working! Pay attention to the first two log lines: cisco (OpenDNS) does not support DNSSEC and logs your queries, which is fine for a smoke test but worth a second thought before you make it your household resolver.

> /usr/local/sbin/dnscrypt-proxy -R cisco --ephemeral-keys --local-address=127.0.0.1:51234
Sat Jan 28 23:01:36 2017 [INFO] - [cisco] does not support DNS Security Extensions
Sat Jan 28 23:01:36 2017 [WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
Sat Jan 28 23:01:36 2017 [NOTICE] Starting dnscrypt-proxy 1.9.4
Sat Jan 28 23:01:36 2017 [INFO] Ephemeral keys enabled - generating a new seed
Sat Jan 28 23:01:36 2017 [INFO] Done
Sat Jan 28 23:01:36 2017 [INFO] Server certificate with serial #1463092899 received
Sat Jan 28 23:01:36 2017 [INFO] This certificate is valid
Sat Jan 28 23:01:36 2017 [INFO] Chosen certificate #1463092899 is valid from [2016-05-12] to [2017-05-12]
Sat Jan 28 23:01:37 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Sat Jan 28 23:01:37 2017 [INFO] Server key fingerprint is ABA1:F000:D394:8045:672D:73E0:EAE6:F181:19D0:2A62:3791:EFAD:B04E:40B7:B6F9:C40B
Sat Jan 28 23:01:37 2017 [NOTICE] Proxying from 127.0.0.1:51234 to 208.67.220.220:443

> nslookup -port=51234 google.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#51234

Non-authoritative answer:
Name:   google.com
Address: 216.58.211.14

RPi 2 – Installing from our precompiled binaries

Now that we’ve compiled the binaries for one Raspberry Pi, we can use them on our next one and save 45-60 minutes. Copy your .deb files over, and then install with dpkg:

> sudo dpkg -i libsodium_1.0.11-1_armhf.deb
> sudo dpkg -i dnscrypt-proxy_1.9.4-1_armhf.deb

Then try starting it, and…

> /usr/local/sbin/dnscrypt-proxy -R cisco --ephemeral-keys --local-address=127.0.0.1:51234
/usr/local/sbin/dnscrypt-proxy: error while loading shared libraries: libsodium.so.18: cannot open shared object file: No such file or directory

Heh, of course. There was one step that checkinstall did not capture: invoking ldconfig. checkinstall records the files make install writes, but the resulting .deb carries no post-install script, so on the second Pi the dynamic linker’s cache still knows nothing about /usr/local/lib/libsodium.so.18. All we have to do is run ldconfig ourselves first:

> sudo ldconfig
> /usr/local/sbin/dnscrypt-proxy -R cisco --ephemeral-keys --local-address=127.0.0.1:51234
Sat Jan 28 22:54:33 2017 [INFO] - [cisco] does not support DNS Security Extensions
Sat Jan 28 22:54:33 2017 [WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
Sat Jan 28 22:54:33 2017 [NOTICE] Starting dnscrypt-proxy 1.9.4
Sat Jan 28 22:54:33 2017 [INFO] Ephemeral keys enabled - generating a new seed
Sat Jan 28 22:54:33 2017 [INFO] Done
Sat Jan 28 22:54:33 2017 [INFO] Server certificate with serial #1463092899 received
Sat Jan 28 22:54:33 2017 [INFO] This certificate is valid
Sat Jan 28 22:54:33 2017 [INFO] Chosen certificate #1463092899 is valid from [2016-05-12] to [2017-05-12]
Sat Jan 28 22:54:33 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Sat Jan 28 22:54:33 2017 [INFO] Server key fingerprint is ABA1:F000:D394:8045:672D:73E0:EAE6:F181:19D0:2A62:3791:EFAD:B04E:40B7:B6F9:C40B
Sat Jan 28 22:54:33 2017 [NOTICE] Proxying from 127.0.0.1:51234 to 208.67.220.220:443

> nslookup -port=51234 google.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#51234

Non-authoritative answer:
Name:   google.com
Address: 216.58.208.142

And that’s it, installed on both Pis.
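To avoid the ldconfig surprise on every further Pi, and to make the two builds repeatable, here is the whole build-and-package procedure as a script. This is an added example, not code from the original post or from the dnscrypt project. It relies on a documented checkinstall feature: a file named postinstall-pak in the build directory is shipped as the package’s postinst script, so the .deb runs ldconfig itself when installed. The version numbers, /usr/local layout and the sample ldd output at the bottom (which reproduces the libsodium.so.18 error from above) are assumptions taken from this post; build_deb is not run here because it needs the real source trees and sudo.

```shell
#!/bin/sh
# Added example, not from the original post: build libsodium and dnscrypt-proxy
# packages non-interactively with checkinstall, giving each a postinstall-pak
# that runs ldconfig, and check a binary's shared-library resolution afterwards.
# Version numbers and the /usr/local layout are assumed from the post; the ldd
# output at the bottom is a constructed sample of the failure the post hit.

# checkinstall picks up a file named postinstall-pak in the build directory
# and ships it as the package's postinst script.
write_postinstall_pak() {
    builddir=$1
    cat > "$builddir/postinstall-pak" <<'EOF'
#!/bin/sh
# Refresh the dynamic linker cache so /usr/local/lib/libsodium.so.* is found.
ldconfig
EOF
    chmod 0755 "$builddir/postinstall-pak"
}

# Configure, build and package one source tree without the interactive prompts.
# $1 build dir, $2 package name, $3 version, $4 dependency list (may be empty).
# -D builds a Debian package, -y accepts the defaults for everything not given.
build_deb() {
    builddir=$1; name=$2; version=$3; requires=$4
    write_postinstall_pak "$builddir"
    (
        cd "$builddir" || exit 1
        ./configure && make &&
        sudo checkinstall -D -y --install=yes \
            --pkgname="$name" --pkgversion="$version" --pkgrelease=1 \
            ${requires:+--requires="$requires"} \
            make install
    )
}

# Print the names of shared libraries that ldd could not resolve; an empty
# result means every dependency of the binary was found.
missing_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Constructed ldd output reproducing the error from the post (addresses made up).
SAMPLE_LDD='    linux-vdso.so.1 (0x7ef5f000)
    libsodium.so.18 => not found
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76de0000)
    /lib/ld-linux-armhf.so.3 (0x76f3c000)'

# Usage on the build Pi (then copy the .deb files across):
#   build_deb ~/libsodium-1.0.11 libsodium 1.0.11 ""
#   build_deb ~/dnscrypt-proxy-1.9.4 dnscrypt-proxy 1.9.4 libsodium
# On the second Pi, after dpkg -i, confirm nothing is left unresolved:
#   missing_libs "$(ldd /usr/local/sbin/dnscrypt-proxy)"
missing_libs "$SAMPLE_LDD"
```

Running missing_libs against the real ldd output of /usr/local/sbin/dnscrypt-proxy is a quicker check than starting the daemon and reading the error, and it catches any other library the package forgot to declare, not just libsodium.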

This has already been a fairly long post, so I will leave more in-depth configuration of dnscrypt-proxy for another day.
