dnscrypt-proxy: Alternative install method for Debian / Raspbian Jessie

In a previous post, "dnscrypt-proxy: Installing on Debian / Raspbian Jessie", I went through the steps to install dnscrypt-proxy and its dependency using checkinstall, so that they can be managed with dpkg. I’ve recently discovered an alternative installation method, which is a fair bit easier, and possibly a better practice.

On my Raspberry Pis, I have a few packages that are not from the Debian / Raspbian stable repository. These include:

When installing fail2ban, I followed this suggestion to download the latest Debian testing package, install it with dpkg, and then resolve the missing dependencies. Now, installing testing packages on Debian stable is something Debian strongly recommend against – FrankenDebian they call it. Personally my takeaway from this is that you do so at your own risk, you need to pay (more) attention whenever you run a dist-upgrade, and the more a package ties into a system, and the more dependencies a package has (especially if those dependencies are not in Debian stable), the riskier it is. But also I believe that 99% of the risk they speak of is using any software outside Debian Stable – and that whether you compile it from source, download a standalone binary, or use Debian testing packages is neither here-nor-there. Well in that case, I’m keen to have my packages managed by the system as much as possible. “If you’re going to do something wrong, do it right”.

I felt that fail2ban was not too risky a package to mix; it’s not really tied into the system, and it didn’t require any dependencies outside Debian stable. But for some reason, for rclone and dnscrypt-proxy I have installed the raw source / binaries rather than using their Debian testing packages. I believe the only reason for this is that I originally installed them before fail2ban, and simply wasn’t aware of the technique.

I have removed my manually installed rclone and dnscrypt-proxy and used the Debian testing packages. rclone is even easier than fail2ban – it only has one dependency (libc6), whose version in Debian stable is sufficient and is likely already installed, so I won’t go into that. But dnscrypt-proxy requires a bit more effort – it has two dependencies for which the versions in stable are too old, so you need the testing packages.

The packages required are:

All of dnscrypt-proxy’s other direct dependencies’ versions are in Debian stable and are probably already installed. Similarly, libltdl7 and libsodium18 only have one dependency (libc6) with versions in Debian stable, probably already installed.

First, if you have dnscrypt-proxy and libsodium installed using checkinstall as per my previous post, remove them using dpkg. This is so easy that it really goes to show you why using checkinstall was a good idea over make install.

> sudo dpkg -r dnscrypt-proxy libsodium

Then we download the packages. For example in Raspbian:

> wget http://mirrordirector.raspbian.org/raspbian/pool/main/libt/libtool/libltdl7_2.4.6-2_armhf.deb
> wget http://mirrordirector.raspbian.org/raspbian/pool/main/libs/libsodium/libsodium18_1.0.11-1_armhf.deb
> wget http://mirrordirector.raspbian.org/raspbian/pool/main/d/dnscrypt-proxy/dnscrypt-proxy_1.9.1-1_armhf.deb

We install one-by-one with dpkg, ensuring we get no errors.

> sudo dpkg -i libltdl7_2.4.6-2_armhf.deb
> sudo dpkg -i libsodium18_1.0.11-1_armhf.deb
> sudo dpkg -i dnscrypt-proxy_1.9.1-1_armhf.deb

We ask apt to resolve / install any other missing dependencies. I did not have anything further to install with dnscrypt-proxy (I did with fail2ban).

> sudo apt-get -f install
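
Packages fetched with wget over plain HTTP and installed with dpkg -i skip the hash check apt performs against the repository's signed index. The following is an added example, not part of the original post: it compares a downloaded .deb with the SHA256 recorded for it in a Packages index before installation. The function names and sample data are constructed for illustration, and it assumes the Packages index itself came from a source you already trust.

```sh
# Added example: check a downloaded .deb against its Packages index entry.

# expected_sha256 PACKAGES DEB_NAME: print the SHA256 field of the stanza
# whose Filename ends in /DEB_NAME (stanzas are blank-line separated).
expected_sha256() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            n = split(file, parts, "/")
            if (n > 0 && parts[n] == want) { print sum; exit }
        }' "$1"
}

# verify_deb PACKAGES DEB_PATH: 0 = hash matches, 1 = mismatch, 2 = not listed
verify_deb() {
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "not in index: $2" >&2; return 2; }
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "MISMATCH: $2" >&2; return 1; }
    echo "OK: $2"
}

# Constructed sample: a stand-in file (not a real package) plus an index
# stanza carrying its true hash, so the example runs offline.
make_sample() {
    printf 'constructed stand-in for a .deb\n' > "$1/example_1.0-1_armhf.deb"
    sum=$(sha256sum "$1/example_1.0-1_armhf.deb" | cut -d' ' -f1)
    cat > "$1/Packages" <<EOF
Package: other
Filename: pool/main/o/other/other_2.0-1_armhf.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: example
Filename: pool/main/e/example/example_1.0-1_armhf.deb
SHA256: $sum
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
verify_deb "$tmp/Packages" "$tmp/example_1.0-1_armhf.deb"   # prints OK
echo tampered >> "$tmp/example_1.0-1_armhf.deb"
verify_deb "$tmp/Packages" "$tmp/example_1.0-1_armhf.deb" || echo "refusing to install"
rm -rf "$tmp"
```

Run verify_deb on each of the three downloaded files and only pass the ones that return 0 to dpkg -i.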

At this point you can begin configuring dnscrypt-proxy. Now the Debian package actually includes a default systemd unit, which, rather than taking options from the command line, reads from a config file /etc/dnscrypt-proxy/dnscrypt-proxy.conf. (I believe config file functionality didn’t exist when I originally installed dnscrypt-proxy version 1.6, hence why I didn’t use this previously).

[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=notify
NonBlocking=true
User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Restart=always
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true

So if you just want to set up the one resolver, you can go ahead and configure dnscrypt-proxy by editing /etc/dnscrypt-proxy/dnscrypt-proxy.conf. There is a sample / template configuration file at /usr/share/doc/dnscrypt-proxy/examples/dnscrypt-proxy.conf.gz.
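
The packaged unit shown above was written for the systemd in Debian testing. Debian Jessie ships systemd 215, which ignores settings it does not recognise, so on Jessie the service runs with less sandboxing than the file suggests. The following is an added example, not from the original post or the package: it lists the [Service] hardening lines that a given systemd version would ignore. The function names are hypothetical and the minimum versions are taken from the systemd release notes.

```sh
# Added example: list [Service] hardening settings an older systemd ignores.

# unsupported_directives UNIT_FILE SYSTEMD_VERSION
unsupported_directives() {
    awk -v ver="$2" '
        BEGIN {
            # First systemd release that understands each setting.
            min["ProtectHome"] = 214;            min["ProtectSystem"] = 214
            min["MemoryDenyWriteExecute"] = 231; min["RestrictRealtime"] = 231
            min["ProtectKernelModules"] = 232;   min["ProtectKernelTunables"] = 232
            min["ProtectControlGroups"] = 232
        }
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service || /^[#;]/ || !/=/ { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            need = (key in min) ? min[key] : 0
            # The "strict" value of ProtectSystem= only exists from 232 on.
            if (key == "ProtectSystem" && val == "strict") need = 232
            if (need > ver + 0) printf "%s (needs systemd >= %d)\n", $0, need
        }' "$1"
}

# Excerpt of the packaged unit from the post, written to a file for the demo.
sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=DNSCrypt client proxy

[Service]
Type=notify
User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy.conf
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
EOF
}

unit=$(mktemp) && sample_unit "$unit"
unsupported_directives "$unit" 215    # Jessie: six settings reported
unsupported_directives "$unit" 232    # nothing reported
rm -f "$unit"
```

On a live system, take the version number from the first line of `systemctl --version` and point the function at the installed unit file.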

For me requiring two resolvers, I don’t believe you can configure multiple resolvers in a single config file, so I would need to create a second custom systemd unit anyway. Since both my existing custom systemd units work fine, I didn’t see a need to use the built-in one, and so I disabled it.

# Stop the service
sudo systemctl stop dnscrypt-proxy.service
sudo systemctl stop dnscrypt-proxy.socket
# Disable it from starting automatically on startup
sudo systemctl disable dnscrypt-proxy
# Mask it to prevent it from being started manually or in any way.
sudo systemctl mask dnscrypt-proxy.service
sudo systemctl mask dnscrypt-proxy.socket

In my opinion this is the “better” method to install dnscrypt-proxy on Debian or Raspbian, and is what I intend to use moving forward.
