Anonymized DNS through DNSCrypt with Pi-hole integration

Would you like to beef up the security and privacy of your whole network?

Why should I?
tl;dr: The address book of the internet (DNS, which turns names into IP addresses) is open for everyone to see: your ISP, the government, "the man" and so forth. Classic DNS travels in plaintext over port 53, so anyone on the path can read and log which names you look up.
One possible solution: DNSCrypt; read the FAQ here.

How does this make my DNS usage anonymous? Read the FAQ here. In short: your encrypted query goes to a relay, which forwards it to the resolver. The relay sees your IP address but cannot read the query; the resolver reads the query but only sees the relay's address.

More in-depth but less technical: what are the issues?
Arstechnica article link.
Wire article link.

Why, oh why, on my dear CoreELEC box?
Well, it's often on, and you can have your whole network use it.

A VPN of your choice plus the following how-to will certainly raise both security and privacy.
If you use the Squid proxy described in this how-to, you can omit the DNS server line in squid.conf and you will have Anonymized DNS through DNSCrypt.

Tools:
PuTTY or the like. (Required; see how to use PuTTY.)
Entware enabled. (Required)
WinSCP (Nice to have. You can browse your way to the configs, transfer files for backup and edit files with ease with any editor, say Notepad++.)

Log in to your CoreELEC with putty.

opkg update
opkg install dnscrypt-proxy2

nano /storage/.opt/etc/dnscrypt-proxy.toml
OR, use winscp and favorite editor of choice.

My working config (but you need to replace DNS1, DNS2 and YOURCOREELECIP with your own fallback resolvers and the IP of your CoreELEC):

server_names = ['ams-dnscrypt-nl', 'arvind-io', 'bcn-dnscrypt', 'd0wn-tz-ns1', 'd0wn-is-ns2', 'dnscrypt.ca-1', 'dnscrypt.ca-2', 'dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'ffmuc.net', 'faelix-ch-ipv4', 'faelix-uk-ipv4', 'publicarray-au', 'publicarray-au2', 'opennic-R4SAS', 'freetsa.org', 'opennic-rico4514', 'opennic-bongobow', 'meganerd', 'yofiji-se-ipv4', 'scaleway-fr', 'scaleway-ams', 'ventricle.us', 'qualityology.com', 'ev-ve', 'soltysiak', 'dnscrypt.eu-dk', 'acsacsar-ams-ipv4', 'ibksturm', 'sth-dnscrypt-se', 'opennic-luggs2', 'skyfighter-dns', 'v.dnscrypt.uk-ipv4']
  
listen_addresses = ['127.0.0.1:53', 'YOURCOREELECIP:53']
 
max_clients = 250

# Commented out, so the proxy keeps running as root. Uncomment once you have a
# working 'nobody' setup so it drops privileges after binding port 53.
#user_name = 'nobody'
 
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
 
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = []
  
force_tcp = false
 
timeout = 5000
 
keepalive = 30

lb_strategy = 'p2'

lb_estimator = true

cert_refresh_delay = 240
    
# Plaintext resolvers used only to bootstrap (resolving the hostnames in the
# sources when ignore_system_dns is true), never for your normal queries.
# Renamed to bootstrap_resolvers in dnscrypt-proxy 2.1.
fallback_resolvers = ['DNS1:53', 'DNS2:53']
 
ignore_system_dns = true
  
netprobe_timeout = 60
 
netprobe_address = 'DNS1:53'
 
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
   
block_ipv6 = false
 
block_unqualified = true
 
block_undelegated = true
 
reject_ttl = 600
   
 
cache = true
 
cache_size = 4096
 
cache_min_ttl = 2400
 
cache_max_ttl = 86400
 
cache_neg_min_ttl = 60
 
cache_neg_max_ttl = 600
  
[local_doh]
   
[query_log]
 
format = 'tsv'
  
[nx_log]
 
format = 'tsv'
    
  
[schedules]
    
[sources]
 
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''
 
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
   
[broken_implementations]
  
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
  
#[doh_client_x509_auth]
   
[anonymized_dns]
  
# A relay must not be run by the operator of the resolver it fronts: that
# operator would see both your address (at the relay) and your query (at the
# resolver). The proxy cannot tell that two different addresses belong to the
# same organisation, so compare the via list against server_names yourself and
# drop relays whose operator also appears there (e.g. anon-meganerd next to
# meganerd, anon-scaleway-ams next to scaleway-ams).
routes = [
{ server_name='*', via=['anon-acsacsar-ams-ipv4', 'anon-ams-nl', 'anon-bcn', 'anon-cs-ca2', 'anon-cs-de2', 'anon-cs-fr', 'anon-cs-fr2', 'anon-cs-md', 'anon-cs-nl', 'anon-cs-nl2', 'anon-cs-pt', 'anon-cs-se', 'anon-cs-sk', 'anon-cs-usca', 'anon-cs-usga', 'anon-cs-usnc', 'anon-cs-usnv', 'anon-cs-usor', 'anon-cs-ustx', 'anon-dnscrypt.uk-ipv4', 'anon-ev-to', 'anon-ev-va', 'anon-ibksturm', 'anon-inconnu', 'anon-kama', 'anon-meganerd', 'anon-publicarray', 'anon-scaleway', 'anon-scaleway-ams', 'anon-skyfighter', 'anon-sth-se', 'anon-tiarap', 'anon-v.dnscrypt.uk-ipv4', 'anon-yofiji-se-ipv4'] }
   ]
# false: resolvers that cannot be relayed (DoH) are queried directly instead of
# being skipped. Set to true if you would rather lose a resolver than bypass the relays.
skip_incompatible = false
    
#[dns64]

[static]

Check sanity of the config:

dnscrypt-proxy -config /storage/.opt/etc/dnscrypt-proxy.toml -check

Looks good? Great!
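The -check run above validates the syntax and loads the sources, but says nothing about the choices that matter for anonymity. The following is an added example, not part of this guide and not part of dnscrypt-proxy, that lints a dnscrypt-proxy.toml for the pitfalls a practitioner would look for: duplicate entries, relays that share a name with a resolver in server_names (a heuristic only, since public relays are named anon-<operator>; the authoritative check is the operator and IP in the resolvers list), DoH resolvers that would bypass the relays while skip_incompatible is false, running as root because user_name is unset, and sockets bound on a LAN address. The two embedded configs are constructed for the demonstration; the file name lint_dnscrypt.py is an assumption, and Python 3 on the box is assumed (Entware packages it).

```python
"""Lint a dnscrypt-proxy.toml for anonymity pitfalls that `-check` does not report.

Added example, not part of the original guide or of dnscrypt-proxy. A small regex
extractor is used instead of a TOML library so it runs on a bare Python 3.
"""
import re
import sys

# Constructed sample in the layout of the guide's config, with problems left in:
# a duplicated resolver and relay, relays from the same operators as two of the
# resolvers, DoH enabled with skip_incompatible = false, user_name commented out,
# and a socket on the LAN address.
SAMPLE_CONFIG = """\
server_names = ['meganerd', 'scaleway-ams', 'dnscrypt.eu-nl', 'dnscrypt.eu-nl']

listen_addresses = ['127.0.0.1:53', '192.168.1.10:53']

#user_name = 'nobody'

dnscrypt_servers = true
doh_servers = true

[anonymized_dns]

routes = [
{ server_name='*', via=['anon-meganerd', 'anon-scaleway-ams', 'anon-cs-se', 'anon-cs-se'] }
   ]
skip_incompatible = false
"""

# The same config with every finding fixed (relay operators disjoint from resolvers).
FIXED_CONFIG = """\
server_names = ['meganerd', 'scaleway-ams', 'dnscrypt.eu-nl']

listen_addresses = ['127.0.0.1:53']

user_name = 'nobody'

dnscrypt_servers = true
doh_servers = false

[anonymized_dns]

routes = [
{ server_name='*', via=['anon-cs-se', 'anon-cs-nl', 'anon-kama'] }
   ]
skip_incompatible = true
"""


def toml_array(text, key):
    """Quoted strings of a top-level `key = [...]` array (may span lines)."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*\[([^\]]*)\]", text, re.M)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def toml_scalar(text, key):
    """Value of an uncommented top-level `key = value`, or None if unset."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*([^#\n]+)", text, re.M)
    return m.group(1).strip().strip("'\"") if m else None


def duplicates(items):
    """Items that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for item in items:
        if item in seen and item not in dups:
            dups.append(item)
        seen.add(item)
    return dups


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    servers = toml_array(text, "server_names")
    relays = []
    for m in re.finditer(r"via\s*=\s*\[([^\]]*)\]", text):
        relays += re.findall(r"'([^']*)'", m.group(1))

    for d in duplicates(servers):
        findings.append(f"duplicate in server_names: {d}")
    for d in duplicates(relays):
        findings.append(f"duplicate relay in routes: {d}")

    # Heuristic: public relays are named anon-<operator>. A relay run by the
    # operator of the resolver it fronts sees both the client IP and the query,
    # which defeats the purpose. Confirm against operator/IP in the resolver list.
    for relay in relays:
        base = relay[len("anon-"):] if relay.startswith("anon-") else relay
        if base in servers:
            findings.append(f"relay {relay} and resolver {base} look like the same operator")

    # DoH resolvers cannot be relayed; unless skipped they are queried directly.
    if (relays and toml_scalar(text, "doh_servers") == "true"
            and toml_scalar(text, "skip_incompatible") != "true"):
        findings.append("doh_servers = true with skip_incompatible = false: "
                        "DoH resolvers would bypass the relays")

    if toml_scalar(text, "user_name") is None:
        findings.append("user_name not set: the proxy keeps running as root")

    for addr in toml_array(text, "listen_addresses"):
        if addr.rsplit(":", 1)[0] not in ("127.0.0.1", "[::1]"):
            findings.append(f"listening on {addr}: reachable from the LAN, firewall port 53")
    return findings


if __name__ == "__main__":
    # python3 lint_dnscrypt.py /storage/.opt/etc/dnscrypt-proxy.toml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in lint(text):
        print("WARN:", finding)
```

Run it without arguments to see the findings for the constructed sample (seven warnings, none for the fixed variant), or pass the path of your own config. The same-operator check is deliberately conservative: it only flags exact name matches after stripping anon-, so a relay and resolver from one operator with differently styled names still has to be caught by hand from the relays.md and public-resolvers.md descriptions.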

Now, the next thing to do is to change your network settings in CoreELEC: set a static IP address and set your DNS server to 127.0.0.1.

This change to DNS server 127.0.0.1 also applies to any VPN’s you have configured!

Reboot your CoreELEC
Login with putty again.

Try pinging 8.8.8.8:
ping 8.8.8.8
Did you get a reply? Yes = GOOD! (IP connectivity works; this does not involve DNS.)
Try pinging google.com:
ping google.com
Did you get: ping: bad address 'google.com'? GOOD! The point of this check is that nothing other than dnscrypt-proxy is able to resolve names for the box.

If google.com did resolve, find out who answered: stop the service and try again:
/storage/.opt/etc/init.d/S09dnscrypt-proxy2 stop

Try pinging google.com:
ping google.com
Did you get: ping: bad address 'google.com'? GOOD! If it still resolves with dnscrypt-proxy stopped, another resolver is still configured (the old DNS in the network settings, or one pushed by a VPN) and your queries would leak around DNSCrypt; fix the DNS setting before going on.

Start the service:
/storage/.opt/etc/init.d/S09dnscrypt-proxy2 start
Try:
dnscrypt-proxy -resolve google.com
Did you get: Domain exists: yes, X name servers found?

Good, dnscrypt-proxy works!

Let's make the service accessible to your whole network! DNS goes over UDP first and falls back to TCP, so open port 53 for both, and only to your LAN (replace YOURLANSUBNET with your subnet, e.g. 192.168.1.0/24):

iptables -A INPUT -s YOURLANSUBNET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s YOURLANSUBNET -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables-save >/storage/.config/iptables/rules.v4

Without the -s match, anyone who can reach port 53 gets a resolver; on a box reachable from the internet that is an open resolver, which gets abused for DNS amplification.

Now you can point your clients at your CoreELEC's IP, either in each computer's DNS settings or by telling your router to hand it out via DHCP.

Check that things work at https://ipleak.net or https://www.dnsleaktest.com (extended test): you should only see the resolvers from your server_names, never your ISP's.
If you have the Kodi add-on "DNS Leak-test" you should get results there as well.

Think things go slow?

N.B. dnscrypt-proxy v2 already measures and sorts servers by latency (lb_strategy = 'p2' picks at random among the two fastest).

Check the public list (sort by protocol DNSCrypt) here, find and note locations near you. Open /storage/.opt/etc/dnscrypt-proxy.toml and delete everything except those locations near you in "server_names" and under section "routes". Keep several resolvers and several relays, though: a single fixed relay/resolver pair is far easier to correlate than a rotating set.


This can of course be combined with other things such as pi-hole:

Change the listening port to something other than 53, because Pi-hole will take port 53 (and the admin site takes 80). Pick a free port and use the same one for both addresses (for example 5053):

listen_addresses = ['127.0.0.1:YOURPORT', 'YOURCOREELECIP:YOURPORT']

In: nano /storage/.opt/etc/dnscrypt-proxy.toml

Restart: /storage/.opt/etc/init.d/S09dnscrypt-proxy2 restart

Check that it's now quiet around 53 and that 80 is free and clear:
netstat -nltup | grep -E 'Proto|:53 |:67 |:80 |:471'

Install Pi-hole. Run this from a directory you intend to keep (for example cd /storage/pihole), because the $(pwd) volumes are created wherever you run it:

docker run -d \
    --name pihole \
    -p 53:53/tcp -p 53:53/udp \
    -p 80:80 \
    -p 443:443 \
    -e TZ="America/Chicago" \
    -v "$(pwd)/etc-pihole/:/etc/pihole/" \
    -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
    --dns=127.0.0.1 --dns=1.1.1.1 \
    --restart=unless-stopped \
    pihole/pihole:latest
docker ps
docker exec -it pihole /bin/bash
./start.sh

The two --dns flags set the resolvers the container itself uses: 127.0.0.1 is pihole-FTL inside the container, and 1.1.1.1 is a plaintext fallback for when FTL is not up yet (first start, list downloads). Drop the 1.1.1.1 entry if you want nothing to bypass DNSCrypt, accepting that the container cannot resolve anything until FTL is running. Set the admin password with: docker exec -it pihole pihole -a -p

Apply this fix if the admin site does not show up!

Changes in Pi-hole: Settings - DNS
Uncheck all checked upstream DNS servers.
Add the custom upstream DNS coreelecIP#YOURPORT (Pi-hole's IP#port notation), so every query Pi-hole does not block is forwarded to dnscrypt-proxy and nothing goes to a plaintext upstream.

Block lists are here; the same place also suggests this pi-hole:latest + auto-update tool (read its instructions).

Same deal, but use this when pulling the pi-hole latest docker:

docker run -d \
    --name pihole \
    -p 53:53/tcp -p 53:53/udp \
    -p 80:80 \
    -p 443:443 \
    -e TZ="America/Chicago" \
    -v "$(pwd)/etc-pihole/:/etc/pihole/" \
    -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
    -v "$(pwd)/etc-pihole-updatelists/:/etc/pihole-updatelists/" \
    --dns=127.0.0.1 --dns=1.1.1.1 \
    --restart=unless-stopped \
    jacklul/pihole:latest

That’s it.

Hi, thanks for this guide. I managed to follow all your settings and even got the ping running perfectly, but I had trouble when trying to start the service. Every time I run the command /storage/.opt/etc/init.d/S09dnscrypt-proxy2 start
I get
Starting dnscrypt-proxy... failed.
Do you know how I could start the service?

Try:
/storage/.opt/etc/init.d/S09dnscrypt-proxy2 restart
or
/storage/.opt/etc/init.d/S09dnscrypt-proxy2 stop
then
/storage/.opt/etc/init.d/S09dnscrypt-proxy2 start again.

I tried both command, here what i got

TX3CoreELEC:~ #  /storage/.opt/etc/init.d/S09dnscrypt-proxy2 restart
 Starting dnscrypt-proxy...              failed.
TX3CoreELEC:~ #  /storage/.opt/etc/init.d/S09dnscrypt-proxy2 stop
 Checking dnscrypt-proxy...              dead.
TX3CoreELEC:~ #

Is your config ok?
dnscrypt-proxy -config /storage/.opt/etc/dnscrypt-proxy.toml -check

here is my config

TX3CoreELEC:~ #  dnscrypt-proxy -config /storage/.opt/etc/dnscrypt-proxy.toml -check
[2020-09-20 00:29:42] [NOTICE] dnscrypt-proxy 2.0.44
[2020-09-20 00:29:42] [NOTICE] Source [public-resolvers] loaded
[2020-09-20 00:29:42] [NOTICE] Source [relays] loaded
[2020-09-20 00:29:42] [NOTICE] Anonymized DNS: routing everything via [anon-acsacsar-ams-ipv4 anon-ams-nl anon-bcn anon-cs-ca2 anon-cs-de2 anon-cs-fr anon-cs-fr2 anon-cs-md anon-cs-nl anon-cs-nl2 anon-cs-pt anon-cs-se anon-cs-se anon-cs-sk anon-cs-usca anon-cs-usga anon-cs-usnc anon-cs-usnv anon-cs-usor anon-cs-ustx anon-dnscrypt.uk-ipv4 anon-ev-to anon-ev-va anon-ibksturm anon-inconnu anon-kama anon-meganerd anon-publicarray anon-scaleway anon-scaleway-ams anon-skyfighter anon-sth-se anon-tiarap anon-v.dnscrypt.uk-ipv4 anon-yofiji-se-ipv4]
[2020-09-20 00:29:42] [NOTICE] Configuration successfully checked
TX3CoreELEC:~ #

Give it a reboot.

I rebooted the device and tried running the service again. Still no luck.

TX3CoreELEC:~ # /storage/.opt/etc/init.d/S09dnscrypt-proxy2 start
 Starting dnscrypt-proxy...              failed.

Check your port settings & go through things again.
If something else is using port 53, or the one you have chosen in the config, it won't start.

ss -tulwn

I'm sorry, but how can I check the port settings in Win 10? I tried running the command you shared but it is not recognised by cmd.

Edit: managed to check my network ports. Port 53 is not in use on my network.

No, in PuTTY on your CoreELEC.
opkg install ss

It's important that you set your CoreELEC's IP & DNS as instructed and get the ping replies as described.


edited: managed to install ss and run ss -tulwn

port 53 not being used

Have a look at the official documentation: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux

If you spot anything different. Don’t follow the commands blindly, try to understand the “what’s & why’s”.
Not sure if I remember the ss parameters correctly.

Will check the documentation. Thanks for the help anyway

I made an install on another of my devices (not CE) and on the main CoreELEC install, and I'm afraid it's some sort of PEBCAK on my part, because even though I wiped the device (yay, fast backups) and did a replay, I could not really see where any error was in the instructions.

It is, though, very important that one gets the right "non-reply pings" on CoreELEC, as setting IP/DNS is not done by a twist of the hand and "the long road" is well worth taking.

What annoys me about as much, is that I can’t seem to get it working as ‘nobody’. Much ‘grrr’.
