Help Setting Up DNSCrypt with PiHole

Blackconvoy · May 14, 2018, 8:45pm

Hi,

Firstly, apologies if what I am writing here is redundant as I did search and see other entries for DNSCrypt, but none really addressing the issue I am having. Apologies also if this is outside of the scope of this PiHole forum, but I am at my wits end trying to get this figured out.

Now, for the issue. I've followed the guide posted here several times (the latest of which was a complete OS re-install) to a T and have gotten absolutely nowhere.

I have previously gotten to the point where I at least had DNSCrypt running separately from PiHole (and was able to ping and resolve using command line), but it seems like presently it's failing out with some kind of error, but I have no understanding on how to figure out what the error is or how to fix it.

When running "sudo systemctl status dnscrypt-proxy" I get:

● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Mon 2018-05-14 13:18:05 PDT; 24s ago
Process: 1248 ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy (code=exited, status=255)
Main PID: 1248 (code=exited, status=255)

May 14 13:18:05 Corpus_Colossus systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.

The other thing, which I am finding separately odd, is that I moved to the FTLDNS branch of PiHole explicitly in hopes of finding the "Local DNS server on custom port" option in the admin interface, but it is still not there (and I did confirm that I was on latest FTL for both core and admin console). The only thing I can think of is this option isn't available if the DNSCrypt service isn't running, but otherwise its absence is baffling to me as I've seen screenshots where it exists.

To help save the sanity of anyone trying to help, I'm not super familiar with *nix standards and practices, but on this latest attempt I made sure to make duplicate original files and document all changes that I made before editing, so I at least have that going for me.

Also, because I am a novice, please don't assume that I will know about ANY step or command that is not explicitly called out. I can follow instructions no problem, but I'm in the early stages where you don't know what you don't know, if that makes sense.

Thank you very much for your time/insight!

Mcat12 · May 14, 2018, 8:48pm

I'm not sure about DNSCrypt, but the local DNS option was modified so that all the custom DNS fields can now take on a port number (host#port).

Blackconvoy · May 14, 2018, 8:49pm

Well that at least explains one part of the mystery, so thank you for that!

Edit: Is that only on the FTLDNS branch that it was setup to do that? Trying to figure out the pros and cons of staying where I am vs reverting back to the standard version.

Edit the sequel: Maybe I'm a bit of a simpleton, but it might be cool to have a little tooltip or something saying that? I was losing my mind trying to figure out why the option that I'd seen screenshots of didn't exist at all.

DL6ER · May 14, 2018, 8:53pm

Yes, most recent development is only available on the development branches in in the FTLDNS beta testing branch.

mibere · May 15, 2018, 6:28am

Hi,

I think you're running dnscrypt-proxy 2.0.12, right?

What's the output of

dnscrypt-proxy -check

Blackconvoy · May 15, 2018, 6:47am

Yes, running 2.0.12

The check command returned the following:

[2018-05-14 23:44:35] [NOTICE] Source [public-resolvers.md] loaded
[2018-05-14 23:44:35] [NOTICE] Configuration successfully checked

Edit: Only semi-related, but I am trying to learn as much from this as I can along the way to getting what I actually want working. I had to add "./" before "dnscrypt-proxy -check" to get it to run. Is there a simple explanation for why? My understanding is that tells the system that the command is being run from the current working directory, but isn't that obvious since I'm in that directory?

Thanks again for your time and input on this!

mibere · May 16, 2018, 6:24pm

Did you try to start it with log_level = 0 in dnscrypt-proxy.toml for more information?

Blackconvoy · May 16, 2018, 7:20pm

I did now that I know that's a thing

[2018-05-16 12:14:23] [NOTICE] Source [public-resolvers.md] loaded
[2018-05-16 12:14:23] [NOTICE] dnscrypt-proxy 2.0.12
[2018-05-16 12:14:24] [FATAL] listen udp 127.0.0.1:5353: bind: address already in use

mibere · May 16, 2018, 7:24pm

Now you have to find out what's already running on port 5353

sudo netstat -tulpen | grep 5353

or change your dnscrypt-proxy.toml

listen_addresses = ['127.0.0.1:7053', '[::1]:7053']

Replace 7053 with your favored port.

Blackconvoy · May 16, 2018, 7:48pm

Lovely, I guess avahi-daemon uses port 5353....?

Since I am apparently capable of winning the fail lottery while getting struck by lightning and eaten by a shark, is there a way to modify your command to show what ports are taken by anything so that I can firmly remove that from the equation?

mibere · May 16, 2018, 8:32pm

Replace the port in the command with any number. If there is no output, the port is free.

For example sudo netstat -tulpen | grep 7053

Then use this port in the listen_addresses of dnscrypt-proxy.toml.

Blackconvoy · May 16, 2018, 8:43pm

Yeah, I figured that, but was hoping for something with maybe a wildcard that would list all used ports.

In any case, I changed to 5354 and dnscrypt is now at least starting, so thank you again for that as I would have never realized that port was in use (I'm actually going to add a line to run this command in the Wiki so newbies like myself will know if the port they intend to use is in use).

That said I'm still not able to resolve or ping anything.

Making progress though!

Edit: When I ping something now, the failure is slightly different as it says "Temporary failure in name resolution".

Mcat12 · May 16, 2018, 9:14pm

You can just take off the pipe to see all used ports: sudo netstat -tulpen

Blackconvoy · May 16, 2018, 9:24pm

Great, thank you!

I feel like I'm making progress and really learning a bunch of useful things and how they interact along the way, which is fantastic.

Still need to work out why I can't resolve anything, but I'm at least getting somewhere.

mibere · May 16, 2018, 10:38pm

The command

dig @127.0.0.1 -p 5354 youtube.com +short

should print an IP (172.217.16.206 in my case).

Blackconvoy · May 16, 2018, 10:53pm

That returned the IP 216.58.217.46

mibere · May 16, 2018, 11:05pm

It's different because you're in another country, I think.

As it returns an IP, dnscrypt-proxy is listening and working. If you're on FTLDNS you can now set it as DNS server in the Pi-hole web interface:

Blackconvoy · May 16, 2018, 11:33pm

I've tried that and still no luck. Not sure if it helps, but the status indicators for both "DNS service not running" and "FTL" are both red on the PiHole admin console.

I've also tried the method of directly editing the 3 specific config files as specified in the wiki I linked, but that didn't give any change in result. I did make sure to uncheck the custom field before modifying the config files, as well as reverting the changes on the config files before re-enabling the custom field.

The current state is the config files are not commented and the custom field is checked with 127.0.0.1#5354 entered.

I also saw a post somewhere about enabling the "Listen on all interfaces" option, but this also did not appear to have an impact, so I reverted to "Listen only on interface wlan0".

Blackconvoy · May 17, 2018, 10:27pm

The only other idea I had was to try pihole -r, which I did with no success.

When it ran through the process, the last few lines of output are:

[✗] DNS service is not running
[✓] Starting DNS service
[i] Time until retry: 111
[i] Time until retry: 106
[✗] DNS resolution is not available

I feel like this is so close to working, but just not quite. Very frustrating, but thank you again to anyone contributing trying to get this going.

Edit: On a related note, not having PiHole working has REALLY made me appreciate when it was. There are so many ads being rammed down my throat from every angle that the internet feels broken and bordering on unusable.

Blackconvoy · May 18, 2018, 4:21am

Ok, so I think I've made it maybe a half a step farther?

I commented out the line listen_addresses = ['127.0.0.1:5354', '[::1]:5354'] in the dnscrypt-proxy.toml file

The positive results are:

DNS requests work from within the RBP
Pinging works from the RBP
Ad-blocking via pIhole appears to be working from the RBP when I use Chromium

Negative results are:

No devices that point to pihole for DNS requests are resolving
FTL is shown as offline in the dashboard
None of the graphs function in the dashboard

All of that said I don't know how to interpret this information, so I suspect the questions are 1) now that we know DNSCrypt is working, should that line be commented out if the FTL build of pihole is being used? 2) should the etc/dnsmasq.d/02-dnscrypt.conf be created with the server=IP#port listed if the FTL build of pihole is being used? 3) what else might be causing this setup to fail on the pihole side?

Apologies if this seems like flailing and/or stream of consciousness. I am doing whatever I can to either make further progress or learn something about the setup and/or what I am doing wrong in-between the helpful replies from folks here.

it's only fair that if you are going to be nice enough to take the time to help that I put in at least the same effort on my end. Thanks again.