1. No Time Check:
I don't really think it is a good idea to use the dnssec-no-timecheck setting without implementing a solution to notify dnsmasq that time synchronization has been established. This will ensure correct DNSSEC validation. I've listed a possible solution here, but somebody on the raspberrypi.org forum suggested a better solution:
<quote>
if you make ntpd.conf DNS-independent (not the hardest thing to do), and insert the statement "ntpd -gq" right before starting the named daemon (in the start- part of /etc/init.d/bind9, see my solution 3), you don't have to wait for some 15 minutes, as your system time is correct immediately thereafter (ntpd may not be running yet at that moment)...
</quote>
unfortunately, I haven't been successful in implementing this, some help from a Linux guru is welcome here...
2. dnsmasq:
you seem to have read this topic, to upgrade to the latest (working - running it for 2 months now) dnsmasq version. I've also written a script (if you use this, run it with sudo) to automate installation (I always install dnsmasq and dnscrypt before installing pihole), however, beware, there is no error handling!
3. dnscrypt:
If you tried to install dnscrypt using this wiki and these instructions, using the rar file I provided, you may want to use this script to install everything you need to get it working, again, beware, there is no error handling!
# rng tools (required for dnscrypt)
sudo apt-get -yq install rng-tools
sudo sed -i '/#HRNGDEVICE=\/dev\/null/a HRNGDEVICE=\/dev\/urandom' /etc/default/rng-tools
#dnscrypt-proxy
sudo apt-get -yq install build-essential
sudo apt-get -yq install tcpdump
sudo apt-get -yq install dnsutils
sudo apt-get -yq install libsodium-dev
sudo apt-get -yq install locate
sudo apt-get -yq install bash-completion
sudo apt-get -yq install libsystemd-dev
sudo apt-get -yq install pkg-config
file=dnscrypt-proxy-1.9.4
mkdir -p dnsproxy
cd dnsproxy
wget https://download.dnscrypt.org/dnscrypt-proxy/$file.tar.bz2
tar -xf $file.tar.bz2
cd $file
sudo ldconfig
./configure --with-systemd
make
sudo make install
cd ..
cd ..
sudo useradd -r -d /var/dnscrypt -m -s /usr/sbin/nologin dnscrypt
As explained here, put all five dnscrypt-proxy@ files in /lib/systemd/system and 04-dnscrypt.conf in /etc/dnsmasq.d.
Something I never mentioned (because it is mentioned in the wiki): You need to enable and start the proxies. This is how (assuming you used the rar file, otherwise you need to edit the instructions - correct the proxy names):
- enable the four proxies:
sudo systemctl enable dnscrypt-proxy@d0wn-at-ns1
sudo systemctl enable dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl enable dnscrypt-proxy@d0wn-de-ns1
sudo systemctl enable dnscrypt-proxy@d0wn-se-ns1
- start the four proxies
sudo systemctl start dnscrypt-proxy@d0wn-at-ns1
sudo systemctl start dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl start dnscrypt-proxy@d0wn-de-ns1
sudo systemctl start dnscrypt-proxy@d0wn-se-ns1
If everything went well, you should find four (4) symbolic links (one for each proxy) in /etc/systemd/system/multi-user.target.wants
and another four (4 - one for each proxy) in /etc/systemd/system/sockets.target.wants
You can check the status of the proxies, using:
sudo systemctl status -l dnscrypt-proxy@*
or, for the individual proxies:
sudo systemctl status dnscrypt-proxy@d0wn-at-ns1
sudo systemctl status dnscrypt-proxy@d0wn-nl-ns3
sudo systemctl status dnscrypt-proxy@d0wn-de-ns1
sudo systemctl status dnscrypt-proxy@d0wn-se-ns1
You should see something like this (example for one proxy):
dnscrypt-proxy@d0wn-at-ns1.service - DNSCrypt client proxy
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
Active: active (running) since Fri 2017-04-14 01:09:02 CEST; 10h ago
Docs: man:dnscrypt-proxy(8)
Main PID: 8204 (dnscrypt-proxy)
CGroup: /system.slice/system-dnscrypt\x2dproxy.slice/dnscrypt-proxy@d0wn-at-ns1.service
└─8204 /usr/local/sbin/dnscrypt-proxy --resolver-name=d0wn-at-ns1 --syslog-prefix=d0wn-at-ns1 --user=dnscrypt --ephemeral-keys --edns-payload-size=4096 --logfile=/var/log/dnscry...
Apr 14 01:09:02 raspberrypi systemd[1]: Started DNSCrypt client proxy.
Apr 14 01:09:02 raspberrypi dnscrypt-proxy[8204]: Fri Apr 14 01:09:02 2017 [INFO] d0wn-at-ns1 + DNS Security Extensions are supported
Apr 14 01:09:02 raspberrypi dnscrypt-proxy[8204]: Fri Apr 14 01:09:02 2017 [INFO] d0wn-at-ns1 + Provider supposedly doesn't keep logs
Notice the active (running).
Another thing I never mentioned (because it is mentioned in the wiki): Your proxies might not start because your dnscrypt-resolvers.csv is outdated
You have to create update_resolvers.sh (I've placed it in /home/pi) and make it executable.
- execute the script: sudo ./update_resolvers.sh
- create a cron file in /etc/cron.d/dnscrypt (or whatever you want to call it):
09 1 * * * root PATH="$PATH:/home/pi/" /home/pi/update_resolvers.sh
A last remark: the proxies will NOT start if your Pi's time is incorrect, so you need to ensure time is as accurate as possible. If time is "way off" you'll find some certificate messages in /var/log/dnscrypt-proxy.log (that is if you used the rar file configuration, which enables logging)
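The checks the post describes (four symlinks in each wants directory, "active (running)" in the status output) can be scripted instead of eyeballed. The following is an added example, not the post author's script: the proxy names and the shape of the status output are taken from the post; the helper functions, the assumption that the sockets.target.wants links are named dnscrypt-proxy@<name>.socket, and the failure sample are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the four
# dnscrypt-proxy instances are enabled and running in a scriptable way.
# Instance names come from the post's rar-file configuration.
PROXIES="d0wn-at-ns1 d0wn-nl-ns3 d0wn-de-ns1 d0wn-se-ns1"

# count_proxy_links DIR SUFFIX
# Counts symlinks DIR/dnscrypt-proxy@<name>.<SUFFIX> for each name in PROXIES.
# "systemctl enable" creates one .service link in multi-user.target.wants and
# (assumption) one .socket link in sockets.target.wants; 4 and 4 means all
# proxies are enabled.
count_proxy_links() {
  dir=$1
  suffix=$2
  n=0
  for p in $PROXIES; do
    if [ -L "$dir/dnscrypt-proxy@$p.$suffix" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# status_is_running STATUS_TEXT
# Returns 0 when the "Active:" line of a systemctl status dump says
# "active (running)", 1 otherwise.
status_is_running() {
  printf '%s\n' "$1" | grep -q '^ *Active: active (running)'
}

# Constructed sample, modelled on the status output quoted in the post.
SAMPLE_RUNNING='dnscrypt-proxy@d0wn-at-ns1.service - DNSCrypt client proxy
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
   Active: active (running) since Fri 2017-04-14 01:09:02 CEST; 10h ago'

# Constructed failure sample: the unit is enabled but did not come up, which is
# what an outdated dnscrypt-resolvers.csv or a wrong clock produces.
SAMPLE_FAILED='dnscrypt-proxy@d0wn-at-ns1.service - DNSCrypt client proxy
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
   Active: failed (Result: exit-code) since Fri 2017-04-14 01:09:02 CEST; 10h ago'

# check_live: run the checks against the real system (only meaningful on the Pi).
check_live() {
  svc=$(count_proxy_links /etc/systemd/system/multi-user.target.wants service)
  sock=$(count_proxy_links /etc/systemd/system/sockets.target.wants socket)
  echo "enabled: $svc service links, $sock socket links (expect 4 and 4)"
  for p in $PROXIES; do
    if status_is_running "$(systemctl status "dnscrypt-proxy@$p" 2>/dev/null)"; then
      echo "$p: running"
    else
      echo "$p: NOT running - check /var/log/dnscrypt-proxy.log and the system clock"
    fi
  done
}
```

Source the file and call check_live on the Pi; the two helpers are kept separate so they can be exercised against a scratch directory and sample text without touching the live systemd tree.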