network manager - How to cache dnscrypt-proxy with dnsmasq+resolvconf?

Due to my ISP intercepting some DNS requests and returning 'redirected' A records, I want to use dnscrypt-proxy on my computer (my workstation, actually, running Ubuntu 16.04).

What I have done is install dnscrypt-proxy and point it to one of the public dnscrypt servers available. Then I changed the DNS server settings in Network Manager to point to 127.0.2.1 (the default listening address of dnscrypt-proxy).

It works, but it seems that every single resolve of FQDN goes to the dnscrypt server, and no caching is being performed.

So, I want to cache DNS resolution done by dnscrypt. I know I can do this using unbound, but dnsmasq is already installed on my workstation, so I want to use that instead. However, I'm a bit confused with the interaction between dnsmasq & resolvconf & Network Manager.

That leads to my question:

How do I configure my system so DNS Resolution will be done by dnscrypt-proxy but cached by dnsmasq?

1 Answer

  1. Randall

    2019-11-14

    You should first edit the NetworkManager config file in /etc/NetworkManager/NetworkManager.conf and change the line that says dns=dnsmasq to dns=none. Then restart the NetworkManager service using sudo systemctl restart NetworkManager.

    Install dnsmasq with sudo apt update && sudo apt install dnsmasq -y. Edit the dnsmasq config in /etc/dnsmasq.conf using your preferred editor.
    Delete the whole config, and replace it with this:

    listen-address=127.0.0.1
    port=53
    domain-needed
    bogus-priv
    dnssec
    # dnssec needs trust anchors or dnsmasq refuses to start; Ubuntu's dnsmasq-base package ships them here
    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
    proxy-dnssec
    strict-order
    no-resolv
    no-poll
    server=127.0.2.1
    cache-size=1000
    neg-ttl=3600
    dns-forward-max=150
    bind-interfaces

    Then, stop and disable resolvconf using sudo systemctl stop resolvconf && sudo systemctl disable resolvconf and restart and enable dnsmasq using sudo systemctl restart dnsmasq && sudo systemctl enable dnsmasq. Edit /etc/resolv.conf using your preferred editor. Change it to only have one line:

    nameserver 127.0.0.1

    Now, test your internet connection by pinging a web address, for example google.com. If you get a response, it means that your setup is working!
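Pinging a name only proves that something resolves it; it does not show that the query went through dnscrypt-proxy rather than leaking back to the ISP resolver, or that dnsmasq is actually caching. The script below is an added example, not code from the answer above or from the dnsmasq/dnscrypt-proxy projects. It checks a dnsmasq config for the directives that keep all forwarding on the 127.0.2.1 listener, and it judges from two `dig @127.0.0.1 NAME` outputs whether the second answer was a cache hit (dnsmasq answers locally in ~0 msec and returns the remaining TTL, counted down from the value it cached). The config file paths, the 192.0.2.53 "ISP resolver" address and the dig outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): offline checks for the
# dnsmasq-in-front-of-dnscrypt-proxy setup.
#  1. check_dnsmasq_conf: forwards ONLY to the dnscrypt listener, no path back
#     to the ISP resolver (no-resolv/no-poll set, no extra server= line).
#  2. second_answer_cached: given two dig outputs for the same name, was the
#     second one served from dnsmasq's cache?
# All sample data below is constructed for this example.

# Return 0 when the config has the required directives and no other upstream.
check_dnsmasq_conf() {
    conf="$1"
    upstream="$2"
    for directive in no-resolv no-poll bind-interfaces listen-address=127.0.0.1 "server=$upstream"; do
        grep -q "^$directive\$" "$conf" || { echo "$conf: missing '$directive'" >&2; return 1; }
    done
    # Any server= line other than the dnscrypt listener is a leak path around the proxy.
    if grep '^server=' "$conf" | grep -v "^server=$upstream\$" | grep -q .; then
        echo "$conf: extra upstream server(s) configured" >&2
        return 1
    fi
    return 0
}

# Pull "Query time: N msec" and the TTL of the first A record out of dig output.
dig_query_ms() { printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4; exit }'; }
dig_a_ttl()    { printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $2; exit }'; }

# Return 0 if the second dig output looks like a dnsmasq cache hit, 1 if not,
# 2 if either output could not be parsed.
second_answer_cached() {
    t1=$(dig_query_ms "$1"); t2=$(dig_query_ms "$2")
    ttl1=$(dig_a_ttl "$1");  ttl2=$(dig_a_ttl "$2")
    [ -n "$t1" ] && [ -n "$t2" ] && [ -n "$ttl1" ] && [ -n "$ttl2" ] || return 2
    # A cache hit needs no upstream round trip and carries the remaining TTL,
    # which dnsmasq counts down from the value it cached.
    [ "$t2" -le 5 ] && [ "$ttl2" -lt "$ttl1" ]
}

# Constructed dig outputs: a cold query, then a repeat answered from cache.
DIG_COLD=';; ANSWER SECTION:
example.com.        300    IN    A    203.0.113.10

;; Query time: 87 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
DIG_WARM=';; ANSWER SECTION:
example.com.        293    IN    A    203.0.113.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Write two constructed configs into the given directory: one matching the
# answer's intent, and a "leaky" one that also lists a second upstream
# (192.0.2.53 stands in for the ISP resolver).
write_sample_confs() {
    cat > "$1/good.conf" <<'EOF'
listen-address=127.0.0.1
port=53
no-resolv
no-poll
server=127.0.2.1
cache-size=1000
bind-interfaces
EOF
    cat > "$1/leaky.conf" <<'EOF'
listen-address=127.0.0.1
no-resolv
no-poll
server=127.0.2.1
server=192.0.2.53
bind-interfaces
EOF
}

# Stand-alone demo run.
tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in good leaky; do
    if check_dnsmasq_conf "$tmp/$f.conf" 127.0.2.1; then echo "$f.conf: ok"; else echo "$f.conf: REJECTED"; fi
done
if second_answer_cached "$DIG_COLD" "$DIG_WARM"; then echo "second query: served from cache"; fi
rm -rf "$tmp"
```

On the real workstation, run `check_dnsmasq_conf /etc/dnsmasq.conf 127.0.2.1` after editing the file, then capture `dig @127.0.0.1 example.com` twice into two variables and pass them to `second_answer_cached`; a second query that still reports tens of milliseconds means dnsmasq is forwarding every lookup and the cache is not in play.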
