I haven't seen much information on using systemd-resolved and dnscrypt-proxy together aside from advice advising to disable it. I have managed to get it to work, but I'm not sure if there are any "holes" in my setup, so I'm requesting feedback.
First off, I'm using the stub resolver so /etc/resolv.conf is going to be the default:
Then in network manager I have my DNS server set to 127.0.0.1 and I added an additional config file called /etc/systemd/resolved.conf.d/dns_servers.conf which has:
[Resolve]
DNS=127.0.0.1
Domains=~.
This is because systemd-resolved will try fallback resolvers (i.e., bypass dnscrypt-proxy). I set it up like this to ensure that all queries go through dnscrypt-proxy or fail.
Note that systemd-resolved does not do caching of its own if it detects another resolver doing it, so the statistics will be wrong. Furthermore, if you try to enable DNSSEC it will complain that the upstream resolver does not support it. However, my testing with a DNSSEC website, edns, qname minimization and query blocking seems to show that everything seems to work correctly. Wonder if anyone else had some thoughts.
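A check that could be run against the setup described in the post above (added example, not part of the original post): it parses `resolvectl status` text and lists, per scope, every configured or fallback DNS server that is not a loopback address. The sample text is constructed with documentation addresses, and the status layout it assumes may differ between systemd versions.

```python
import ipaddress
import sys

# Constructed sample in the layout of `resolvectl status` (not output from the post).
SAMPLE_STATUS = """\
Global
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1
Fallback DNS Servers: 192.0.2.53 2001:db8::53
        DNS Domain: ~.

Link 2 (enp3s0)
Current DNS Server: 192.0.2.1
       DNS Servers: 192.0.2.1
                    192.0.2.2
"""

SERVER_KEYS = {"DNS Servers", "Fallback DNS Servers"}

def non_loopback_servers(status_text):
    """Return [(scope, key, server)] for each listed server that is not loopback."""
    findings, scope, key = [], None, None
    for raw in status_text.splitlines():
        line = raw.strip()
        if not line:
            key = None                      # blank line ends the current scope block
            continue
        if not raw[0].isspace() and ": " not in line:
            scope, key = line, None         # scope header: "Global" or "Link N (ifname)"
            continue
        if ": " in line:
            key, _, value = line.partition(": ")
        else:
            value = line                    # continuation line of the previous key
        if key not in SERVER_KEYS:
            continue
        for token in value.split():
            host = token.split("#")[0].split("%")[0]   # drop "#name" / "%ifname" suffixes
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = False            # unparsable entry: report it for review
            if not loopback:
                findings.append((scope, key, token))
    return findings

if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for scope, key, server in non_loopback_servers(text):
        print(f"{scope}: {key} lists {server}")
```

With no piped input it runs on the constructed sample; pipe `resolvectl status` into it to inspect a live system.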