A use for a Raspberry Pi – DNSCrypt and Pi-hole

Like many, I got a Raspberry Pi and then it sat in a drawer for years while I tried to think of a project for it.
So I finally got around to a use for my Raspberry Pi.

Updated to include a new crontab for updating Pi-hole and adding I-Blocklist lists to Pi-hole.

It's now used to encrypt DNS requests leaving the network and as an ad blocker. (DNSCrypt encrypts only the hop from the Pi to the chosen resolvers; queries from LAN clients to the Pi are still plain DNS, and the resolvers you pick still see every query.)

Actually quite simple really, though I got caught by a couple of undocumented gotchas.
So this is how I set up DNSCrypt and Pi-hole, from a blank Pi to fully working.

Fresh system install & Prep

Download Raspbian Jessie Lite from raspberrypi.org and install it onto your microSD card.
I used Win32 Disk Imager to write the .img to my microSD.

After first boot, run sudo raspi-config and:
Select 2 Change User Password to change the default password (do this before you enable SSH; the default pi/raspberry login is the first thing anything scanning the LAN will try).
Select 3 Boot Options -> B1 Desktop / CLI -> B2 Console Autologin
Select 5 Interfacing Options -> P2 SSH -> Yes

Assuming your Pi is picking up a DHCP IP address from your router, you can now PuTTY/SSH onto the Pi from another machine on the network.

Ensure the Pi is updated
Just to make sure you're running the latest kernel and packages.

Install Pi-Hole

Install Pi-hole using their installer script. This is really easy and well done: run the command, follow the instructions, and you get a functioning ad blocker. (The installer is normally fetched with curl and piped straight into bash; if you'd rather not run an unread script as root, download it first, read it, then run it.)

Once installed, reset the admin password with

Setup Pi-Hole

Edit /etc/dnsmasq.conf

Change the commented line #listen-address= to: listen-address=127.0.0.1, 192.168.xxx.xxx
Replace the second IP with your Raspberry Pi's local network IP. (The itchy.nl guide lists a third address for its tun0 OpenVPN interface; there is no tun0 in this setup, so only these two are needed.) Limiting listen-address to loopback and the LAN address keeps dnsmasq off any other interface, so the Pi cannot become an open resolver if it is ever reachable from outside.

Restart DNSMasq

Install DNSCrypt
Mostly sourced from https://github.com/pi-hole/pi-hole/wiki/DNSCrypt,
with sections from https://itchy.nl/raspberry-pi-3-with-openvpn-pihole-dnscrypt

Install the necessary system components

Build DNSCrypt

Configure DNSCrypt

This is where things differ depending on which DNS servers you want to use.

First, make a user to run dnscrypt-proxy under.

This is where I deviate from the links above on configuring DNSCrypt.

Take a look at the resolvers file at https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv and pick some DNSCrypt resolvers based on things like location, whether the resolver logs queries, and whether it validates DNSSEC. That file is more than a directory: it carries each resolver's address and provider public key, which is what dnscrypt-proxy uses to authenticate the resolver, so keep it current and only ever fetch it over HTTPS.
You can use as many or as few of these as you want; I went with 4 resolvers but I'd recommend a minimum of 2.

So I selected the servers I wanted to use:
dnscrypt.org-fr
dnscrypt.eu-dk
dnscrypt.eu-nl
dnscrypt.nl-ns0

Now copy the socket file dnscrypt-proxy.socket to dnscrypt-proxy@<resolver>.socket, once per resolver,
and copy dnscrypt-proxy.service to dnscrypt-proxy@.service (a single template; systemd fills in the resolver name from the part after the @ in the instance name).

Now each file in turn needs editing.

I added the resolver name to the Description (not necessary), and I went with the following loopback IPs / ports for the proxy instances:

dnscrypt.org-fr 127.10.10.1:41
dnscrypt.eu-dk 127.10.20.1:41
dnscrypt.eu-nl 127.10.30.1:41
dnscrypt.nl-ns0 127.10.40.1:41

You need to modify ListenStream and ListenDatagram to the IP address and port number that instance should use. Port 41 is a privileged port (below 1024); with socket activation systemd opens it as root and hands the open descriptors to dnscrypt-proxy, which is why the proxy itself can run under the unprivileged dnscrypt user created above.

So edit each dnscrypt-proxy@<resolver>.socket, e.g.

My file dnscrypt-proxy@dnscrypt.org-fr.socket now contains

File dnscrypt-proxy@dnscrypt.eu-dk.socket now contains

File dnscrypt-proxy@dnscrypt.eu-nl.socket now contains

File dnscrypt-proxy@dnscrypt.nl-ns0.socket now contains

Now the dnscrypt-proxy@.service.

Change the contents to match the following (the reasons for these values are in the other blogs referenced earlier).

Copy the modified configuration files to the correct folders

Enable the units and reboot.
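To avoid hand-editing four socket files and the service template, here is a small POSIX shell script that generates them from one list. It is an added example, my own and not from the post or from the dnscrypt-proxy project; the unit contents are mine. The ExecStart flags (--resolvers-list, --resolver-name, --user, --ephemeral-keys) are dnscrypt-proxy 1.x options and assume the proxy was built with systemd socket-activation support as in the Pi-hole wiki build; the binary path, the resolver-list path and the dnscrypt user name are assumptions you should check against your install.

```shell
#!/bin/sh
# Added example, not from the post or the dnscrypt-proxy project: generate
# the per-resolver socket units and the dnscrypt-proxy@.service template.
# Assumptions (change to suit): dnscrypt-proxy 1.x built with systemd
# socket-activation support, installed at DNSCRYPT_BIN; the resolver list at
# RESOLVERS_CSV; an unprivileged user named dnscrypt.
# Usage (as root): sh gen-dnscrypt-units.sh /etc/systemd/system

DNSCRYPT_BIN=/usr/local/sbin/dnscrypt-proxy
RESOLVERS_CSV=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
DNSCRYPT_USER=dnscrypt

# One proxy instance per line: "<resolver name> <loopback address> <port>"
# (the resolvers and addresses chosen in the post).
RESOLVERS='
dnscrypt.org-fr 127.10.10.1 41
dnscrypt.eu-dk  127.10.20.1 41
dnscrypt.eu-nl  127.10.30.1 41
dnscrypt.nl-ns0 127.10.40.1 41
'

# write_socket_unit NAME ADDR PORT OUTDIR
# systemd opens the privileged (<1024) port as root and passes the open
# descriptors to the service, so the proxy never needs root to bind port 41.
write_socket_unit() {
    name=$1 addr=$2 port=$3 out=$4
    cat > "$out/dnscrypt-proxy@$name.socket" <<EOF
[Unit]
Description=dnscrypt-proxy listening socket ($name)

[Socket]
ListenStream=$addr:$port
ListenDatagram=$addr:$port
NoDelay=true
DeferAcceptSec=1

[Install]
WantedBy=sockets.target
EOF
}

# write_service_template OUTDIR
# %i is the instance name (the part after @), i.e. the resolver name, so one
# template serves every resolver. --user drops privileges after start-up;
# --ephemeral-keys uses a fresh client key pair per query so the resolver
# cannot link queries by client key.
write_service_template() {
    out=$1
    cat > "$out/dnscrypt-proxy@.service" <<EOF
[Unit]
Description=DNSCrypt client proxy (%i)
Requires=dnscrypt-proxy@%i.socket
After=network.target

[Service]
Type=simple
NonBlocking=true
ExecStart=$DNSCRYPT_BIN --resolvers-list=$RESOLVERS_CSV --resolver-name=%i --user=$DNSCRYPT_USER --ephemeral-keys
Restart=always
EOF
}

# generate_all OUTDIR: write every unit and print the enable commands to run.
generate_all() {
    out=$1
    write_service_template "$out"
    printf '%s\n' "$RESOLVERS" | while read -r name addr port; do
        [ -n "$name" ] || continue
        write_socket_unit "$name" "$addr" "$port" "$out"
        echo "systemctl enable dnscrypt-proxy@$name.socket"
    done
}

if [ -n "${1:-}" ]; then
    generate_all "$1"
fi
```

Run it as root with the unit directory as the argument, then run the printed systemctl enable lines followed by systemctl daemon-reload. Because the sockets belong to systemd, the proxy binary never has to bind a privileged port itself and drops to the dnscrypt user as soon as it starts.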

After the reboot you can check DNSCrypt with the command

It should come back green "active", but mine came back as "dead".
I also had to

and reboot again.

Now when you test with sudo systemctl status -l dnscrypt-proxy@\* it should come back with something like:

We're interested in the Active: line; the state should be active (running).

Modify DNSMasq configurations

Create an additional dnsmasq configuration file.

My 02-dnscrypt.conf now looks like

Edit 01-pihole.conf

Comment (#) out all server references.
#server=...

Edit setupVars.conf

Comment (#) out all piholeDNS references.
#piholeDNS1=...
#piholeDNS2=...

Restart DNSMasq
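The 02-dnscrypt.conf drop-in together with the commented-out server= and piholeDNS lines is what decides whether every upstream query really goes through the proxies; one leftover plaintext upstream is enough for queries to leak. Here is an added shell example (mine, not the post's or Pi-hole's) that prints the drop-in from the same resolver list, prints the /etc/hosts lines used later under "Additional Optional Configuration", and checks a dnsmasq.d directory and setupVars.conf for any active non-loopback upstream. The paths are parameters; matching the setupVars key as either piholeDNS or PIHOLE_DNS is an assumption, since the spelling varies between Pi-hole versions.

```shell
#!/bin/sh
# Added example, not from the post or from Pi-hole: generate the dnsmasq
# drop-in that sends every upstream query to the local dnscrypt-proxy
# instances, and check that no plaintext upstream is left behind.
# Assumptions: drop-ins in /etc/dnsmasq.d and Pi-hole settings in
# /etc/pihole/setupVars.conf (both passed in as parameters below).

# One proxy instance per line: "<resolver name> <loopback address> <port>"
RESOLVERS='
dnscrypt.org-fr 127.10.10.1 41
dnscrypt.eu-dk  127.10.20.1 41
dnscrypt.eu-nl  127.10.30.1 41
dnscrypt.nl-ns0 127.10.40.1 41
'

# dnscrypt_conf: print the body of 02-dnscrypt.conf.
# no-resolv stops dnsmasq reading /etc/resolv.conf, so the only upstreams
# are the server= lines; "address#port" is dnsmasq's syntax for a
# non-standard upstream port.
dnscrypt_conf() {
    echo 'no-resolv'
    printf '%s\n' "$RESOLVERS" | while read -r name addr port; do
        [ -n "$name" ] || continue
        echo "server=$addr#$port"
    done
}

# hosts_entries: /etc/hosts lines so the Pi-hole admin page shows each
# upstream by resolver name instead of a bare 127.x address.
hosts_entries() {
    printf '%s\n' "$RESOLVERS" | while read -r name addr port; do
        [ -n "$name" ] || continue
        echo "$addr $name"
    done
}

# upstreams_ok DNSMASQ_D SETUPVARS
# Succeeds only if every active server= line under DNSMASQ_D points at a
# loopback address (one of the proxies), no-resolv is set, and SETUPVARS has
# no active piholeDNS/PIHOLE_DNS entry (the key's spelling varies between
# Pi-hole versions, so match both). A leftover "server=8.8.8.8" or an
# uncommented piholeDNS1= is exactly what a DNS leak test would expose.
upstreams_ok() {
    d=$1 vars=$2
    if grep -h '^server=' "$d"/*.conf | grep -v '^server=127\.' | grep -q .; then
        echo "non-loopback upstream still active in $d" >&2
        return 1
    fi
    if ! grep -q '^no-resolv' "$d"/*.conf; then
        echo "no-resolv missing in $d" >&2
        return 1
    fi
    if grep -E -q -i '^PIHOLE_?DNS' "$vars"; then
        echo "active piholeDNS entry in $vars" >&2
        return 1
    fi
    return 0
}

# Usage (as root): sh dnscrypt-upstreams.sh /etc/dnsmasq.d /etc/pihole/setupVars.conf
# writes 02-dnscrypt.conf and runs the check; restart dnsmasq afterwards.
if [ -n "${2:-}" ]; then
    dnscrypt_conf > "$1/02-dnscrypt.conf"
    upstreams_ok "$1" "$2"
fi
```

Run the check again after any Pi-hole update or repair: a reconfiguration that rewrites 01-pihole.conf or setupVars.conf can quietly put a plaintext server= line back, and the leak test at the end of this post is the only other thing that would tell you.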

Reboot Raspberry Pi.

At this point I found that my Pi-hole had stopped working, and if I used the Pi as DNS nothing got resolved.
To fix this, run

Choose "Repair (This will retain existing settings)" and then reboot when finished.

You can now change your router to hand out the Pi as the DNS server via DHCP. Clients with a hard-coded DNS server, or applications that bring their own resolver, bypass the Pi entirely and get neither ad filtering nor encryption, unless you also block outbound port 53 from everything except the Pi at the router.

Testing
Try an online DNS leak test such as https://www.dnsleaktest.com/.
Run the test and make sure the servers it reports are your DNSCrypt resolvers, not your ISP's or router's resolver; the latter would mean some query path is still bypassing the proxies.

Additional Optional Configuration.
Since Pi-hole 2.9.4, if you add your resolvers to the hosts file they also show up nicely in the Pi-hole admin interface.

Edit the hosts file

Add readable entries for your DNSCrypt resolvers, e.g.

Set up a cron job to update the resolvers.

To automate this process you can write a simple shell script:

Now set the execute bit on the script so it can be run.

To set up a cron job that runs the script weekly and also updates Pi-hole:

Add to the bottom of the file:
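The resolvers file is the one thing the proxies trust, since it carries each resolver's address and provider public key, so a cron job that blindly overwrites it is the weak point of this setup. Here is an added version of the update script (mine, not the post's) that refuses to install a list it cannot sanity-check. It assumes the installed path /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv, the four resolver names chosen above, the CSV header as published for the dnscrypt-proxy 1.x list, and, optionally, a minisign signature published next to the file with the publisher's key saved at /etc/dnscrypt-proxy/minisign.pub; all of those are assumptions, and the signature step is skipped when minisign or the key file is absent. The download URL is the one linked earlier in the post.

```shell
#!/bin/sh
# Added example, not from the post: weekly resolver-list update that refuses
# to install a file it cannot sanity-check, instead of blindly overwriting.
# Assumptions: the list lives at CSV_PATH; the four resolver names from the
# post; the CSV header as published for the dnscrypt-proxy 1.x list; and,
# optionally, a minisign signature published next to the file with the
# publisher's key saved at MINISIGN_PUB.
#
# Suggested crontab entries (sudo crontab -e), if this is saved as
# /usr/local/sbin/update-dnscrypt-resolvers.sh:
#   0  3 * * 0  /usr/local/sbin/update-dnscrypt-resolvers.sh update
#   30 3 * * 0  /usr/local/bin/pihole -g
set -u

CSV_URL=https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
CSV_PATH=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
MINISIGN_PUB=/etc/dnscrypt-proxy/minisign.pub
WANTED='dnscrypt.org-fr dnscrypt.eu-dk dnscrypt.eu-nl dnscrypt.nl-ns0'

# validate_csv FILE NAME...
# The proxies take each resolver's address AND provider public key from this
# file, so a truncated download, an HTML error page or a tampered list would
# silently re-point every instance. Accept the file only if it has the
# expected header and a row for every resolver in use.
validate_csv() {
    f=$1; shift
    if ! head -n 1 "$f" | grep -q '^Name,Full name,'; then
        echo "unexpected header in $f" >&2
        return 1
    fi
    for n in "$@"; do
        if ! grep -q "^$n," "$f"; then
            echo "resolver $n missing from $f" >&2
            return 1
        fi
    done
    return 0
}

# update_resolvers: download to a temp file in the target directory (so the
# final mv is an atomic rename), validate, optionally verify the signature,
# install, then restart the proxies so they pick up changed addresses or keys.
update_resolvers() {
    tmp=$(mktemp "${CSV_PATH}.XXXXXX") || return 1
    if ! curl -fsSL -o "$tmp" "$CSV_URL"; then
        echo "download failed" >&2; rm -f "$tmp"; return 1
    fi
    if ! validate_csv "$tmp" $WANTED; then
        rm -f "$tmp"; return 1
    fi
    # Signature check runs only when minisign and the key file are present;
    # remove this guard to make it mandatory.
    if command -v minisign >/dev/null 2>&1 && [ -r "$MINISIGN_PUB" ]; then
        if ! curl -fsSL -o "$tmp.minisig" "$CSV_URL.minisig" ||
           ! minisign -Vm "$tmp" -x "$tmp.minisig" -p "$MINISIGN_PUB"; then
            echo "signature check failed" >&2; rm -f "$tmp" "$tmp.minisig"; return 1
        fi
        rm -f "$tmp.minisig"
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$CSV_PATH" || { rm -f "$tmp"; return 1; }
    for n in $WANTED; do
        systemctl restart "dnscrypt-proxy@$n.service"
    done
}

case "${1:-}" in
    update) update_resolvers ;;
esac
```

Save it, chmod +x it, and call it with the update argument from root's crontab; pihole -g refreshes the block lists, and pihole -up updates Pi-hole itself if you want that automated as well.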

Once set up I'd recommend shutting down the Pi, taking out the micro SD card and then taking an image of the card for backup.

(It will save having to do it all again in case of corruption. I had a power cut that corrupted my Pi's SD card.)

Additional PiHole Config

Under Settings in the Pi-hole admin interface, http://<your pi ip address>/admin,
look under "Pi-Hole's Block Lists". You can add lists from I-Blocklist here.

Adding the Microsoft list will block the Microsoft entries on that list via your Pi-hole. Be aware that this applies to every client on the network and can break Windows Update and other Microsoft services, so test before leaving it enabled.

http://list.iblocklist.com/?list=xshktygkujudfnjfioro&fileformat=p2p&archiveformat=gz

Resources

Lots of information on the following two blogs, especially around why you set things.
https://github.com/pi-hole/pi-hole/wiki/DNSCrypt
and
https://itchy.nl/raspberry-pi-3-with-openvpn-pihole-dnscrypt

Enjoy your Encrypted DNS