Pihole with Dnscrypt-proxy

My latest spare-time project is re-purposing my old Raspberry Pi 2 B, and I was thinking of moving my local DNS server to this Pi. This note contains a few steps for playing with Dnscrypt and Pihole. My main reason for combining Pihole with Dnscrypt is that I hate “ads” and want to take back my freedom from “privacy” tracking by social media, vendors (ISPs) and whatever else they call themselves (yeah, trying, ROFL!).

First, write your image to an SD card and boot your RPi from it. It’s pretty straightforward, like the first setup of any Linux box; here I am using Raspbian (Raspberry OS). Then don’t forget to set a static IP in /etc/dhcpcd.conf

Here is an example.

# My interface
interface eth0
static ip_address=192.168.30.2/29
static routers=192.168.30.1
static domain_name_servers=1.1.1.1 127.0.0.1

Next, install Pihole

curl -sSL https://install.pi-hole.net | bash

To begin with, use Google DNS or Cloudflare DNS when setting up DNS forwarding on the Raspberry Pi.

Dnscrypt

This section downloads and installs the Dnscrypt package on Raspbian. For this I will use the /opt directory

cd /opt

Grab the latest version of Dnscrypt-Proxy from the release packages, and be careful to choose the right processor architecture.

wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_arm-2.0.44.tar.gz

Extract the prebuilt binary, then rename the extracted directory

# Extract
tar xzvf dnscrypt-proxy-linux_arm-2.0.44.tar.gz

# Rename
mv linux-arm dnscrypt-proxy

Enter the dnscrypt-proxy directory and create the main Dnscrypt config in .toml format

cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

The next step is choosing a Dnscrypt provider; you can also check the list on Dnscrypt.info. My recommended providers, based on my location, are:

Change some parameters, like:

server_names = ['doh-sg-blahdns', 'doh-sg-blahdns-v6', 'dnscrypt-sg-blahdns-ipv4', 'dnscrypt-sg-blahdns-ipv6']

listen_addresses = ['127.0.0.1:5053']

fallback_resolvers = ['1.1.1.1:53', '8.8.8.8:53']

[static]

  # [static.'myserver']
  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

## Publickey: 5384E8144314293E56DD1B140A1EF172AD47BDBA1799C8957294953D034EB5C7
## Singapore
[static.'blahdns-sg-doh']
stamp = 'sdns://AgMAAAAAAAAADjEzOS4xODAuMTQxLjU3ABJkb2gtc2cuYmxhaGRucy5jb20KL2Rucy1xdWVyeQ'
[static.'blahdns-sg-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAKFsyMDAxOjE5ZjA6NDQwMDo2YmVkOjU0MDA6MmZmOmZlYjE6ZjlmYV0AEmRvaC1zZy5ibGFoZG5zLmNvbQovZG5zLXF1ZXJ5'
[static.'blahdns-sg-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAEzEzOS4xODAuMTQxLjU3Ojg0NDMgU4ToFEMUKT5W3RsUCh7xcq1HvboXmciVcpSVPQNOtccbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'
[static.'blahdns-sg-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAALVsyMDAxOjE5ZjA6NDQwMDo2YmVkOjU0MDA6MmZmOmZlYjE6ZjlmYV06ODQ0MyBThOgUQxQpPlbdGxQKHvFyrUe9uheZyJVylJU9A061xxsyLmRuc2NyeXB0LWNlcnQuYmxhaGRucy5jb20'

Because Pihole already uses port 53, you must give the Dnscrypt service a different port, for example port 5053. For additional config options you can check their repo.
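The stamps in the [static] section above are base64url-encoded records, so they can be decoded and compared with what the provider publishes before dnscrypt-proxy is pointed at them. The Python below is an added example, not part of the original post or of the dnscrypt-proxy project; it handles only the DNSCrypt and DoH stamp types used in this config, and the function names are illustrative.

```python
import base64
import struct

# Two of the stamps from the [static] section above, copied verbatim.
DOH_STAMP = "sdns://AgMAAAAAAAAADjEzOS4xODAuMTQxLjU3ABJkb2gtc2cuYmxhaGRucy5jb20KL2Rucy1xdWVyeQ"
DNSCRYPT_STAMP = "sdns://AQMAAAAAAAAAEzEzOS4xODAuMTQxLjU3Ojg0NDMgU4ToFEMUKT5W3RsUCh7xcq1HvboXmciVcpSVPQNOtccbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t"
PROTOCOLS = {0x01: "DNSCrypt", 0x02: "DoH"}  # only the types this config uses


def _read(buf, pos, vlp=False):
    """Read one length-prefixed field; in a VLP set the top length bit means 'more follow'."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    n, more = buf[pos], False
    if vlp:
        n, more = n & 0x7F, bool(n & 0x80)
    end = pos + 1 + n
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end, more


def decode_stamp(stamp):
    """Return the fields of a DNSCrypt or DoH stamp as a dict."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9 or raw[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    props = struct.unpack_from("<Q", raw, 1)[0]  # 64-bit little-endian flags
    addr, pos, _ = _read(raw, 9)
    out = {"protocol": PROTOCOLS[raw[0]], "addr": addr.decode("ascii"),
           "dnssec": bool(props & 1), "no_logs": bool(props & 2),
           "no_filter": bool(props & 4)}
    if raw[0] == 0x01:  # DNSCrypt: provider public key, then provider name
        key, pos, _ = _read(raw, pos)
        name, pos, _ = _read(raw, pos)
        out.update(public_key=key.hex().upper(), provider=name.decode("ascii"))
    else:  # DoH: set of pinned cert hashes, hostname, path (bootstrap IPs ignored)
        hashes, more = [], True
        while more:
            item, pos, more = _read(raw, pos, vlp=True)
            if item:
                hashes.append(item.hex())
        host, pos, _ = _read(raw, pos)
        path, pos, _ = _read(raw, pos)
        out.update(cert_hashes=hashes, hostname=host.decode("ascii"), path=path.decode("ascii"))
    return out
```

Comparing `decode_stamp(DNSCRYPT_STAMP)["public_key"]` with the `## Publickey:` comment in the config confirms that the stamp pins the key written next to it, and the flag fields show what the resolver claims about DNSSEC, logging and filtering.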

Next, install and start dnscrypt-proxy as a systemd service.

# Install
./dnscrypt-proxy -service install

# Start and enable
./dnscrypt-proxy -service start

Try to resolve a domain with one of these commands:

./dnscrypt-proxy -resolve example.com

# OR

dig @localhost -p 5053 example.com

As the last step, log in to your Pihole admin website and change the Upstream DNS Server to the dnscrypt service

And let your router or access point use the Raspberry Pi's IP as its DNS server

Thanks!
