Dnscrypt-proxy: [Thread] Running dnscrypt-proxy on Android

Created on 27 Jan 2018  ·  130Comments  ·  Source: DNSCrypt/dnscrypt-proxy

Current status:

  • The proxy compiles without any changes using gomobile
  • It also compiles and runs fine on Termux

This is fantastic, but not enough for most Android users to easily install and use it.

Since my knowledge of Android is fairly limited, help would be welcome!

android 需要帮助

Most helpful comment

I just created magisk module here https://github.com/bluemeda/dnscrypt-proxy-magisk

All 130 comments

Exactly how do you build it with gomobile? I tried and it makes an apk which doesn't work.

I was thinking of just making a magisk module. It's either that or a root app and I don't know how to make apps. I already updated this unmaintained v1 module for the latest magisk version and some extra improvements, It should be simple enough to adapt to v2. I just need a way to make the binaries.

It requires an app.Main() function, that can just call the (actual) main function. That's all I know :)

Well the linux arm64 variant works seems to fine on my phone. Maybe we don't need android specific binaries after all.

Also I have a request, I don't know if it's possible but could you add an option to have paths relative to dnscrypt-proxy.toml? It would be useful since I'm separating the binary from the config files (can't well keep them in /system/xbin). Otherwise every path in dnscrypt-proxy.toml must be a hardcoded absolute path.

./dnscrypt-proxy
[2018-01-28 15:10:08] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-01-28 15:10:08] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
^C[2018-01-28 15:10:58] [NOTICE] Stopped.``

This is the binary file from release page,running on termux.(arm64)
But when I use self-compiled binary,it works fine.
(Maybe it's because I run it without setting the port to 53?Set port 5353 ).
Android 7.1.2

Edit:Works fine when I use self-compiled binary.(set port to 5353.)
And I found a similar issue on another project.It said that the software will not run on android if the domain name is set,but it can run if the ip is set
issue:https://github.com/fatedier/frp/issues/633 (Chinese)

edit(2019.11.03):.
it seems that this problem occurs when /etc/resolv.conf is missing
and Android absolutely don't have this file in that exact place.
a chroot or proot may do the trick.(use proot image or just execute dnscrypt proxy right after termux-chroot is ok,e.g. termux-chroot ./dnscrypt-proxy )

  • if you are using termux-chroot please don't forget to add ~/../usr/etc/resolv.conf and edit it.

  • You can just download linux-arm or linux-arm64 version from releases page and use it.

Hi, I am trying the arm binaries on my phone and they seem to work fine.
However i have a problem with configuration, since i receive this error:

Starting dnscrypt-proxy...
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [CRITICAL] Unable use source [public-resolvers]: [read udp 10.102.21.149:50517->9.9.9.9:53: read: connection refused]
[2018-02-07 13:53:31] [FATAL] No servers configured

Here is my dnscrypt-proxy.toml: https://pastebin.com/c5HM2SMW

Is your network usable? connection refused is pretty self-explanatory; it looks like the phone doesn't have access to the internet, or that something is blocking outgoing DNS connections.

Ok thank you, the problem was that just after starting dnscrypt-proxy i tryed to divert all dns requests to localhost:

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1

Unfortunately, i don't know how to configure my phone to use 127.0.0.1 as dns server after starting dnscrypt-proxy :(

I added a guide to building the Android version on a non-Android OS, if anyone's interested.

https://github.com/jedisct1/dnscrypt-proxy/wiki/Building-the-Android-version-on-non-Android-OS

This is fantastic, thank you @Sporif!

@Sporif are you still planning to release a Magisk module for 15+?

@JERW86 Yeah I am, it's just going to be a while. Still writing the script that calls dnscrypt-proxy.

System: Android LOS 7.1.2 latest, amd64 compiled, root, Afwall+ (on/off) moved the folder dnscrypt-proxy to data/local/tmp, all files 777 privileges

I encountered the following error while starting it with ./dnscrypt-proxy:
[FATAL] listen udp 127.0.0.1:5353: bind: address already in use

I changed the standard configuration file:

listen_addresses = ['127.0.0.1:53', '[::1]:53']
to
listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

If not I got an error that there's no UDP connection possible

require_dnssec = false
to
require_dnssec = true

SSH:
gemini:/data/local/tmp/dnscrypt-proxy # ./dnscrypt-proxy
[2018-02-20 16:57:11] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 16:57:11] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 16:57:11] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
255|gemini:/data/local/tmp/dnscrypt-proxy #

How can I fix this and run dnscrypt-proxy permantly?

listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

Looks like you are listening to the same IP and port twice.

Ok, changed it again to the standard listen addresses
But then getting an error again:

gemini:/ $ su
gemini:/data/local/tmp/dns/dnscrypt-proxy <
[2018-02-20 18:03:30] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 18:03:30] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
255|gemini:/data/local/tmp/dnsc,rypt-proxy #

Try a single address, then:

listen_addresses = ['127.0.0.1:53']

Could you sent me a copy of your compiled dns crypt? Cant get it wo work :(

@HI54U
If you haveen't already, you also need to set the dns server with iptables.

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $ipv4address 
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination $ipv4address

Where $ipv4address is the ipv4 address used in listen_addresses

To remove the rules it's the same command except use iptables -t nat -D instead of iptables -t nat -A.

@Teyro what have you tried so far?

@jedisct1
thank you, that works now, no errors.

@Teyro
amd64 V2.0.1
https://files.fm/u/f9w8h4gg

@Sporif
thank you for the advice, already changed the Afwall+ startup script

What is the best way to start dnscrypt-proxy automatic and not manual in a shell for Android 7.1.2? Init.d script?

Yes an init.d script, or if you use magisk add the script to /sbin/.core/img/.core/service.d

ok, made a simple userinit script in system/etc/init.d

99userinit.sh

!/system/bin/sh

cd data/local/tmp/dnscrypt-proxy
./dnscrypt-proxy

then started it with universal init.d

And I found an non-root solution,the app can use Vpnservice on android to modify dns traffic

  1. set port 5353 in "dnscrypt-proxy.toml" configuration file.
  2. set port 5353 and 127.0.0.1 as server address in daedalus app.
  3. start dnscrypt-proxy in termux(or any other terminal emulator.
  4. finally you can start daedalus app and run it without root permission.
    (it should also work on other non-root ports)

Project:
https://github.com/iTXTech/Daedalus

(Only tested on Android 7.1.2 LOS.)
aarch64.
And it should work on Lollipop(5.0) and higher.

Using Termux to compile the binary file.

but it seemed that it is a bit complicated. :|

and if port 5353 doesn't work,set other non root ports is ok.

Following this discussion closely, hoping to get dnscrypt-proxy to work with OpenDNS on my rooted (Magisk) OPT3 running Oreo 8.1, but it's just a little over my head.

I believe i was able to successfully build dnscrypt-proxy using Sporif's excellent guide.

Edited the example-dnscrypt-proxy.toml to:
dnscrypt-proxy.toml
server_names = ['cisco-ipv6']
and
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']

Now i can't seem to start the service, iv'e tried a few things without result.

P.s. Looking forward to Sportif's release of a Magisk module.

I just created magisk module here https://github.com/bluemeda/dnscrypt-proxy-magisk

@bluemeda
Thx for your work, downloaded the file from v saw only the sources try to flash in magisk 16... said no vailed file?!?! Did i need to compile it?

@bluemeda Thank you!
but,
Same result as @Teyro and thus same question.

@Teyro @gideion You have to re-zip the files so they are not contained in a folder. To flash in Magisk Manager, the zip file needs to be signed.

@bluemeda
I downloaded the zip from github, extracted the files, edited dnscrypt-proxt.toml removing the # on the line:
# server_names = ['scaleway-fr', 'google', 'yandex'] and replaced 'scaleway-fr', 'google', 'yandex'
with 'cisco-ipv6' to use OpenDNS so now the line reads:
server_names = ['cisco-ipv6']
zipped the file (no compression) and signed it using ZipSigner
I was able to successfully flash the zip using Magisk Manager v16, and then rebooted, however after testing using https://dnsleaktest.com/ it says that i am still using the local ISP for DNS and connecting to 6+ servers so it does not look like dnscrypt-proxy is working.
What am i doing wrong/missing?

Thanks for your help, it is appreciated.

@Teyro & @gideion

Here is the module from @bluemeda, signed and working (at least for me using Magisk 16.0).
dnscrypt-proxy_Magisk.zip

@gideion I haven't that issue. I'll check later.

My repo has been added to Official Magisk Repo. You can download it in Magisk Manager app.
https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk

@bluemeda
I sucessfully installed your module from the official repo, cleared my browser cache and rebooted, unfortunately however the results were the same as when i built it myself, it does not seem to be working.
See attached screenshot for my results from https://dnsleaktest.com/

screenshot_firefox_20180304-120920

@gideion
please make sure if dnscrypt-proxy is running. Check it with ps -A | grep dnscrypt-proxy

@bluemeda
ps -A | grep dnscrypt-proxy
gives the result
15798 u0_a174 0:00 grep dsncrypt-proxy

@gideion run as root ps -ef | grep dnscrypt-proxy to see full arguments of the process

for example:

root@android:/storage/emulated/0 # ps -ef | grep dnscrypt-proxy
root           655     1 0 13:28:43 ?     00:00:00 dnscrypt-proxy -config /sbin/.core/img/dnscrypt-proxy/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml
root         13232 13199 15 13:41:35 pts/2 00:00:00 grep dnscrypt-proxy

@bluemeda
ps -A | grep dnscrypt-proxy root 1024 1 39704 17180 futex_wait_queue_me 109e0ce9b8 S dnscrypt-proxy

@gideion hmm.... it seems that it was running

how about iptables?
iptables -L -t nat

@bluemeda
`iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
oem_nat_pre all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:domain to:127.0.0.1:5353
DNAT udp -- anywhere anywhere udp dpt:domain to:127.0.0.1:5353

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
natctrl_nat_POSTROUTING all -- anywhere anywhere

Chain natctrl_nat_POSTROUTING (1 references)
target prot opt source destination

Chain oem_nat_pre (1 references)
target prot opt source destination
`

Magisk Module workes great but have to add

37.59.238.213 download.dnscrypt.info

to my /etc/hosts (because use hosts magisk adblock)

And i need to start dnscrypt by hand in adb shell / terminal by useing

./dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Because the init.d script doenst find the config, added that doenst work.... :(

There is a typo in magisk module's service.sh, dnsproxy is called with -config instead of --config.
I've removed the entire while construct there and it ran on startup with zero problems.

I am working on an updated root-version, flashable zip for Android based off 'dnscrypt-proxy-android-armv7-a-1.9.4' (last version I had from the old proxy). Will try to get it done this weekend. If interested in posting this, let me know.

The key for me getting this to work is not setting up the iptables with 127.0.0.1 in a separate script or afWall+. I believe it is already done in the config (dnscrypt-proxy.toml).

Looks like there is another issue with the Magisk module: https://github.com/jedisct1/dnscrypt-proxy/issues/226#issuecomment-373721309

Any reasons to use a different port?

@palmuse I would be interested.

@gideion I uploaded a copy of the updated zip. Based on dnscrypt 1.9.4 and dnscrypt-proxy 2.0.7.

Be warned this is my first venture in updating a flash zip. It worked on my device. (LineageOS 14.1 on Galaxy Note 3). Might not be the best implementation, but works for my needs.

Note: I use OverrideDNS to set my DNS to localhost. Everything else should work out of the box.

A nice site to test with is here (lists all servers):
https://ipleak.net/

https://www.dropbox.com/s/ym684cyhawbyumd/dnscrypt-proxy-android-armv7-2.0.7-signed.zip?dl=0

My Internet can not be used after install dnscrypt v2,1.3 from magisk manager.
Redmi 4 prime running Android 7.1.2 Unoffciall Crdroid

I use overridedns and set to opendns(port443) everything is working now.
But if i change to another dns without port 443,my internet is unuseable.
Sorry for mybad english

Next update, I will create option in installation progress to let users make their decision

  • use iptables script by default
  • no iptables rules (you have to set dns manually with 3rd party apps (AfWall, OverrideDNS, etc)).

@bluemeda Dude which zip we should download? I'v downloaded this:
https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk/archive/v2.1.2.zip
Then tried to flash it via Magisk Manager, It says "This zip is not Magisk Module".

@runo280 download it via Magisk Manager apps. If you wanna download from github, try download https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk/archive/master.zip extract it then go to root folder and re-zip.

I am trying to run dnscrypt-proxy-android_arm-2.0.8 on my android phone, running marshmallow.

I configured it to use only google DNS. However, I get an error saying Certificate Hash not found for [google].

Could someone help?

[2018-03-30 10:31:25] [NOTICE] Source [public-resolvers.md] loaded
[2018-03-30 10:31:25] [NOTICE] dnscrypt-proxy 2.0.8
[2018-03-30 10:31:25] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2018-03-30 10:31:25] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2018-03-30 10:31:28] [ERROR] Certificate hash [f25c6adc73978d79c27c9e8989089faae9e08b4c49fa6c789cd2158653061068] not found for [google]
[2018-03-30 10:31:28] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

It ran error free a couple of times, after that. However, now it is showing another error.

[2018-03-30 12:17:05] [NOTICE] Source [public-resolvers.md] loaded
[2018-03-30 12:17:05] [NOTICE] dnscrypt-proxy 2.0.8
[2018-03-30 12:17:05] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2018-03-30 12:17:05] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2018-03-30 12:17:09] [ERROR] read udp 100.71.31.223:45908->9.9.9.9:53: i/o timeout
[2018-03-30 12:17:09] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

I am using Android 8.1, with AfWall+ (only IPv4), DnsCrypt 2.0.6.
The Afwall-Script is directing everything to local host
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1

If I shut down the phone ie for recharging and reboot after some hours the Internet connection is lost.

Then I need to set a different DNS for some moments
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 85.214.20.141:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 85.214.20.141:53

After that I change back to localhost and dnscrypt-proxy is working again.

What is the reason of this behaviour and does anybody knows how I can automatically change the DNS if this happens (maybe setting also an alternative DNS)?

I added this to my in it.d script for this very reason.

iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53
iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53 || true
iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53 || true
iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53
iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53

I put this at the beginning of the script, then start dnscrypt-proxy which then sets the iptables to 127.0.0.1:53.

Might not need all of this, but it works for me.

Hello there.

I tried to install the service but failed, there is an error:

[FATAL] Failed to install DNSCrypt client proxy: open /etc/init.d/dnscrypt-proxy: read-only file system

Am i miss something?

Dear palmuse thank you for your suggested Init.d script!
I tested it (with V2.06 and actual 2.08) and it updates the serverlists and there's no error in the log!!
My toml config is different from the standard config:
listen_addresses = ['127.0.0.1:53']
require_dnssec = true
ignore_system_dns = true (tested both)
block_ipv6 = true (tested both)

If I check with dnsleaktest.com it's always the same US Servers (woodynet-1 - woodynet IP 74.x.x.x). It looks like that it's the Quad9 fallback server 9.9.9.9. ...

Can you please check with dnsleaktest.com what Dns server will be used with your config?
It's always the same Dns servers or does it change?

@Frank
Thank you for the update 2.08!!!!
Is this a typo in the .toml ....? urls instead of url?
Got an error message unknown command in the log

[sources]
[sources.'public-resolvers']
urls =

@HI54U There are no typos: version 2.0.8 supports multiple URLs, for redundancy.

But the url property still works for backward compatibility.

@HI54U I am using the public servers list. I get a long list of active DNS servers when I test. Are you using an app to set the DNS? I use OverrideDNS to set DNS path everyone my network changes. This is a key part to getting all of this to work on Android. Otherwise you will see the default servers. Also, I have dnssec set to false. I think this set to true will limit your server options.

Is there a solution for non-rooted Android devices (those also running Android N or below)? I can get it run on Termux, listen to non-53 ports, but no way to specifiy mobile network to listen to it.

AdGuard doesn't require a rooted device.

Drony includes DNSCrypt v1 that doesn't require root

@palmuse can you update your flashable zip please? thanks!

I will update the flash zip tonight. Sorry for the delay on that. Did not see the request. Will post when it is ready.

With latest V16 I my log has always:
[FATAL] listen upd 127.0.0.1:53: bind: address already in use

the config has:
listen_addresses = ['127.0.0.1:53']

Then I have an Afwall Script for the fallback server
$iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53
$iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53
$iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53 || true
$iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53 || true
$iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53
$iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53

I tried different ports like 54, 5453, 5354 but I always get this error. Is there Any solution to solve this?

Another issue I have (after shutdown while recharging and reboot):
read udp 10.148.191.161:46025 -> 9.9.9.9:53: read: connection refused
[FATAL] No servers configured

if I change 127.0.0.1 to another IP manual I got
[public-resolvers]write upd 10.175.76.23:37231 -> 9.9.9.9:53: write: operation not permitted
[FATAL] No servers configured

I had the same problem of
"[FATAL] listen upd 127.0.0.1:5353: bind: address already in use" on my Honor 8. I noticed android apk com.google.android.gms still holding the port 5353 even termux exited, dnscrypt-proxy works again after stop the google gms manually.

@late-latte NetGuard

Read how to run, it applies to Termux too https://github.com/smarek/android-unbound-dns/issues/18

Friends, I'm using dnscrypt proxy v2 magisk module on android 8.1.0.
Can I use it along with cloudflare DNS?
I've installed cloudflare DNS module along with dnscrypt. When I checked online, DNS shows cloudflare but how do I know that dnscrypt is working and the DNS included in the module isn't conflicting with cloudflare DNS?

@Sporif, @jedisct1, Maybe it will be useful for new gentoo users to know about requirement?
Please, check it:
[1] sys-libs/ncurses version 5 with USE="tinfo"
[2] dev-lang/go maybe needs USE="gccgo"
[3] sys-devel/gcc maybe needs USE="go"

my startup script dnscrypt
https://github.com/uzen/dnscrypt-android/releases/
2.0.17

@uzen Nice work. Command line options look great. Going to check it out!

@uzen I flashed the zip after modifying dnscrypt-proxy.toml by:
uncommenting and changing server_names
changing [static.'google'] stamp = 'sdns://******* with the data from public-resolvers.md for the resolver of my choice
setting require_dnssec = true
I entered in AFWall+ the custom script . /system/etc/init.d/99dnscrypt.sh start &
and . /system/etc/init.d/99dnscrypt.sh stop & as shutdown script
dnsleaktest.com shows I'm still using my ISP's DNS servers
Currently on LineageOS 14.1

@J316
comment out the lines in 99dnscrypt.sh

if ! wait_for_daemon _wfd_call; then
log_error_msg "the resolvers file couldn't be uploaded?"
set_prop "dnscrypt-resolvers" ""
return 10
fi

instead add sleep 5 #or 10

UPD
check the rules for iptables in the file / system / etc / dnscrypt-proxy / init-functions
you can change them like this
$IPTABLES -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
$IPTABLES -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT

I do not use the ipv6 protocol. Add the appropriate rules for it or block in afwall.

@uzen still using ISP's servers

@J316
what's your afwall setup?
preferences - binaries - dns proxy should be disable dns via netd
build in iptables/busybox (latest ie from fdroid store)
maybe a logcat can help too...
deleting cache and checking dnsleaktest.com could help too

I am testing 2.0.17 original version of dnscrypt proxy with 5 static servers and its working atm pretty well also after shutdown and recharging.

@HI54U "Allow selected" mode (only system stuff allowed are ntp, tethering and vpn)
iptables binary - auto, built-in busybox, DNS proxy - auto, App version 2.9.9

@J316
I had issues with Afwall+ 2.9.9 and I am using 2.9.8 and the final Beta of V3.0
Did you tried recommend Afwall settings above?
WiFi an Mobile connection - same result?
maybe also different settings in toml or afwall script which are not compatible with your mobile settings or Router settings.
Good luck!

@HI54U what are the recommended settings? (I also tried these commands in terminal, it didn't work)

@uzen I tried it, there was no DNS resolution, IPs still worked, then thinkered a bit in AFWall+ and DNS resolved through ISP servers, don't recall what I did, anyway DNSCrypt was not working

Afwall+ try 2.98 or actual beta 3.0 from github
preferences - binaries - dns proxy should be disable dns via netd
-> build in iptables and busybox

@HI54U @uzen I managed to get it to work. Just disabling DNS via netd made blocked the DNS resolution,I had to allow (root) - Apps running as root to make DNS resolution possible. I also tried to revert DNS via netd to auto and even to allow it, and the resolution was still working, I don't know why, perhaps some internal caching. Anyway it works on AFWall+ 2.99 with installer 1.2.2. Thanks a lot for the help

updated the script https://github.com/uzen/dnscrypt-android/releases/tag/1.3

  • dnscrypt shows more information if something goes wrong
  • no binding to the file name for the -r flag

As far as I can figure out, no one has yet written an Android app that makes using dnscrypt-proxy easy for everybody.

Well, I'm writing on behalf of the Blokada team: we are studying how to add support for DNSCrypt protocol into Blokada, and integrating dnscrypt-proxy directly into the app seems a really nice idea. Would you care discussing it further? Don't know which channel is more appropriate, so I just write here to let the ball start rolling!

Antonio

@ant9000 Integration would be nice.

I've used it (old version bufore the Rust rewrite) as a separate app with local VPN DNS redirection via NetGuard ( https://github.com/smarek/android-unbound-dns/issues/18 ) with some success. ;)

@jedisct1 - dnscrypt-proxy- android arm64-2.0.19.zip is not listed. Is there a reason why? I would like to use the latest update on my phone. I am running ArrowOS 9.0 64 bit ROM on Moto G4 XT1625.

For some reason, Github wasn't able to store that file. Everything has been reuploaded, and the file is there.

where can i download latest flashable zip or apk? is there any gui or terminal?

Worked fine for me (Android 8.1), starting up fine with the system boot. the only other problem is how to allow uid 0 apps only to connect to dnscrypt servers. Custom script does not work.

How do you run the dnscrypt proxy permanently? Already compiled it but still struggle with script that run on start up using magisk still didn't work. And after a while the dnscrypt proxy seems to stop or something, the internet immediately not receiving data after a long idle.

@uzen Flashed your script with success on Pie and using Afwall+ 3.0.3+custom start-stop scripts.
Can i safely update System/xbin/dnscryp-proxy with version 2.0.19?
or wait for you to update your zip?

Android arm64 v2.0.19 (with linker /system/lib/linker64) works perfect on Pie.

@jedisct1 version2.0.28 working fine as magisk module.
Could you pls add option for primary, secondary, tertiary fallback_resolver & netprobe_address?

The magisk module is unavailable. Magisk apparently moved it into the module grave (though I cannot find any reason)

I hv the 2.0.28 working fine on my local repo.

https://github.com/lindroidux/dnscrypt-proxy2-android.

For note: DNSCrypt is available in InviZible - https://github.com/Gedsh/InviZible (it's something like combiner with dnscrypt-proxy, tor and i2pd on board).
Requires root on device to start.
(idk why @Gedsh still doesn't write here about app ;) )

why @Gedsh still doesn't write here about app

I think there may be some difficulties without a good manual in English. But I still will not find time to write it.

I'm not an Android user, but that new app looks pretty interesting:

https://github.com/Gedsh/InviZible

@jedisct1
trying to build for android-9 aarch64
ndk20, go1.13.3

mkdir dnscrypt-proxy-src
cd dnscrypt-proxy-src
git clone https://github.com/DNSCrypt/dnscrypt-proxy.git src
$env:GOPATH=$PWD
$env:GOOS='android'
$env:GOARCH='arm64'
$NDK="c:/Users/Pasha/AppData/Local/Android/Sdk/ndk-bundle"
$env:Path += ";$NDK/toolchains/llvm/prebuilt/windows-x86_64/bin"
$env:CC="clang.exe --target=aarch64-linux-android28 -fno-addrsig"
$env:CCX="clang++.exe --target=aarch64-linux-android28 -fno-addrsig"
$env:CGO_ENABLED=1
cd src/dnscrypt-proxy
go clean
go build -ldflags="-s -w" -o $env:GOPATH/android-arm64/dnscrypt-proxy

error:

# net
c:\go\src\net\cgo_android.go:9:10: fatal error: 'netdb.h' file not found
#include <netdb.h>
         ^~~~~~~~~
1 error generated.

netdb.h is in
c:/Users/Pasha/AppData/Local/Android/Sdk/ndk-bundle/sysroot/usr/include
introduced
$env:CGO_CFLAGS="-I/c:/Users/Pasha/AppData/Local/Android/Sdk/ndk-bundle/sysroot/usr/include" - did not work

You can simply download a precompiled binary :)

The one for android/aarch64 is compiled with the following command-ilne:

env CC=aarch64-linux-android-clang CXX=aarch64-linux-android-clang++ \
CGO_ENABLED=1 GOOS=android GOARCH=arm64 go build -mod vendor -ldflags="-s -w"

@jedisct1
without creating a standalone toolchain, it worked like this:
Windows10, NDK from android studio 3.5.1, Go 1.13.3

mkdir dnscrypt-proxy-src
cd dnscrypt-proxy-src
git clone https://github.com/DNSCrypt/dnscrypt-proxy.git src
$env:GOPATH=$PWD
$env:GOOS='android'
$env:GOARCH='arm64'
$NDK="c:\Users\Pasha\AppData\Local\Android\Sdk\ndk-bundle"
$env:Path += ";$NDK/toolchains/llvm/prebuilt/windows-x86_64/bin"
$env:CCX="$NDK/toolchains/llvm/prebuilt/windows-x86_64/bin/aarch64-linux-android28-clang++"
$env:CC="$NDK/toolchains/llvm/prebuilt/windows-x86_64/bin/aarch64-linux-android28-clang"
$env:CGO_ENABLED=1
cd src/dnscrypt-proxy
go clean
go build -ldflags="-s -w" -o $env:GOPATH/android-arm64/dnscrypt-proxy
gci $env:GOPATH/src/dnscrypt-proxy/example-* | cp -dest $env:GOPATH/android-arm64

android-arm64.zip

I'm not an Android user, but that new app looks pretty interesting:

https://github.com/Gedsh/InviZible

Thanks for the feedback. I have added precompiled apps for the new beta version. So everyone can easily use it now with a rooted device.

I added a wiki for the InviZible project. DNSCrypt can be used with both a rooted and non-rooted device now. Who is interested, visit the wiki for details.

Is there any way to setup DNSCrypt without root privs on Android without 3rd party nonsense like InviZible or DNS Manager? I only see working root variants of installation, never seen proper user-level setup.

Build whole system yourself and integrate dnscrypt-proxy.

DNS resolver is hardcoded in /system/etc/resolve.conf to 8.8.8.8 and 8.8.4.4.

Okay, workaround was easier than I thought.
Due to the fact all storages (both external and emulated) are mounted with noexec the only way to execute raw binary is copy it into /data/local/tmp. Then you can run it normally and point out config somewhere on SDcard/whatever.
Make sure to choose port above 1024 since no root privs available.
Then setup DNS-query redirects via https://www.zenz-solutions.de/personaldnsfilter/

The worst part about this setup is that you need something to run the SH script on boot or app autostart since /tmp/ is cleared each reboot (something else as well might clear it during runtime). It should not be too hard to write a wrapper for dnscrypt much like personalDNSfilter does but I'm not too arsed.

Alternatively, you can run it as Termux widget.

First of all thanks again to the Team of DnsCrypt for your hard work!!!
I am using a LOS version Android 7.12 with actual security updates, rooted with AfWall+.
There's still an issue that I am not getting solved. I am not able to get a fallback resolver working with actual version 42. I always need to manual set a direct dns server adress directly in Afwall+ (i.e. 9.9.9.9). It's working in Version 22 without issues ( because of maybe a bug which was corrected in 23).

Debug V42:
[2020-04-19 08:04:34] [NOTICE] dnscrypt-proxy 2.0.42
[2020-04-19 08:04:34] [NOTICE] Network not available yet -- waiting...
[2020-04-19 08:04:50] [NOTICE] Network connectivity detected
[2020-04-19 08:04:50] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolvers over tcp
[2020-04-19 08:04:50] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-04-19 08:04:50] [ERROR] Unable to resolve [raw.githubusercontent.com] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-04-19 08:04:50] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolvers over tcp
[2020-04-19 08:04:50] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-04-19 08:04:50] [ERROR] Unable to resolve [download.dnscrypt.info] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-04-19 08:04:50] [FATAL] lookup download.dnscrypt.info: No address associated with hostname

After I set manual a dns adress (i.e. 9.9.9.9) it's working
[2020-04-19 08:07:55] [NOTICE] dnscrypt-proxy 2.0.42
[2020-04-19 08:07:55] [NOTICE] Network not available yet -- waiting...
[2020-04-19 08:08:12] [NOTICE] Network connectivity detected
[2020-04-19 08:08:15] [NOTICE] Source [public-resolvers] loaded
[2020-04-19 08:08:16] [NOTICE] Source [relays] loaded
...
And then switching back to 127.0.0.1 in Afwall+

With old version 22 there aren't any problems with the resolver. There's critical message but the sources are still downloading. What is the difference concerning this issue between those versions?

DebugV22:
[2020-04-19 07:57:27] [NOTICE] Network not available yet -- waiting...
[2020-04-19 07:57:47] [NOTICE] Network connectivity detected
[2020-04-19 07:57:47] [CRITICAL] Unable to use source [public-resolvers]: [read udp 10.xxx.xxx.xx:xxx->9.9.9.9:53: read: connection refused]
[2020-04-19 07:57:47] [NOTICE] dnscrypt-proxy 2.0.22
[2020-04-19 07:57:47] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2020-04-19 07:57:47] [NOTICE] Now listening to 127.0.0.1:53 [TCP]

I tried a lot of different settings in the setup:

Port 53 - The listening address in Linux is fixed to this Port 53. Fallback server needs also to be Port53? Tried different Ports without success / Netprobe can be a different Port

I thought that it's maybe the "Filters"
block_unqualified = false/true
block_undelegated = false/true
-> Tried both alternatives without success

Setting a manual DNS with a resolv.conf to system/etc and system/etc/initd -> without success
getprop net.dns1
127.0.0.1
getprop net.dns2
empty

My DnsCrypt-settings are:
server_names = ['....','....']
listen_addresses = ['127.0.0.1:53']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = false
require_dnssec = true
require_nolog = true
require_nofilter = true
disabled_server_names = []
force_tcp = false
timeout = 4500
keepalive = 30
cert_refresh_delay = 240
ignore_system_dns = true
fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
netprobe_timeout = 60
etprobe_address = '9.9.9.9:53'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = true(false)
block_unqualified = false (true)
block_undelegated = false (true)

Afwall settings:
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53

DnsCrypt is stored in /data/local/dnscrypt-proxy and will be started with a script
./dnscrypt-proxy

Is there something I setup wrong.
How do I get the fallback server properly working in the actual version without manual intervention???

The afwall script should be
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
The fallback resolver 9.9.9.9 is not reachable from certain place, try changing to 1.1.1.1

The afwall script should be
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
The fallback resolver 9.9.9.9 is not reachable from certain place, try changing to 1.1.1.1
Thank you! Exactly, it's working now as it should be :)

How can I force running DNSCrypt to re-read blacklist (or config) on Android? Is the a signal I can send to it, because "service" functionality wont work (I'm running it through init.rc as custom service)

Restart init service:
setprop ctl.restart <service_name>

but the dnscrypt binary itself is now gonna send quires through VPN as well

VPN filtering occurs on per UID basis. Run dnscrypt with non-root UID and filter that using iptables -m owner. See https://github.com/DNSCrypt/dnscrypt-proxy/issues/866#issue-460738233 and https://android.stackexchange.com/a/207647/218526

how would I make a generic rule that targets every VPN interface + cover both mobile/wifi ?

May be I'm not getting what you want to achieve. You need to handle UIDs, not interfaces (unless you want to do something specifically to interfaces). It covers all possible cases including WiFi, Mobile Data and VPN with any of the both.

That's gotta be routing, I cant just use iptabels here?

Routing on Android is far more complex than on an ordinary Linux PC. With VPN, it becomes even more complicated. There are UID ranges and SOcket_MARKs involved. With network events netd keeps on creating and destroying routing tables and RPDB rules. main table is not used at all.
So you don't need to indulge in this whole mess without any purpose. NetFilter (iptables) comes on top of VPN (TUN interfaces) in OSI model. So former is never bypassed whether you are using VPN or not. Updating iptables rules on network events is simpler (just add custom AFWall+ script) than updating routing tables and policies. And you are already using iptables for NATing DNS queries. So there's no need to manipulate routing.

nslookup and dig both return responses from 8.8.8.8 which defeats the point of having DNScrypt _if it can be so easily bypassed_

Don't say ever to Linus Torvalds that nslookup and dig are bypassing iptables NAT. He may get really upset

Is there any easy way to run dnscrypt with an unique UID? Are there plans to realize this from an update of dnscrypt-android itself?
https://github.com/DNSCrypt/dnscrypt-proxy/issues/41#issuecomment-631275865
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1149#issuecomment-574331140
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1149#issuecomment-574346166

Is there any easy way to run dnscrypt with an unique UID? Are there plans to realize this from an update of dnscrypt-android itself?
#41 (comment)

The link in the comment you mentioned explains in very detail how to run dnscrypt as init service with any non-root UID, dropped Linux capabilities and restricted SELinux context: https://android.stackexchange.com/a/207647/218526. It works, I've been using it since long. However one may not find it easy.

Is there any easy way to run dnscrypt with an unique UID? Are there plans to realize this from an update of dnscrypt-android itself?
#41 (comment)

The link in the comment you mentioned explains in very detail how to run dnscrypt as init service with any non-root UID, dropped Linux capabilities and restricted SELinux context: https://android.stackexchange.com/a/207647/218526. It works, I've been using it since long. However one may not find it _easy_.

It should be noted that the directions for adding a sepolicy mentioned above require Magisk. It would be nicer if the directions above did not require Magisk. Magisk is overwriting "neverallow" sepolicy.

It should be noted that the directions for adding a sepolicy mentioned above require Magisk. It would be nicer if the directions above did not require Magisk. Magisk is overwriting "neverallow" sepolicy.

I just used Magisk's supolicy tool (in step 4 here) to inject my own custom context (named u:r:dns_crypt:s0) to SELinux policy. Using supolicy or magiskpolicy tool doesn't require rooting the device. You can patch SELinux policy file on PC too. Another similar (but less efficient) tool is sepolicy-inject. And another helpful resource is How to manually root a phone?. But rooting the device is not required at all to run dnscrypt-proxy as init service. iptables redirection of port 53 may also be controlled from within init's .rc file, though with some complexity (to handle changes on network events).

Don't get me wrong. It's an impressive tutorial which I tried before, but could only get it to work in setting SELinux permissive on boot by adding a line temporarily to dnscrypt-proxy.rc.

I am hanging atm in step 4 of you tutorial
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

That seems to work for me
supolicy --live 'create dns_crypt' # create new context
supolicy --live 'allow init dns_crypt process *' # let init handle the service
supolicy --live 'allow dns_crypt dns_crypt * *' # allow mutual love
supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'
supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'
supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

output: "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file.
I set /sys/fs/selinux/policy from permission 444 to 666

supolicy --save /sys/fs/selinux/policy
output:
Load policy from: /sys/fs/selinux/policy
* write failed with 22: Invalid argument *

Would be great to get this working :)

You can patch SELinux policy file on PC too.

The whole process does not sound pleasant

The whole process does not sound pleasant

Yes, if you want to go the hard way, following something proposed 4 years back. What I proposed recently in How to manually root a phone? goes like this:

  • Download latest magiskinit (static) binary for x86 from here: https://github.com/topjohnwu/Magisk/releases
  • Create a symlink supolicy to magiskinit.
  • Copy loaded policy /sys/fs/selinux/policy or policy file /sepolicy or wherever it is on your phone to PC.
  • Run
    supolicy --load policy --save policy.patched 'create my_custom_context' 'allow my_custom_context ...' 'allow ...' 'allow ...'
    and so on.
  • Put policy.patched file back to your phone where it's supposed to be loaded on boot.

Also what has been written in your linked answer isn't applicable (at least fully) today. Android's SELinux implementation is very near to mainline Linux kernel now. And all tools designed for the latter also work on Android. I use sesearch regularly on my phone. So please learn and take things practically, don't suppose theoratically.

open: /etc/selinux/sepolicy failed with 30: Read-only file system

Why are you patching /etc/selinux/sepolicy? Patch loaded policy file /sys/fs/selinux/policy using supolicy --live ... statements.

Step 4 I did in an adb shell
supolicy --live 'create dns_crypt'
supolicy --live 'allow init dns_crypt process *'
supolicy --live 'allow dns_crypt dns_crypt * *'

supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'

supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'

supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

got after every rule "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
* write failed with 22: Invalid argument *

added to dnscrypt-proxy.rc

enforcing custom SELinux policy loading after reboot

on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/load_policy /sys/fs/selinux/policy
start dnscrypt-proxy

After a reboot it works like before, but now I have a separate UID 999 for Dnscrypt and disabled Apps as root (0) permission and got Internet Access.

But :)
Is this normal that I got this write failed & "Load policy from: /sys/fs/selinux/policy"?
What can I do to verify that the custom rules are written to the policy rules?

So if I can't patch it "live" with supolicy in Android system I need to patch it with magiskinit from PC

Android supolicy errors
supolicy --live 'create dns_crypt'
Load policy from: /sys/fs/selinux/policy
Error in: create dns_crypt

supolicy --live 'allow init dns_crypt process *'
Load policy from: /sys/fs/selinux/policy

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
write failed with 22: Invalid argument

Followed the description here for patchin supolicy on PC (Linux)
https://github.com/DNSCrypt/dnscrypt-proxy/issues/41#issuecomment-642457972

but

supolicy --load policy --save policy.patched 'create dns_crypt'
Load policy from: policy
Error in: create dns_crypt

supolicy --load policy --save policy.patched 'create dns_crypt' 'allow init dns_crypt process *' 'allow dns_crypt dns_crypt * *' 'allow dns_crypt system_file dir { read open }' 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }' 'allow dns_crypt node tcp_socket { node_bind }' 'allow dns_crypt node udp_socket { node_bind }' 'allow dns_crypt port tcp_socket { name_bind name_connect }' 'allow dns_crypt port udp_socket { name_bind }' 'allow dns_crypt proc_net file { open read }' 'allow dns_crypt proc_stat file { read }' 'allow dns_crypt properties_device dir { read }' 'allow dns_crypt devpts chr_file { open read write }'

Load policy from: policy
target type dns_crypt does not exist
Error in: allow init dns_crypt process (null)
source type dns_crypt does not exist

Can someone please help to patch policy.

It seems that's not a policy problem, because if I run dnscrypt in permissive mode by adding in the rc-script there's no difference. I've got Internet access, but not through dnscrypt-proxy.

AfWall grant access through UID999 (custom script):
iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT

rc-script adding:
on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/setenforce 0
start dnscrypt-proxy

  1. Resolver problem
    dnscrypt-proxy -check -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml

[2020-06-20 10:42:54] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 10:42:54] [NOTICE] Network not available yet -- waiting...
[2020-06-20 10:43:26] [NOTICE] Network connectivity detected
[2020-06-20 10:43:26] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolvers over tcp
[2020-06-20 10:43:27] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:27] [ERROR] Unable to resolve [raw.githubusercontent.com] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:27] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolvers over tcp
[2020-06-20 10:43:28] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:28] [ERROR] Unable to resolve [download.dnscrypt.info] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:28] [FATAL] lookup download.dnscrypt.info: No address associated with hostname
Setting up different resolvers doesn't solve it.

I copied the files manual to the /system/etc/dnscrypt-proxy directory and dnscrypt is running as a service

[2020-06-20 11:21:15] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 11:21:15] [NOTICE] Network connectivity detected
[2020-06-20 11:21:15] [NOTICE] Source [public-resolvers] loaded
[2020-06-20 11:21:15] [NOTICE] Source [relays] loaded
[2020-06-20 11:21:15] [NOTICE] Anonymized DNS: routing everything via [anon-]
[2020-06-20 11:21:15] [NOTICE] Configuration successfully checked

  1. AfWall
    custom script: iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT
    Internet access to root apps (0) off

I got Internet access, but not through dnscrypt-proxy. How should I configure AfWall and dnscrypt to get the Internet access through dnscrypt again and that's the resolver can update the files properly.

@mirfatif
Can you elaborate on how to make dnscrypt bypass VPN using iptables/AFWall+? I dont understand what is to target besides the userid, like, VPN, when established, does not add any special rules. I can target dncrypt owner id but what for?

There is an issue with DNSCrypt not letting phone to go to sleep and as far as I know you can't solve with any exiting methods, it has to be implemented on the application side.

AFWall+ anti-leaking boot script - Fallback resolver stuck (HELP NEEDED)

Probably you know about anti-leaking script that AFWall+ can put into startup directory and make the OS booting much safer.
This is realy effective thing, but main disadvantage is a breakage of the Fallback resolver. As soon as the script located inside the startup directory for the scripts, then fallback resolver is unable to resolve [raw.githubusercontent.com], [download.dnscrypt.info] and other errors like "write: operation not permitted".

I have tried some workarounds like granting the access through the extra IPTABLES rules (additional script), but they didn't work for me. It would be nice to find a way making this script working in conjunction with the dnscrypt-proxy.

AFWall+ v3.4.0 - Anti-leaking boot script

#!/system/bin/sh

export PATH=/system/bin

if [ -e /data/data/dev.ukanth.ufirewall/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall"
elif [ -e /data/data/dev.ukanth.ufirewall.donate/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall.donate"
else
  log -p i -t afwall "AFWall does not seem to be installed, waited for $((endDt-startDt)) seconds."
  exit
fi

doit() {
  for i in "$@"
  do
    if [ -x "$i" ]
    then
      "$i" -w -P INPUT DROP
      "$i" -w -P OUTPUT DROP
      "$i" -w -P FORWARD DROP
      return
    fi
  done
}

doit /system/bin/iptables /data/data/$path/app_bin/iptables
doit /system/bin/ip6tables /data/data/$path/app_bin/ip6tables
log -p i -t afwall "IPv4/6 policy set to DROP"

P.S. Interensting fact (over the years): if I have any kind of troubles with Fallback resolver, manual launching dnscrypt-proxy using adb always works... It would be nice to have the equal reliability by default...


I need your help, freinds.
May be correct IPTABLES allow rules (new script)? Or may be some edits just inside the AFWall+ anti-leaking script?

Before I can configure it (I had dnscrypt-proxy v1 running with custom init/config scripts just fine on my OnePlus), I need to have it built / build it for Android ARM7. My current toolchain is deprecated (OSX & go is depreicated), and I cannot build it in a VM for the same reason. Can someone please build for Android ARM7 and post? Thanks.

@tehcog - for Arm7, would the alpine build work?
Latest stable has 2.0.42. https://uk.alpinelinux.org/alpine/latest-stable/community/armv7/
Edge has 2.0.44 https://uk.alpinelinux.org/alpine/edge/community/armv7/
APKs should just untar. armhf is available there too.

Hey,

I try to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0)
Details about my installation and config can be found from https://github.com/DNSCrypt/dnscrypt-proxy/issues/1563.

_dnscrypt-proxy_ user in inet group with <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect as seen from log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

Use dmesg and see where selinux restricts it, then add exception to policy or permission? Though, if you are wrapping dnscrypt binaries into your own user-app you must understand what it only will wrap user-queries (that go through user-defined VPN, since this is the only way you can route them that way), all system queries and built-in google spyware will go through whatever is currently defined and used by the system.

Hey,

I try to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0)
Details about my installation and config can be found from #1563.

_dnscrypt-proxy_ user in inet group with <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect as seen from log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

The binary need to have cap_net_raw+ep capability for an unprivileged user to be able to run it. Now it works just fine.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

EstherMoellman picture EstherMoellman  ·  4Comments

EstherMoellman picture EstherMoellman  ·  5Comments

jedisct1 picture jedisct1  ·  4Comments

jos1264 picture jos1264  ·  4Comments

Ambitious-Dreamer picture Ambitious-Dreamer  ·  4Comments