This page describes how to install and configure dnscrypt on Artix. For more information refer to the dnscrypt-proxy article on the ArchWiki.
Install the dnscrypt-proxy-<init> package for your respective init system. dnscrypt-proxy will be installed as a dependency. For example:
# pacman -S dnscrypt-proxy-openrc
In order to start or enable the dnscrypt service, refer to the appropriate wiki article for the init system in use.
Run the following command in order to allow dnscrypt-proxy to bind to port 53:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)
That's all you have to do. The service should start normally now.
Since dnscrypt-proxy is running as the dnscrypt user, polkit prevents it from binding to a port that is below 1024.
The workaround is to start the service as root. In order to do that, change the following line in /etc/conf.d/dnscrypt-proxy from
#DNSCRYPT_USER="dnscrypt"
to
DNSCRYPT_USER="root"
In order to reduce the security risk of running as root, dnscrypt needs to be configured to drop privileges at startup. This can be done by uncommenting the following line in /etc/dnscrypt-proxy/dnscrypt-proxy.toml:
# user_name = 'nobody'
This will cause dnscrypt to partially drop permissions after starting up, as explained in the config file:
Two processes will be running. The first one will keep root privileges, but is only a supervisor, that does nothing except create the sockets, manage the service, and restart it if it crashes. The second process is the service itself, and that one will always run as a different user.
A negative side effect is the loss of write access to the logfile (/var/log/dnscrypt-proxy/dnscrypt-proxy.log) and thus a de facto loss of logging functionality.
This can be mitigated by using a system logger (e.g. syslog-ng). To do so, modify /etc/dnscrypt-proxy/dnscrypt-proxy.toml to include the following option:
use_syslog = true
Make sure that you have a logger installed and added to the default runlevel.
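The following check is an added example, not part of the original page or of the dnscrypt-proxy package: it reads the two files edited above and reports whether a service started as root also drops privileges (user_name) and logs through syslog (use_syslog). The function names conf_value and audit_dnscrypt are hypothetical, and the sample files at the end are constructed.

```shell
#!/bin/sh
# conf_value FILE KEY: print the value of the last uncommented "KEY = value" line,
# without surrounding quotes or a trailing comment. Prints nothing if KEY is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# audit_dnscrypt CONFD_FILE TOML_FILE
# Returns 0 if the setup is consistent, 1 if root is used without a privilege
# drop, 2 if only logging is affected.
audit_dnscrypt() {
    run_as=$(conf_value "$1" DNSCRYPT_USER)
    if [ "$run_as" != "root" ]; then
        echo "OK: service is not started as root"
        return 0
    fi
    rc=0
    drop_to=$(conf_value "$2" user_name)
    if [ -z "$drop_to" ] || [ "$drop_to" = "root" ]; then
        echo "FAIL: started as root, but user_name is not set to an unprivileged user"
        rc=1
    fi
    if [ "$(conf_value "$2" use_syslog)" != "true" ]; then
        echo "WARN: use_syslog is not true; the unprivileged process cannot write the logfile"
        [ "$rc" -ne 0 ] || rc=2
    fi
    [ "$rc" -ne 0 ] || echo "OK: root supervisor drops to '$drop_to' and logs via syslog"
    return "$rc"
}

# Constructed sample: DNSCRYPT_USER switched to root, TOML left with user_name commented out.
tmp=$(mktemp -d)
printf 'DNSCRYPT_USER="root"\n' > "$tmp/conf.d"
printf "# user_name = 'nobody'\n" > "$tmp/toml"
audit_dnscrypt "$tmp/conf.d" "$tmp/toml" || echo "exit status: $?"
rm -rf "$tmp"
```

On a real system, pass /etc/conf.d/dnscrypt-proxy and /etc/dnscrypt-proxy/dnscrypt-proxy.toml as the two arguments.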