This page describes how to install and use dnscrypt on Artix Linux. For more information, refer to Dnscrypt-proxy on the ArchWiki.


Installation

Install the dnscrypt-proxy-openrc package. dnscrypt-proxy will be installed as a dependency.

 # pacman -S dnscrypt-proxy-openrc

Troubleshooting

[FATAL] listen udp 127.0.0.1:53: bind: permission denied

Since dnscrypt-proxy is running as user dnscrypt, polkit settings prevent it from binding to a port that is below 1024. The workaround is to edit /etc/conf.d/dnscrypt-proxy to start the service as root. Change file contents from

 #DNSCRYPT_OPTS="--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"
 #DNSCRYPT_USER="dnscrypt"
 #DNSCRYPT_GROUP="dnscrypt"

to:

 #DNSCRYPT_OPTS="--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"
 DNSCRYPT_USER="root"
 #DNSCRYPT_GROUP="dnscrypt"

Now, to mitigate the security risk of running dnscrypt as root, we will ask dnscrypt to drop privileges upon startup. This can be done by editing /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Find a line that says

 # user_name = 'nobody'

and uncomment it. This will cause dnscrypt to partially drop permissions after starting up, as explained in the config file:

 Two processes will be running. The first one will keep root privileges, but is only a supervisor, that does nothing except create the sockets, manage the service, and restart it if it crashes. The second process is the service itself, and that one will always run as a different user.

To start dnscrypt run:

 # rc-service dnscrypt-proxy start

To enable it on system startup, add dnscrypt-proxy to the default runlevel:

 # rc-update add dnscrypt-proxy default

A negative side effect is the loss of write access to the log file /var/log/dnscrypt-proxy/dnscrypt-proxy.log, and thus a de facto loss of logging functionality. This can be mitigated by using syslog-ng. To do so, edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml to include the following option:

 use_syslog = true

Make sure that you have a logger installed and added to your default runlevel.
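
To confirm that the privilege drop and syslog settings described above actually took effect, the following script checks the TOML file and the running processes. It is an added example, not part of the original page or of dnscrypt-proxy itself; the function names check_config and check_processes are hypothetical, and it assumes both processes appear in ps under the command name dnscrypt-proxy.

```sh
#!/bin/sh
# Added example: audit the privilege-drop setup described on this page.

# check_config TOML
# Returns 0 only if user_name is uncommented and not root, and
# use_syslog = true is set. Prints one line per finding.
check_config() {
    toml=$1 rc=0
    user=$(sed -n "s/^[[:space:]]*user_name[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$toml" | head -n 1)
    if [ -z "$user" ]; then
        echo "FAIL: user_name is commented out or missing; the service keeps root"; rc=1
    elif [ "$user" = "root" ]; then
        echo "FAIL: user_name = 'root' drops nothing"; rc=1
    else
        echo "ok: service process will run as '$user'"
    fi
    if grep -Eq '^[[:space:]]*use_syslog[[:space:]]*=[[:space:]]*true' "$toml"; then
        echo "ok: use_syslog = true"
    else
        echo "FAIL: use_syslog is not true; the unprivileged process cannot write the log file"; rc=1
    fi
    return $rc
}

# check_processes
# Reads "USER COMMAND" lines (as printed by: ps -eo user=,comm=) on stdin.
# Succeeds only if there is a root supervisor AND at least one
# dnscrypt-proxy process running as some other user.
check_processes() {
    awk '$2 == "dnscrypt-proxy" { if ($1 == "root") r++; else n++ }
         END { printf "root=%d unprivileged=%d\n", r, n
               exit !(r >= 1 && n >= 1) }'
}

# Inspect the live system only when called with the argument "live".
if [ "${1:-}" = "live" ]; then
    check_config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    ps -eo user=,comm= | check_processes
fi
```

Run it with the argument live after starting the service; an output of root=1 unprivileged=0 means the service process is still running as root.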