Thomas Aldrian

Sometimes writes good code.

DNSCrypt + Dnsmasq setup with Waydroid

1 minute read

Preamble

I’ll skip the usual shite about why you really should be using one of DNSCrypt, DoT or DoH nowadays. Okay, maybe not that last one if it can be avoided.

So, here’s my very quick guide / reference to getting DNSCrypt and dnsmasq working. This has been tested with waydroid, which is especially relevant because waydroid runs its own dnsmasq instance, which can sometimes fail to start when another instance is already running.

The guide

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

server_names = ['cloudflare']
listen_addresses = ['127.0.0.53:53000']

Edit server_names as you wish, or leave it commented and adjust the require_* configuration values as desired. If you use the same loopback address as dnsmasq will use, make sure to change the port to something non-standard.

/etc/dnsmasq.conf

no-resolv
server=127.0.0.53#53000
listen-address=127.0.0.53
bind-interfaces

Getting dnsmasq: failed to create listening socket for 192.168.250.1: Address already in use errors in waydroid log? You probably forgot to enable bind-interfaces. It prevents dnsmasq from binding to the loopback interface, which would interfere with waydroid.

To optionally (though it’s strongly recommended) enable DNSSEC, uncomment the following two lines:

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Remember to apk add dnsmasq-dnssec (or your system’s equivalent)!

/etc/resolv.conf

nameserver 127.0.0.53
options edns0

Many things will break if you try and specify a non standard (53) port in resolv.conf. So don’t. Dnsmasq should be configured to use port 53 by default. However, you can use a different localhost address as I’ve done here. Just remember to update dnsmasq.conf

/etc/NetworkManager/conf.d/00-dns.conf

[main]
dns=none

This prevents NetworkManager from overwriting resolv.conf with the DNS server provided by DHCP, as it would usually. This will not automatically edit existing networks, so you may have to delete and re-add connections, or just update the DNS field to blank and checking Automatic DNS.

Comments

You May Also Enjoy