{"id":13558720,"url":"https://github.com/GortCodex/DNSCrypt-Loader","last_synced_at":"2025-04-03T13:31:55.215Z","repository":{"id":56270081,"uuid":"47560499","full_name":"GortCodex/DNSCrypt-Loader","owner":"GortCodex","description":"A flexible and customizable bash script to manage DNSCrypt-proxy","archived":false,"fork":false,"pushed_at":"2020-11-17T14:35:53.000Z","size":656,"stargazers_count":111,"open_issues_count":3,"forks_count":24,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-11-04T09:37:34.186Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GortCodex.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-12-07T15:25:14.000Z","updated_at":"2024-09-15T12:36:15.000Z","dependencies_parsed_at":"2022-08-15T15:50:12.710Z","dependency_job_id":null,"html_url":"https://github.com/GortCodex/DNSCrypt-Loader","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GortCodex%2FDNSCrypt-Loader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GortCodex%2FDNSCrypt-Loader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GortCodex%2FDNSCrypt-Loader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GortCodex%2FDNSCrypt-Loader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GortCodex","download_url":"https://codeload.github.com/GortCodex/DNSCrypt-Loader/tar.gz/refs/heads/master","host":{"name":"G
itHub","url":"https://github.com","kind":"github","repositories_count":247009695,"owners_count":20868592,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:05:07.168Z","updated_at":"2025-04-03T13:31:54.830Z","avatar_url":"https://github.com/GortCodex.png","language":"Shell","funding_links":[],"categories":["Shell","others"],"sub_categories":[],"readme":"- Note: this version is not compatible with dnscrypt-proxy 1.9.4 yet\r\n\r\n# Getting started with DNSCrypt-Loader\r\n\r\nDNSCrypt-loader is a flexible and customizable bash script to manage DNSCrypt-proxy using the command line or a Whiptail GUI.\r\nWhether you are a system administrator or a regular user, this script is a handy way to set up DNSCrypt-proxy on your system.\r\n\r\n## Features\r\n- Has no package dependencies (or almost), to keep it universal and easy to use.\r\n- Runs in text mode, but uses Whiptail/Dialog interface which is pre-installed on most Linux distros.\r\n- Automatic update of resolvers.csv file from official source\r\n- Signature verification of resolvers.csv file using \r\n- n. 
You can enable or disable the resolvers.csv integrity check.\r\n- Automatic parsing of the resolvers.csv file columns used as dnscrypt-proxy daemon execution parameters\r\n- Sets primary and secondary DNS resolver instances.\r\n- Display of resolvers in a `whiptail` menu that can be filtered to show only IPV4, only IPV6 or all resolvers.\r\nAlso, by default it shows only resolvers that do not create DNS query logs, but you can change this behavior if you want.\r\n- Sets a resolver randomly chosen by DNSCrypt-loader, very useful for a cyclical replacement schedule of resolvers using Cron.\r\n- Can use command-line parameters in a task scheduled using Cron or at boot time.\r\n- Start, stop or restart the DNSCrypt-proxy daemon by pressing a key or on the command line.\r\n- Display DNSCrypt-proxy status information such as run time, name and IP of the current resolver, DNS resolution speed.\r\n- Generates information in the system log for debugging.\r\n- Performs DNS leak tests using a third-party site.\r\n- Provides an init script to control DNSCrypt-proxy as a service.\r\n- Script to install and uninstall DNSCrypt-loader resources\r\n- Configurable IP/port instances\r\n- Restores resolvers used in the last DNSCrypt-proxy session\r\n\r\n## Pre-requisites\r\n  \r\nA successful install of DNSCrypt-proxy.\r\n\r\n\r\n**Optional**  \r\nA successful install of Minisign (optional but highly recommended)  \r\nPlease refer to [https://github.com/jedisct1/minisign](https://github.com/jedisct1/minisign) for details.\r\n\r\n**Command dependencies**  \r\n`whiptail` (Pre-installed in most Linux distros)  \r\n`gawk` GNU awk, a pattern scanning and processing language (Pre-installed in most Linux distros)  \r\n\r\n\r\n\r\n## Compatibility\r\nThe scripts were written and tested using CentOS Linux release 7  \r\n and should be compatible with most Linux distributions based on Red Hat.  \r\nThey were also tested successfully on Debian-based distros. 
\r\n\r\n- CentOS, Fedora\r\n- Ubuntu, Mint, Debian, Kali\r\n- openSUSE\r\n\r\nVersions of DNSCrypt-loader for other Linux distros will be available soon.\r\n\r\n## Known issues\r\nScripts that use Whiptail can be difficult to debug because the interface hides some error messages. \r\nFor this reason, despite all the care taken in writing the script, you can get stuck on a screen without being able to cancel the script. \r\nThis may force you to cancel an SSH session or kill the frozen process.  \r\n\r\n\r\n## Install using RPM packages\r\n\r\n[Click here to download rpm packages for CentOS or openSUSE](https://software.opensuse.org/download.html?project=home%3Agortcodex\u0026package=dnscrypt-loader)\r\n\r\nand skip to the `Prepare configurations` topic.  \r\n\r\n![alt text](images/dcp-centos-rpm.png \"centos-rpm\")\r\n\r\n\r\n![alt text](images/dcp-suse-rpm.png \"centos-rpm\")\r\n\r\n\r\n---------\r\n\r\n## Install manually\r\n\r\nBefore installing DNSCrypt-loader, install whiptail (newt package) and the gawk package using your package manager, for example:\r\n\r\n\tyum install -y newt gawk\r\n\r\n\r\n2. **Download and unpack DNSCrypt-loader**  \r\n[https://github.com/GortCodex/DNSCrypt-Loader/releases](https://github.com/GortCodex/DNSCrypt-Loader/releases)\r\n\r\n3. **Run DNSCrypt-loader installer as root**\r\n\r\nOn CentOS and Red Hat based distros\r\n\r\n\t./install-loader-redhat \r\n\r\nOn Ubuntu and Debian based distros \r\n\r\n\tsudo ./install-loader-debian\r\n \r\nOn openSUSE based distros \r\n\r\n\t./install-loader-suse\r\n \r\n![alt text](images/dcp-install.png \"Installer\")\r\n\r\n**Option 1 - Install DNSCrypt-loader**  \r\n\r\nCreates config files in `/etc/dnscrypt-loader/`  \r\nCopies the main script dnscrypt-loader to `/usr/local/sbin/`\r\n\r\n**Option 2 - Enable DNSCrypt-loader at boot time**\r\n\r\nIf you need to load DNSCrypt-proxy at system startup, this option will copy the `dcp-loader` script to `/etc/init.d`.  
\r\n`dcp-loader` is a basic init script to load DNSCrypt-proxy at boot time\r\nthrough DNSCrypt-loader.  \r\nPlease refer to the Using DNSCrypt-loader as service (dcp-loader) topic\r\n\r\n\r\n**Option 3 - Disable DNSCrypt-loader at boot time**\r\n\r\nRemoves the dcp-loader script from `/etc/init.d`  \r\nand disables loading of DNSCrypt-proxy at boot time\r\n\r\n**Option 4 - Uninstall DNSCrypt-loader**\r\n\r\nRemoves all scripts and config files.  \r\nIf DNSCrypt-proxy is running it will not be interrupted.  \r\nTo prevent DNS query errors you need to stop the proxy before uninstalling.\r\n\r\n## Prepare configurations\r\n\r\nBefore you start using dnscrypt-loader you may want to customize the script to meet your needs.  \r\nIf you prefer, leave DNSCrypt-loader with its default settings\r\n\r\n**Edit dnscrypt-loader using your preferred editor**   \r\n\r\n    vi /usr/local/sbin/dnscrypt-loader\r\n\r\nPlease note that after installing dnscrypt-loader you must edit it at  \r\n\r\n\r\n    /usr/local/sbin/dnscrypt-loader\r\n\r\n**What parameters can you modify?**\r\n\r\nAt the beginning of the dnscrypt-loader script locate the ` Start Customizations` block  \r\nand configure it as follows:\r\n\r\n**The user that runs DNSCrypt-proxy**\r\n  \r\nIt is strongly recommended that you replace the root user  \r\nwith an unprivileged user to avoid security problems\r\n\r\n    cChroot=\"root\"\r\n\r\n**IPs and ports used by DNSCrypt-proxy**  \r\n\r\nRespectively, the local IP and port used by DNSCrypt-proxy to act as  \r\nprimary DNS and secondary DNS instances\r\n  \r\n    cPrimaryIP=\"127.0.0.1\"\r\n    cPrimaryPort=\"5553\"\r\n    cSecondaryIP=\"127.0.0.1\"\r\n    cSecondaryPort=\"5554\"\r\n    \r\n    \r\n**Path to DNSCrypt-proxy files**  \r\n\r\nThe contents of the `cProxyBaseDir`, `cCSVBaseDir` and `cSIGBaseDir` parameters\r\nvary according to your distro and/or the dnscrypt-proxy setup used (package, compilation, etc).\r\nIncorrect paths are a common cause of runtime errors.\r\n\r\n \r\nPath to 
DNSCrypt-proxy application:\r\n\r\n    cProxyBaseDir=\"/usr/local/sbin/\"\r\n\r\nPath to resolvers.csv file:\r\n\r\n    cCSVBaseDir=\"/usr/local/share/dnscrypt-proxy/\"\r\n\r\nPath to the Minisign signature file:\r\n\r\n\tcSIGBaseDir=\"/usr/local/share/dnscrypt-proxy/\"\r\n\r\n**Parameters used by DNSCrypt-proxy**  \r\n\r\nIf necessary, you can add or remove additional parameters used by DNSCrypt-proxy in  \r\n\r\n    cOtherParams=\"--ephemeral-keys \"\r\n\r\n**URL to download resolvers.csv**  \r\n\r\nAutomatic resolvers.csv update uses this URL to download it  \r\n\r\n    cCSVURL=\"https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv\"\r\n\r\n**URL to download dnscrypt-resolvers.csv.minisig**  \r\n\r\nAutomatic resolvers.csv signature verification uses this URL to download it  \r\n\r\n    cSIGURL=\"https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig\"\r\n\r\n**URL to copy Public Key used by Minisign**  \r\n\r\nWhen necessary, you can copy the public key from [https://github.com/jedisct1/minisign](https://github.com/jedisct1/minisign)  \r\n\r\n    cSIGKey=\"RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3\"\r\n\r\n**Resolvers privacy level filter**  \r\n\r\nResolvers that keep some level of DNS query logging can be hidden from the menu  \r\nand excluded from the random selection of resolvers.  \r\nSetting the parameter to true will hide these resolvers.  \r\nThis filter can also be changed in the script interface\r\n\r\n    cAnonymousOnly=true\r\n\r\n**IP version filter**  \r\n\r\nResolvers that work with IPV6, IPV4 or both can be filtered to fit your network needs.  
\r\nPossible values for `cIPVersion` are \"ipv4\", \"ipv6\" or \"all\"  \r\nThis filter can also be changed in the script interface  \r\nPlease refer to [https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) for IPV6 support details\r\n\r\n    cIPVersion=\"ipv4\"\r\n\r\n**Resolvers.csv signature check using Minisign**\r\n  \r\nBy default, this setting is disabled to allow you to install and configure Minisign first.  \r\nPlease refer to [https://github.com/jedisct1/minisign](https://github.com/jedisct1/minisign)  \r\nAfter that, you can set `cEnableSignCheck=true` and the integrity check will run properly \r\n\r\n    cEnableSignCheck=false\r\n\r\n**Dig target domain to test DNS resolvers**  \r\n\r\nDNSCrypt-loader uses `dig` to test DNS resolver functionality and performance.  \r\nYou can use any domain you want.  \r\n`cDigTries` is the number of tries to test the domain  \r\n`cDigTime` is the time in seconds per try\r\n\r\n    cDigTarget=\"internic.net\"\r\n    cDigTries=2\r\n    cDigTime=5\r\n    \r\n**Interface type**  \r\n\r\nYou can select either \"whiptail\" or \"dialog\" to customize the interface appearance.  \r\nBoth are pre-installed on most Linux distros\r\n\r\n    cGUI=\"whiptail\"\r\n\r\n# Running DNSCrypt-loader  \r\n\r\n**Run DNSCrypt-loader as root**\r\n\r\n    dnscrypt-loader\r\n\r\n![alt text](images/dcp-tasks.png \"Tasks\")\r\n\r\n**Option 1 - Set primary DNS resolver**  \r\n\r\nSelect the resolver that will act as primary DNS using the local IP and port previously configured.  
\r\nPlease refer to the `What parameters can you modify?` topic\r\n \r\n\r\n**Option 2 - Set secondary DNS resolver**\r\n\r\nSelect the resolver that will act as secondary DNS using the local IP and port previously configured\r\n\r\n![alt text](images/dcp-resolvers.png \"Resolvers\")\r\n\r\n![alt text](images/dcp-run.png \"Run\")\r\n\r\n**Option 3 - Set resolvers randomly**  \r\n\r\nSelect this option if you prefer to let the script randomly choose the resolvers.  \r\nThis option is also available as a command-line parameter, useful to change  \r\nresolvers from time to time using `cron` or during system startup.\r\n\r\n![alt text](images/dcp-random.png \"Random\")\r\n\r\n**Option 4 - Set IP version filter**  \r\n\r\nFilters resolvers by IP version. Select IPV4, IPV6 or all  \r\nThis filter temporarily bypasses the script parameter `cIPVersion`\r\n\r\n![alt text](images/dcp-ipv.png \"IP version\")\r\n\r\n**Option 5 - Set privacy level filter**  \r\n\r\nFilters resolvers by privacy level  \r\nThis filter temporarily bypasses the script parameter `cAnonymousOnly`\r\n\r\n![alt text](images/dcp-priv.png \"Privacy\")\r\n\r\n**Option 6 - DNSCrypt-proxy status**  \r\n\r\nShows information about the DNSCrypt-proxy process\r\n\r\n![alt text](images/dcp-status.png \"Status\")\r\n\r\n**Option 7 - Update resolvers.csv from official source**  \r\n\r\nPerforms download, update and signature check of the resolvers.csv file\r\n\r\n![alt text](images/dcp-updcvs.png \"Update\")\r\n\r\n![alt text](images/dcp-updsig.png \"Update\")\r\n\r\n**Option 8 - Stop DNSCrypt-proxy**  \r\n\r\nStops all instances of DNSCrypt-proxy  \r\nDNS queries will fail for proxy clients\r\n\r\n![alt text](images/dcp-stop.png \"Stop\")\r\n\r\n**Option 9 - Restore previous session**\r\n\r\nTries to reload the last primary and secondary resolvers used by DNSCrypt-proxy\r\n\r\n![alt text](images/dcp-restore.png \"Restore\")\r\n\r\n**The DNSCrypt-proxy process running**\r\n![alt text](images/dcp-htop.png 
\"Leak\")\r\n\r\n**DNSCrypt-loader system log entries**\r\n![alt text](images/dcp-log.png \"Log\")\r\n\r\n## Using command line options\r\nCommand-line options are useful when you want to run DNSCrypt-proxy through DNSCrypt-loader\r\nin a script you created or as a scheduled task using Cron and so on, using as follows:\r\n\r\nShow usage\r\n\r\n    dnscrypt-loader -h\r\n\r\n![alt text](images/dcp-usage.png \"Usage\")\r\n\r\n**Load resolvers**  \r\n\r\nLoads the resolvers selected by user in interactive mode.\r\nIf no resolvers previously selected DNSCrypt-loader will select the resolvers randomly.\r\n\r\n    dnscrypt-loader -d\r\n\r\n**Load resolvers randomly**  \r\n\r\nDoes the same as the \"-d\" option, but uses random resolvers only.\r\n\r\n    dnscrypt-loader -r\r\n\r\n**Change filters**  \r\n\r\nYou can add filter modifiers to the options \"-d\" and \"-r\"  \r\nthe randomizer will restrict the resolvers to these filters. Example:\r\n\r\n    dnscrypt-loader -i ipv4 -l nolog -r \r\n    dnscrypt-loader -i ipv6 -l log -d\r\n    \r\n**Update resolvers.csv**\r\n\r\nPerforms download, update and signature check of the resolvers.csv file\r\n\r\n    dnscrypt-loader -u\r\n\r\n**Minisign Signature check**  \r\n\r\nPerforms integrity check of resolvers.csv file using Minisign\r\n\r\n    dnscrypt-loader -m\r\n\r\n**Status**  \r\n\r\nShow DNSCrypt-proxy instances status\r\n\r\n    dnscrypt-loader -s\r\n\r\n![alt text](images/dcp-statustxt.png \"Status\")\r\n\r\n**Quit DNSCrypt-proxy**  \r\n\r\nStops all instances of DNSCrypt-proxy and preserves information about the resolvers used for further session restore\r\n\r\n    dnscrypt-loader -q\r\n\r\n**Kill DNSCrypt-proxy**  \r\n\r\nStops all instances of DNSCrypt-proxy and clears all information about the resolvers used\r\n\r\n    dnscrypt-loader -k\r\n\r\n  \r\n\r\n**Performs DNS leak test (IPV4)**  \r\nThis function is just a command line bonus. 
It depends on third-party software that can be changed at any time.\r\n\r\nNote: DNS-OARC is not a DNS Leak Test site itself but produces exactly the same results when we observe the DNS servers tested.\r\nThis site was chosen because it is secure and does not use JavaScript, which permits extracting the data directly from the HTML code\r\n\r\nNo magic here. This function extracts the DNS IP addresses detected on the [http://entropy.dns-oarc.net/test](http://entropy.dns-oarc.net/test) test page.\r\nSo you can check whether the DNSCrypt-proxy resolvers you chose are really working.\r\n\r\nBut the most important thing is to verify whether your real IP address is listed.\r\nIf it is, either you are not protected by a VPN or, if you are using DNSCrypt-proxy as a forwarder on a DNS (BIND) server,\r\nthe directive \"forward only;\" must be applied, since this server must forward all requests and should not attempt to resolve requests on its own, bypassing DNSCrypt-proxy.\r\n\r\nObviously, you can use DNS Leak test pages to do the same.  \r\nPlease refer to [https://www.dns-oarc.net/](https://www.dns-oarc.net/) for details\r\n\r\n  \r\n    dnscrypt-loader -x\r\n\r\n![alt text](images/dcp-leak.png \"Leak\")\r\n\r\n## DNSCrypt-loader Configuration files\r\n\r\nDNSCrypt-loader uses two config files located in `/etc/dnscrypt-loader/`\r\nThese files contain the parameters used by the DNSCrypt-proxy instances called primary and secondary DNS resolvers.\r\n    \r\n    dcp-primary.conf\r\n    dcp-secondary.conf\r\n\r\nThe contents of the files are updated on every successful execution of DNSCrypt-proxy, whether the resolvers were selected by the user or randomly loaded by the script.\r\n\r\nDNSCrypt-loader retrieves these parameters when you restore a previous session or during system startup.\r\nOnly well-known DNSCrypt-proxy parameters are read and processed.\r\n\r\n\r\n## Using DNSCrypt-loader with cron\r\n\r\nIn this example we add two entries in crontab, as follows:  \r\n\r\nThe resolvers.csv file will be updated every day at 23:00  \r\nNew resolvers 
will be loaded randomly every day at 13:00\r\n\r\n\r\n    # For details see man 4 crontabs\r\n\r\n    # Example of job definition:\r\n    # .---------------- minute (0 - 59)\r\n    # |  .------------- hour (0 - 23)\r\n    # |  |  .---------- day of month (1 - 31)\r\n    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\r\n    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\r\n    # |  |  |  |  |\r\n    # *  *  *  *  * user-name command to be executed\r\n    0 23 * * * root exec /usr/local/sbin/dnscrypt-loader -u\r\n    0 13 * * * root exec /usr/local/sbin/dnscrypt-loader -r\r\n\r\n\r\n## Using DNSCrypt-loader with BIND DNS server\r\nYou can redirect the DNS requests of a whole network to a BIND DNS server that will act as a forwarder only.  \r\nTo do this, just put the IP/port of the DNSCrypt-proxy instances you set up in DNSCrypt-loader  \r\ninside the BIND `forwarders` clause.  \r\nThen, your DNS clients can point to your BIND server, which forwards their DNS queries.\r\n\r\nAs follows:\r\n\r\n\r\n    options {\r\n     ...\r\n    forward only;\r\n    forwarders {127.0.0.1 port 5553;  127.0.0.1 port 5554;};\r\n     ...\r\n    };\r\n\r\n\r\nA more selective version of this setting is to use the BIND `view` clause for a specific set of DNS clients  \r\nthat will be forwarded through DNSCrypt-proxy. For example:\r\n\r\n\r\n    acl ProxyClients { 192.168.1.0/24;  };\r\n      ...\r\n\r\n    view \"PROXY-NETWORK\" {\r\n    match-clients { ProxyClients; };\r\n    recursion yes;\r\n    forward only;\r\n    forwarders {127.0.0.1 port 5553;  127.0.0.1 port 5554;};\r\n      ...\r\n    };\r\n\r\n\r\nPlease refer to the BIND documentation.\r\n\r\n\r\n\r\n## Using DNSCrypt-loader as service (dcp-loader)\r\n\r\nYou can enable or disable DNSCrypt-loader as a service using the installer; please refer to the Installation topic.  \r\nRemember that the service mode is needed to load DNSCrypt-proxy resolvers at boot time.  
\r\nTo control all details of DNSCrypt-proxy use the dnscrypt-loader script.\r\n  \r\nOnce the service is enabled, depending on your Linux distro, you can control the service as follows:\r\n\r\n**On CentOS and Red Hat based**\r\n\r\n    service dcp-loader start|stop|restart|status  \r\n    or\r\n    systemctl start|stop|restart|status dcploader.service\r\n\r\n\r\n**On Ubuntu and Debian based**\r\n\r\n    sudo service dcp-loader start|stop|restart|status\r\n\r\n**On openSUSE based**\r\n\r\n    service dcp-loader start|stop|restart|status\r\n\r\n\r\n\r\n----------\r\n\r\nHope you enjoy using DNSCrypt-loader to manage DNSCrypt-proxy.\r\n\r\n---\r\n\r\nDCL Guide Rev-4 9/18/2016 \r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGortCodex%2FDNSCrypt-Loader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGortCodex%2FDNSCrypt-Loader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGortCodex%2FDNSCrypt-Loader/lists"}