dnscrypt

The dnscrypt suse package seems to be broken. When I try to start dnscrypt-proxy.service after installation of the package, I get a permission denied error:

systemd[1]: Starting DNSCrypt-proxy client... 
ppk systemd[1]: Started DNSCrypt-proxy client. 
ppk dnscrypt-proxy[28162]: [2021-09-12 19:51:19] [NOTICE] dnscrypt-proxy 2.1.0 
ppk dnscrypt-proxy[28162]: [2021-09-12 19:51:19] [NOTICE] Network connectivity detected 
ppk dnscrypt-proxy[28162]: [2021-09-12 19:51:19] [FATAL] listen udp 127.0.0.1:53: bind: permission denied 
ppk systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION 
ppk systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.

Has anyone ever tried to make it work on opensuse?

Did you read README.openSUSE that comes with this package?

If only the package had suggested it in its description. :frowning:

BTW, wouldn’t it be nice if the info about the doc was put in the description? Or even the whole doc became part of the description?

Nah, sadly the doc is of no help. After installing openresolv and doing sudo systemctl start dnscrypt-proxy-resolvconf.service
the /etc/resolv.conf still contains stuff created by netconfig

Check /etc/sysconfig/network/config for ‘NETCONFIG_DNS_POLICY=’ and disable as mentioned there…

Type: string

Default: “auto”

Defines the DNS merge policy as documented in netconfig(8) manual page.

Set to “” to disable DNS configuration.

NETCONFIG_DNS_POLICY=""

Isn’t network configuration managed by NetworkManager on desktop linuxes?

I have no idea what you have configured. openSUSE offers NetworkManager, wicked, and systemd-networkd.

Basically it’s a stock tumbleweed

For me dnscrypt is working on Tumbleweed 20210904 in combination with Network Manager:

$ > sudo systemctl status dnscrypt-proxy.socket  
● dnscrypt-proxy.socket - DNSCrypt-proxy socket
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-09-13 08:23:36 CEST; 4h 35min ago
   Triggers: ● dnscrypt-proxy.service
       Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd 
             file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE 
     Listen: 127.0.0.1:53 (Stream) 
             127.0.0.1:53 (Datagram) 
      Tasks: 0 (limit: 4915) 
        CPU: 481us 
     CGroup: /system.slice/dnscrypt-proxy.socket 

Sep 13 08:23:36 linux-d7n9 systemd[1]: dnscrypt-proxy.socket: TCP_NODELAY failed: Protocol not available
Sep 13 08:23:36 linux-d7n9 systemd[1]: Listening on DNSCrypt-proxy socket.

I did install it some months ago and followed README.openSUSE option C and AFAIK I did not have to do anything else to get it running.

For resolv.conf I have these notes:

Being OpenSuse, netconfig is managing /etc/resolv.conf, configuration via /etc/sysconfig/network/config
To disable did change in /etc/sysconfig/network/config NETCONFIG_DNS_POLICY to “”:

NETCONFIG_DNS_POLICY="auto"

NETCONFIG_DNS_POLICY=""

Next delete the symbolic link of /etc/resolv.conf to /run/netconfig/resolv.conf and create a new /etc/resolv.conf:

$ sudo rm /etc/resolv.conf
$ sudo vi /etc/resolv.conf
$ cat /etc/resolv.conf

Was managed by netconfig:

> ls -l /etc/resolv.conf

lrwxrwxrwx 1 root root 26 Sep 12 2020 /etc/resolv.conf -> /run/netconfig/resolv.conf

Updated to use dnscrypt-proxy

nameserver 127.0.0.1
options edns0

And restart the network using:

$ sudo systemctl restart network

I’ve tried option A. still doesn’t start

systemd[1]: dnscrypt-proxy.socket: TCP_NODELAY failed: Protocol not available 
systemd[1]: Listening on DNSCrypt-proxy socket. 
systemd[1]: dnscrypt-proxy.socket: Failed with result 'service-start-limit-hit'.

This is just a warning, it tries to apply NoDelay to UDP socket. It is not an error.

systemd[1]: Listening on DNSCrypt-proxy socket.

So dnscrypt-proxy.socket was started successfully.

systemd[1]: dnscrypt-proxy.socket: Failed with result 'service-start-limit-hit'.

But it could not start dnscrypt-proxy.service.

I became curious and installed dnscrypt-proxy, it works without any manual configuration.

bor@tw:~> sudo zypper in dnscrypt-proxy
The following package is suggested, but will not be installed:
  openresolv


The following NEW package is going to be installed:
  dnscrypt-proxy


1 new package to install.
Overall download size: 3.2 MiB. Already cached: 0 B. After the operation,
additional 11.5 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): 
Retrieving package dnscrypt-proxy-2.1.0-1.1.x86_64
                                           (1/1),   3.2 MiB ( 11.5 MiB unpacked)
Retrieving: dnscrypt-proxy-2.1.0-1.1.x86_64.rpm ..............[done (4.5 MiB/s)]


Checking for file conflicts: .............................................[done]
(1/1) Installing: dnscrypt-proxy-2.1.0-1.1.x86_64 ........................[done]
bor@tw:~> systemctl start dnscrypt-proxy.socket 
bor@tw:~> systemctl status dnscrypt-proxy.socket 
● dnscrypt-proxy.socket - DNSCrypt-proxy socket
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; disabled; v>
     Active: active (listening) since Mon 2021-09-13 20:20:14 MSK; 4s ago
   Triggers: ● dnscrypt-proxy.service
       Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd
             file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE
     Listen: 127.0.0.1:53 (Stream)
             127.0.0.1:53 (Datagram)
      Tasks: 0 (limit: 1124)
        CPU: 2ms
     CGroup: /system.slice/dnscrypt-proxy.socket
bor@tw:~> dig @localhost google.com


; <<>> DiG 9.16.19 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14376
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A


;; ANSWER SECTION:
google.com.        3414    IN    A    172.217.169.14


;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 13 20:30:29 MSK 2021
;; MSG SIZE  rcvd: 55


bor@tw:~> sudo journalctl -b --no-pager
...
Sep 13 20:29:02 tw systemd[1]: Starting DNSCrypt-proxy client...
Sep 13 20:29:02 tw systemd[1]: Started DNSCrypt-proxy client.
Sep 13 20:29:03 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:03] [NOTICE] dnscrypt-proxy 2.1.0
Sep 13 20:29:03 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:03] [NOTICE] Network connectivity detected
Sep 13 20:29:03 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:03] [WARNING] Systemd sockets are untested and unsupported - use at your own risk
Sep 13 20:29:03 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:03] [NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.0.1:53
Sep 13 20:29:03 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:03] [NOTICE] Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.0.1:53
Sep 13 20:29:05 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:05] [NOTICE] Source [public-resolvers] loaded
Sep 13 20:29:06 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:06] [NOTICE] Source [relays] loaded
Sep 13 20:29:06 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:06] [NOTICE] Firefox workaround initialized
Sep 13 20:29:11 tw dnscrypt-proxy[3212]: [2021-09-13 20:29:11] [NOTICE] [dnscrypt.uk-ipv4] OK (DNSCrypt) - rtt: 64ms
...
bor@tw:~> sudo systemctl --no-pager -l status dnscrypt-proxy.service

● dnscrypt-proxy.service - DNSCrypt-proxy client
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-09-13 20:29:02 MSK; 30min ago
TriggeredBy: ● dnscrypt-proxy.socket
       Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/systemd
             file:/usr/share/doc/packages/dnscrypt-proxy/README.openSUSE
   Main PID: 3212 (dnscrypt-proxy)
      Tasks: 7 (limit: 1124)
        CPU: 1.346s
     CGroup: /system.slice/dnscrypt-proxy.service
             └─3212 /usr/sbin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml


Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   296ms cs-ore
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   305ms doh.ffmuc.net-2
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   314ms quad101
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   331ms publicarray-au-doh
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   333ms indonesia-unfilter-doh
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   361ms deffer-dns.au
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   400ms jp.tiarap.org
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] -   408ms doh-crypto-sx
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 10ms)
Sep 13 20:36:18 tw dnscrypt-proxy[3212]: [2021-09-13 20:36:17] [NOTICE] dnscrypt-proxy is ready - live servers: 122
bor@tw:~> 

You need to check your dnscrypt-proxy configuration. But it most certainly works (actually it “just works” after installation).

P.S. and could you please avoid applying fonts and colors to computer texts. It does not help to read and quote them.

Ok, I have systemctl reset-failed the service and socket. Still doesn’t start
The service status is

dnscrypt-proxy[17618]: [2021-09-14 09:27:07] [FATAL] listen udp 127.0.0.1:53: bind: permission denied 
systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION 
systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'. 
systemd[1]: dnscrypt-proxy.service: Start request repeated too quickly. 
systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'. 
systemd[1]: Failed to start DNSCrypt-proxy client.

I did not apply any fonts or colors. Maybe forum does after copy-paste. But I can’t do anything with it. It is quite annoying indeed.

The problem is clearly not in my configuration:
[FATAL] listen udp 127.0.0.1:53: bind: permission denied

Which is exactly your configuration problem and it is even explained in README.openSUSE. If you want to use port 53 you either need to use socket unit (as I demonstrated) or to change service definition to run as root, not as unprivileged user.

Searching for “service-start-limit-hit” gives me:

https://askubuntu.com/questions/1089310/how-to-resolve-service-start-limit-hit

So like written, there is an initial reason for the error but it’s hidden behind the one you see.

Looking better my guess is that bind is running and owning port 53, so try stopping bind.

You are wrong again. I did use socket. It’s not my configuration problem.
Please don’t assume others are dumber than you. Or if, because of arrogance or other psychological problems, you can’t help it, don’t bother to reply in this thread further. Thanks!

What’s bind and how to stop it?

Did you try searching for “dns bind”?

Before killing, let’s start with checking:

$ sudo ss -tulpn | grep :53
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*    users:(("dnscrypt-proxy",pid=1390,fd=9),("systemd",pid=1,fd=65))
tcp   LISTEN 0      4096       127.0.0.1:53         0.0.0.0:*    users:(("dnscrypt-proxy",pid=1390,fd=8),("systemd",pid=1,fd=64))
$ sudo ls -l /proc/1390/exe 
lrwxrwxrwx 1 dnscrypt dnscrypt 0 Sep 14 07:57 /proc/1390/exe -> /usr/sbin/dnscrypt-proxy

I did even search how to make dnscrypt work. Alas, all the info is ubuntu/arch specific and not applicable to openSuse

udp   UNCONN 0      0               127.0.0.1:53         0.0.0.0:*    users:(("systemd",pid=1,fd=75))         
tcp   LISTEN 0      4096            127.0.0.1:53         0.0.0.0:*    users:(("systemd",pid=1,fd=48))

Go ahead and tell me it’s my configuration problem. How it even works on ubuntu and arch without all this dances around? Could that be that package maintainers are more sane there?

Edit by Sauerland:
Please use Code-Tags for Terminal output.
Also please post the complete commandline to show, what command you use in which directory as which user…
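
Added example, not part of any post in this thread: a small shell helper that reads `ss -tulpn` output and reports who holds port 53, which is the distinction between the two outputs posted above (systemd plus dnscrypt-proxy versus systemd alone). The function name, the state labels and the `named` sample line are assumptions made for this example; the other two samples are the outputs from the thread.

```shell
#!/bin/sh
# Classify who holds port 53, reading `ss -tulpn` output on stdin.
classify_port53() {
    awk '
        $5 ~ /:53$/ {                       # column 5 is Local Address:Port
            seen = 1
            if ($0 ~ /\("systemd",pid=1,/)  systemd = 1
            if ($0 ~ /\("dnscrypt-proxy",/) proxy = 1
            rest = $0                       # walk every ("name", entry in users:(...)
            while (match(rest, /\("[^"]+"/)) {
                name = substr(rest, RSTART + 2, RLENGTH - 3)
                if (name != "systemd" && name != "dnscrypt-proxy") other = name
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END {
            if (!seen)                 print "free"              # nothing listens on :53
            else if (other != "")      print "foreign:" other    # another daemon owns it
            else if (systemd && proxy) print "socket-activated"  # service took over the fds
            else if (systemd)          print "socket-only"       # socket unit up, service not attached
            else if (proxy)            print "proxy-bound"       # proxy bound the port itself
            else                       print "unknown"
        }'
}

# Sample inputs: the first two are the ss outputs posted in this thread.
sample_working() { cat <<'EOF'
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*    users:(("dnscrypt-proxy",pid=1390,fd=9),("systemd",pid=1,fd=65))
tcp   LISTEN 0      4096       127.0.0.1:53         0.0.0.0:*    users:(("dnscrypt-proxy",pid=1390,fd=8),("systemd",pid=1,fd=64))
EOF
}
sample_failing() { cat <<'EOF'
udp   UNCONN 0      0               127.0.0.1:53         0.0.0.0:*    users:(("systemd",pid=1,fd=75))
tcp   LISTEN 0      4096            127.0.0.1:53         0.0.0.0:*    users:(("systemd",pid=1,fd=48))
EOF
}
# Constructed line (not from the thread): another resolver owning the port.
sample_foreign() { cat <<'EOF'
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*    users:(("named",pid=912,fd=21))
EOF
}

for s in sample_working sample_failing sample_foreign; do
    printf '%s: %s\n' "$s" "$($s | classify_port53)"
done
```

On a live system the same function can be fed directly with `sudo ss -tulpn | classify_port53`.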

Consider this an official warning: we do and will not allow personal attacks, not even if masked like this.

How about personal attacks when you pretend everyone else is stupid, and constantly feed them with wrong answers? Are they Ok?