DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

[Thread] Running dnscrypt-proxy on Android #41

Closed jedisct1 closed 3 years ago

jedisct1 commented 6 years ago

Current status:

This is fantastic, but not enough for most Android users to easily install and use it.

Since my knowledge of Android is fairly limited, help would be welcome!

Sporif commented 6 years ago

Exactly how do you build it with gomobile? I tried and it makes an apk which doesn't work.

I was thinking of just making a Magisk module. It's either that or a root app and I don't know how to make apps. I already updated this unmaintained v1 module for the latest Magisk version and some extra improvements. It should be simple enough to adapt to v2. I just need a way to make the binaries.

jedisct1 commented 6 years ago

It requires an app.Main() function, that can just call the (actual) main function. That's all I know :)

Sporif commented 6 years ago

Well, the linux arm64 variant seems to work fine on my phone. Maybe we don't need android specific binaries after all.

Also I have a request, I don't know if it's possible but could you add an option to have paths relative to dnscrypt-proxy.toml? It would be useful since I'm separating the binary from the config files (can't well keep them in /system/xbin). Otherwise every path in dnscrypt-proxy.toml must be a hardcoded absolute path.

Sak94664 commented 6 years ago

./dnscrypt-proxy
[2018-01-28 15:10:08] [CRITICAL] Unable use source [public-resolvers]: [Get http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md: dial tcp: lookup download.dnscrypt.info on [::1]:53: read udp [::1]:44259->[::1]:53: read: connection refused]
[2018-01-28 15:10:08] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [TCP]
[2018-01-28 15:10:08] [ERROR] Head https://dns.google.com/experimental: dial tcp: lookup dns.google.com on [::1]:53: read udp [::1]:43670->[::1]:53: read: connection refused
[2018-01-28 15:10:08] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
^C[2018-01-28 15:10:58] [NOTICE] Stopped.

This is the binary file from the release page, running on termux (arm64). But when I use a self-compiled binary, it works fine. (Maybe it's because I run it without setting the port to 53? Set port 5353.) Android 7.1.2

Edit: Works fine when I use a self-compiled binary (set port to 5353). And I found a similar issue on another project. It said that the software will not run on android if the domain name is set, but it can run if the ip is set. Issue: https://github.com/fatedier/frp/issues/633 (Chinese)

Edit (2019.11.03):
It seems that this problem occurs when /etc/resolv.conf is missing, and Android absolutely doesn't have this file in that exact place.
A chroot or proot may do the trick. (Use a proot image or just execute dnscrypt-proxy right after termux-chroot is ok, e.g. termux-chroot ./dnscrypt-proxy)

ghost commented 6 years ago

Hi, I am trying the arm binaries on my phone and they seem to work fine. However, I have a problem with configuration, since I receive this error:

Starting dnscrypt-proxy...
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [CRITICAL] Unable use source [public-resolvers]: [read udp 10.102.21.149:50517->9.9.9.9:53: read: connection refused]
[2018-02-07 13:53:31] [FATAL] No servers configured

Here is my dnscrypt-proxy.toml: https://pastebin.com/c5HM2SMW

jedisct1 commented 6 years ago

Is your network usable? connection refused is pretty self-explanatory; it looks like the phone doesn't have access to the internet, or that something is blocking outgoing DNS connections.

ghost commented 6 years ago

Ok thank you, the problem was that just after starting dnscrypt-proxy I tried to divert all dns requests to localhost:

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1

Unfortunately, I don't know how to configure my phone to use 127.0.0.1 as dns server after starting dnscrypt-proxy :(

Sporif commented 6 years ago

I added a guide to building the Android version on a non-Android OS, if anyone's interested.

https://github.com/jedisct1/dnscrypt-proxy/wiki/Building-the-Android-version-on-non-Android-OS

jedisct1 commented 6 years ago

This is fantastic, thank you @Sporif!

JERW86 commented 6 years ago

@Sporif are you still planning to release a Magisk module for 15+?

Sporif commented 6 years ago

@JERW86 Yeah I am, it's just going to be a while. Still writing the script that calls dnscrypt-proxy.

HI54U commented 6 years ago

System: Android LOS 7.1.2 latest, amd64 compiled, root, Afwall+ (on/off) moved the folder dnscrypt-proxy to data/local/tmp, all files 777 privileges

I encountered the following error while starting it with ./dnscrypt-proxy: [FATAL] listen udp 127.0.0.1:5353: bind: address already in use

I changed the standard configuration file:

listen_addresses = ['127.0.0.1:53', '[::1]:53'] to listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

If not I got an error that there's no UDP connection possible

require_dnssec = false to require_dnssec = true

SSH:
gemini:/data/local/tmp/dnscrypt-proxy # ./dnscrypt-proxy
[2018-02-20 16:57:11] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 16:57:11] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 16:57:11] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
255|gemini:/data/local/tmp/dnscrypt-proxy #

How can I fix this and run dnscrypt-proxy permanently?

jedisct1 commented 6 years ago

listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

Looks like you are listening to the same IP and port twice.

HI54U commented 6 years ago

Ok, changed it again to the standard listen addresses. But then getting an error again:

gemini:/ $ su
gemini:/data/local/tmp/dns/dnscrypt-proxy <
[2018-02-20 18:03:30] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 18:03:30] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 18:03:30] [FATAL] listen udp [::1]:53: bind: cannot assign requested address
255|gemini:/data/local/tmp/dnsc,rypt-proxy #

jedisct1 commented 6 years ago

Try a single address, then:

listen_addresses = ['127.0.0.1:53']

Teyro commented 6 years ago

Could you send me a copy of your compiled dns crypt? Can't get it to work :(

Sporif commented 6 years ago

@HI54U If you haven't already, you also need to set the dns server with iptables.

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $ipv4address 
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination $ipv4address

Where $ipv4address is the ipv4 address used in listen_addresses

To remove the rules it's the same command except use iptables -t nat -D instead of iptables -t nat -A.
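Added example, not part of the thread or of the dnscrypt-proxy project: a text-only check that the nat OUTPUT redirect described above actually lands on an address from listen_addresses, and that listen_addresses has no duplicate entry. The function names are hypothetical, the rule text is assumed to be in the form printed by `iptables -t nat -S OUTPUT`, and all sample inputs are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): compare dnscrypt-proxy's listen_addresses
# with the nat OUTPUT redirect rules. Text-only; sample inputs are constructed.

# IPv4 host:port entries of a listen_addresses line, one per line.
listen_v4() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n "s/.*'\([0-9][0-9.]*:[0-9][0-9]*\)'.*/\1/p"
}

# DNAT target for protocol $1 (udp|tcp) in the rule text $2.
# A target written without a port keeps the original destination port, 53.
dnat_target() {
    printf '%s\n' "$2" |
        sed -n "/-p $1 .*--dport 53 .*-j DNAT/s/.*--to-destination \([^ ]*\).*/\1/p" |
        sed 's/^\([^:]*\)$/\1:53/' | head -n 1
}

# $1 = listen_addresses line, $2 = output of `iptables -t nat -S OUTPUT`.
# Prints "ok" and returns 0, or prints the mismatch and returns 1.
check_redirect() {
    listeners=$(listen_v4 "$1")
    dup=$(printf '%s\n' "$listeners" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate listen address $dup"
        return 1
    fi
    for proto in udp tcp; do
        target=$(dnat_target "$proto" "$2")
        if [ -z "$target" ]; then
            echo "no DNAT rule for $proto port 53"
            return 1
        fi
        if ! printf '%s\n' "$listeners" | grep -qxF "$target"; then
            echo "$proto DNAT goes to $target, where the proxy does not listen"
            return 1
        fi
    done
    echo "ok"
}

# Constructed samples.
LISTEN_5353="listen_addresses = ['127.0.0.1:5353', '[::1]:5353']"
LISTEN_DUP="listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']"
RULES_NOPORT='-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1'
RULES_5353='-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353'

check_redirect "$LISTEN_5353" "$RULES_NOPORT" || true
check_redirect "$LISTEN_5353" "$RULES_5353"
check_redirect "$LISTEN_DUP" "$RULES_5353" || true
```

On a device, pass the listen_addresses line from dnscrypt-proxy.toml as the first argument and the output of `iptables -t nat -S OUTPUT` (run as root) as the second.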

Sporif commented 6 years ago

@Teyro what have you tried so far?

HI54U commented 6 years ago

@jedisct1 thank you, that works now, no errors.

@Teyro amd64 V2.0.1 https://files.fm/u/f9w8h4gg

@Sporif thank you for the advice, already changed the Afwall+ startup script

What is the best way to start dnscrypt-proxy automatic and not manual in a shell for Android 7.1.2? Init.d script?

Sporif commented 6 years ago

Yes an init.d script, or if you use magisk add the script to /sbin/.core/img/.core/service.d

HI54U commented 6 years ago

ok, made a simple userinit script in system/etc/init.d

99userinit.sh

#!/system/bin/sh

cd data/local/tmp/dnscrypt-proxy
./dnscrypt-proxy

then started it with universal init.d

Sak94664 commented 6 years ago

And I found a non-root solution, the app can use Vpnservice on android to modify dns traffic

  1. set port 5353 in "dnscrypt-proxy.toml" configuration file.
  2. set port 5353 and 127.0.0.1 as server address in daedalus app.
  3. start dnscrypt-proxy in termux (or any other terminal emulator).
  4. finally you can start daedalus app and run it without root permission. (it should also work on other non-root ports)

Project: https://github.com/iTXTech/Daedalus

(Only tested on Android 7.1.2 LOS.) aarch64. And it should work on Lollipop(5.0) and higher.

Using Termux to compile the binary file.

but it seemed that it is a bit complicated. :|

and if port 5353 doesn't work, set other non root ports is ok.

gideion commented 6 years ago

Following this discussion closely, hoping to get dnscrypt-proxy to work with OpenDNS on my rooted (Magisk) OPT3 running Oreo 8.1, but it's just a little over my head.

I believe I was able to successfully build dnscrypt-proxy using Sporif's excellent guide.

Edited the example-dnscrypt-proxy.toml to: dnscrypt-proxy.toml server_names = ['cisco-ipv6'] and listen_addresses = ['127.0.0.1:5353', '[::1]:5353']

Now I can't seem to start the service, I've tried a few things without result.

P.s. Looking forward to Sporif's release of a Magisk module.

bluemeda commented 6 years ago

I just created magisk module here https://github.com/bluemeda/dnscrypt-proxy-magisk

Teyro commented 6 years ago

@bluemeda Thx for your work, downloaded the file from v saw only the sources try to flash in magisk 16... said no valid file?!?! Did I need to compile it?

gideion commented 6 years ago

@bluemeda Thank you! but, Same result as @Teyro and thus same question.

JERW86 commented 6 years ago

@Teyro @gideion You have to re-zip the files so they are not contained in a folder. To flash in Magisk Manager, the zip file needs to be signed.

gideion commented 6 years ago

@bluemeda I downloaded the zip from github, extracted the files, edited dnscrypt-proxy.toml removing the # on the line: # server_names = ['scaleway-fr', 'google', 'yandex'] and replaced 'scaleway-fr', 'google', 'yandex' with 'cisco-ipv6' to use OpenDNS so now the line reads: server_names = ['cisco-ipv6'], zipped the file (no compression) and signed it using ZipSigner. I was able to successfully flash the zip using Magisk Manager v16, and then rebooted; however, after testing using https://dnsleaktest.com/ it says that I am still using the local ISP for DNS and connecting to 6+ servers, so it does not look like dnscrypt-proxy is working. What am I doing wrong/missing?

Thanks for your help, it is appreciated.

Fabianvk commented 6 years ago

@Teyro & @gideion

Here is the module from @bluemeda, signed and working (at least for me using Magisk 16.0). dnscrypt-proxy_Magisk.zip

bluemeda commented 6 years ago

@gideion I haven't that issue. I'll check later.

My repo has been added to Official Magisk Repo. You can download it in Magisk Manager app. https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk

gideion commented 6 years ago

@bluemeda I successfully installed your module from the official repo, cleared my browser cache and rebooted; unfortunately, however, the results were the same as when I built it myself, it does not seem to be working. See attached screenshot for my results from https://dnsleaktest.com/

screenshot_firefox_20180304-120920

bluemeda commented 6 years ago

@gideion please make sure if dnscrypt-proxy is running. Check it with ps -A | grep dnscrypt-proxy

gideion commented 6 years ago

@bluemeda ps -A | grep dnscrypt-proxy gives the result 15798 u0_a174 0:00 grep dsncrypt-proxy

bluemeda commented 6 years ago

@gideion run as root ps -ef | grep dnscrypt-proxy to see full arguments of the process

for example:

root@android:/storage/emulated/0 # ps -ef | grep dnscrypt-proxy
root           655     1 0 13:28:43 ?     00:00:00 dnscrypt-proxy -config /sbin/.core/img/dnscrypt-proxy/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml
root         13232 13199 15 13:41:35 pts/2 00:00:00 grep dnscrypt-proxy

gideion commented 6 years ago

@bluemeda

ps -A | grep dnscrypt-proxy
root 1024 1 39704 17180 futex_wait_queue_me 109e0ce9b8 S dnscrypt-proxy

bluemeda commented 6 years ago

@gideion hmm.... it seems that it was running

how about iptables? iptables -L -t nat

gideion commented 6 years ago

@bluemeda

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
oem_nat_pre all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:domain to:127.0.0.1:5353
DNAT udp -- anywhere anywhere udp dpt:domain to:127.0.0.1:5353

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
natctrl_nat_POSTROUTING all -- anywhere anywhere

Chain natctrl_nat_POSTROUTING (1 references)
target prot opt source destination

Chain oem_nat_pre (1 references)
target prot opt source destination

Teyro commented 6 years ago

Magisk Module works great but have to add

37.59.238.213 download.dnscrypt.info

to my /etc/hosts (because use hosts magisk adblock)

And I need to start dnscrypt by hand in adb shell / terminal by using

./dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Because the init.d script doesn't find the config, added that doesn't work.... :(

Skjold commented 6 years ago

There is a typo in magisk module's service.sh, dnsproxy is called with -config instead of --config. I've removed the entire while construct there and it ran on startup with zero problems.

palmuse commented 6 years ago

I am working on an updated root-version, flashable zip for Android based off 'dnscrypt-proxy-android-armv7-a-1.9.4' (last version I had from the old proxy). Will try to get it done this weekend. If interested in posting this, let me know.

The key for me getting this to work is not setting up the iptables with 127.0.0.1 in a separate script or afWall+. I believe it is already done in the config (dnscrypt-proxy.toml).

jedisct1 commented 6 years ago

Looks like there is another issue with the Magisk module: https://github.com/jedisct1/dnscrypt-proxy/issues/226#issuecomment-373721309

Any reasons to use a different port?

gideion commented 6 years ago

@palmuse I would be interested.

palmuse commented 6 years ago

@gideion I uploaded a copy of the updated zip. Based on dnscrypt 1.9.4 and dnscrypt-proxy 2.0.7.

Be warned this is my first venture in updating a flash zip. It worked on my device. (LineageOS 14.1 on Galaxy Note 3). Might not be the best implementation, but works for my needs.

Note: I use OverrideDNS to set my DNS to localhost. Everything else should work out of the box.

A nice site to test with is here (lists all servers): https://ipleak.net/

https://www.dropbox.com/s/ym684cyhawbyumd/dnscrypt-proxy-android-armv7-2.0.7-signed.zip?dl=0

Cobalagi commented 6 years ago

My Internet can not be used after install dnscrypt v2,1.3 from magisk manager. Redmi 4 prime running Android 7.1.2 Unofficial Crdroid

Cobalagi commented 6 years ago

I use overridedns and set to opendns (port 443), everything is working now. But if I change to another dns without port 443, my internet is unusable. Sorry for my bad english

bluemeda commented 6 years ago

Next update, I will create option in installation progress to let users make their decision

runo280 commented 6 years ago

@bluemeda Dude which zip we should download? I've downloaded this: https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk/archive/v2.1.2.zip Then tried to flash it via Magisk Manager, it says "This zip is not Magisk Module".

bluemeda commented 6 years ago

@runo280 download it via Magisk Manager apps. If you wanna download from github, try download https://github.com/Magisk-Modules-Repo/dnscrypt-proxy-magisk/archive/master.zip extract it then go to root folder and re-zip.

halfbytecode commented 6 years ago

I am trying to run dnscrypt-proxy-android_arm-2.0.8 on my android phone, running marshmallow.

I configured it to use only google DNS. However, I get an error saying Certificate Hash not found for [google].

Could someone help?

[2018-03-30 10:31:25] [NOTICE] Source [public-resolvers.md] loaded
[2018-03-30 10:31:25] [NOTICE] dnscrypt-proxy 2.0.8
[2018-03-30 10:31:25] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2018-03-30 10:31:25] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2018-03-30 10:31:28] [ERROR] Certificate hash [f25c6adc73978d79c27c9e8989089faae9e08b4c49fa6c789cd2158653061068] not found for [google]
[2018-03-30 10:31:28] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable

halfbytecode commented 6 years ago

It ran error free a couple of times, after that. However, now it is showing another error.

[2018-03-30 12:17:05] [NOTICE] Source [public-resolvers.md] loaded
[2018-03-30 12:17:05] [NOTICE] dnscrypt-proxy 2.0.8
[2018-03-30 12:17:05] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2018-03-30 12:17:05] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2018-03-30 12:17:09] [ERROR] read udp 100.71.31.223:45908->9.9.9.9:53: i/o timeout
[2018-03-30 12:17:09] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable