There are quite a few posts online about setting up dnscrypt-proxy on a USG or EdgeRouter, but what about a CloudKey? This post covers the high-level steps; I'm going to assume that a reader willing to customise their UniFi kit by installing non-standard packages is comfortable with the CLI.
I've got a CloudKey+ running firmware version 2, and after enabling SSH, /etc/debian_version shows the box is based on quite an old version of Debian that doesn't ship the latest dnscrypt-proxy package, so this is going to take a little more than apt-get install.
Before installing any non-standard package onto an appliance you should check for conflicts: a quick netstat -nap | grep 53 will show that systemd-resolved is already listening on UDP/53 (its stub listener on 127.0.0.53). Disable that by adding DNSStubListener=no to /etc/systemd/resolved.conf, restart it with systemctl restart systemd-resolved, and re-run the netstat check to confirm port 53 is free before going any further.
The GitHub documentation describes how to enable the testing repo and continue the installation, but that feels like a long way from standard; what about just downloading the single .deb file? According to uname -a the CloudKey+ has a 64-bit Arm processor, so the latest compatible package can be downloaded directly from here:
https://packages.debian.org/bullseye/arm64/dnscrypt-proxy/download
Copy the file to the CloudKey (via SCP), compare sha256sum of the download with the SHA256 checksum shown on that download page, and run dpkg -i:
root@UniKey:~# dpkg -i dnscrypt-proxy_2.0.45+ds1-1+b1_arm64.deb
Selecting previously unselected package dnscrypt-proxy.
(Reading database ... 35495 files and directories currently installed.)
Preparing to unpack dnscrypt-proxy_2.0.45+ds1-1+b1_arm64.deb ...
Unpacking dnscrypt-proxy (2.0.45+ds1-1+b1) ...
Setting up dnscrypt-proxy (2.0.45+ds1-1+b1) ...
Removing obsolete conffile /etc/dnscrypt-proxy/dnscrypt-proxy.conf ...
root@UniKey:~#
(Notice the "Removing obsolete conffile" line in my output: I had tried apt-get before realizing how old the package was!)
A quick check of the service shows it's running:
root@UniKey:~# service dnscrypt-proxy status
● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-03-15 13:02:26 GMT; 17s ago
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Main PID: 18613 (dnscrypt-proxy)
Memory: 8.0M
CPU: 630ms
CGroup: /system.slice/dnscrypt-proxy.service
└─18613 /usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] dnscrypt-proxy 2.0.45
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] Network connectivity detected
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [WARNING] Systemd sockets are untested and unsupported - use at your own risk
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.2.1:53
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] Source [public-resolvers] loaded
Mar 15 13:02:26 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:26] [NOTICE] Firefox workaround initialized
Mar 15 13:02:27 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:27] [NOTICE] [cloudflare] OK (DoH) - rtt: 27ms
Mar 15 13:02:27 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:27] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 27ms)
Mar 15 13:02:27 UniKey dnscrypt-proxy[18613]: [2021-03-15 13:02:27] [NOTICE] dnscrypt-proxy is ready - live servers: 1
root@UniKey:~#
But you'll find it's useless as it stands: it's only listening on localhost. The Debian package relies on systemd socket activation, and dnscrypt-proxy.socket binds 127.0.2.1:53 (see the "Wiring systemd ... socket" lines in the log above), so the socket unit, not the toml, is what decides where the proxy listens.
To change the port (or the address), create a drop-in at /etc/systemd/system/dnscrypt-proxy.socket.d/listen.conf (the directory won't exist yet; mkdir it, or let systemctl edit dnscrypt-proxy.socket create it for you). A drop-in is the place to customise a unit because the shipped file under /lib/systemd/system gets overwritten on package upgrade. The contents should be:
[Socket]
ListenStream=
ListenStream=53
ListenDatagram=
ListenDatagram=53
The line duplication above is deliberate: ListenStream and ListenDatagram are list settings, so systemd appends rather than replaces. An empty assignment clears the list, and the next line sets the new value. If you just add "ListenStream=5454" then it will add a port alongside 127.0.2.1:53, not replace one! A bare port number binds every address (the status below shows [::]:53); on a box with more than one interface, use ADDRESS:53 to keep the resolver on the LAN side only.
Run systemctl daemon-reload, restart the socket (and the service, so it picks up the new sockets), and you should be good to go:
root@UniKey:~# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket - dnscrypt-proxy listening socket
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/dnscrypt-proxy.socket.d
└─listen.conf
Active: active (running) since Tue 2021-04-13 12:24:34 BST; 2 days ago
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Listen: [::]:53 (Datagram)
CGroup: /system.slice/dnscrypt-proxy.socket
Apr 13 12:24:34 UniKey systemd[1]: Stopping dnscrypt-proxy listening socket.
Apr 13 12:24:34 UniKey systemd[1]: dnscrypt-proxy.socket: TCP_DEFER_ACCEPT failed: Protocol not available
Apr 13 12:24:34 UniKey systemd[1]: dnscrypt-proxy.socket: TCP_NODELAY failed: Protocol not available
Apr 13 12:24:34 UniKey systemd[1]: Listening on dnscrypt-proxy listening socket.
root@UniKey:~#
Notes: the Drop-In line in the status output confirms systemd has read listen.conf. If your box still isn't listening on the port and that line is missing, check the directory and file name and that you ran daemon-reload. The two TCP_DEFER_ACCEPT/TCP_NODELAY messages are systemd applying the unit's TCP options to the UDP socket as well; they are harmless.
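The same drop-in, generated and checked from the shell, as an added example that is not code from the original post or from the dnscrypt-proxy/Debian packaging. It uses the unit and path names above; the bind address 192.168.1.5 and the script name listen.sh are placeholders. The check function catches the "added a port, didn't replace one" mistake before anything touches systemd; the apply function is meant to run as root on the CloudKey.

```shell
#!/bin/sh
# Added example, not code from the original post or from dnscrypt-proxy/Debian.
# Renders the listen.conf drop-in for dnscrypt-proxy.socket, checks that every
# Listen* assignment is preceded by the reset systemd needs, and (on the
# CloudKey) installs it and shows what systemd actually bound.
set -eu

DROPIN_DIR=/etc/systemd/system/dnscrypt-proxy.socket.d
DROPIN_FILE="$DROPIN_DIR/listen.conf"

# Print the drop-in for one bind spec: "53" binds every address, "ADDR:53"
# only that address. ListenStream/ListenDatagram are list settings, so an empty
# assignment clears the package's 127.0.2.1:53 entries before the new value is
# added; without it the new socket is added alongside, not instead.
render_listen_dropin() {
    printf '%s\n' \
        '[Socket]' \
        'ListenStream=' \
        "ListenStream=$1" \
        'ListenDatagram=' \
        "ListenDatagram=$1"
}

# Read a drop-in on stdin; exit 0 if each ListenStream/ListenDatagram value is
# preceded by an empty reset of the same key, 1 otherwise.
check_listen_resets() {
    awk -F'=' '
        /^Listen(Stream|Datagram)=$/ { reset[$1] = 1; next }
        /^Listen(Stream|Datagram)=/  { if (!reset[$1]) bad++ }
        END { exit (bad ? 1 : 0) }
    '
}

# Install the drop-in and restart; run this on the CloudKey as root.
# The Drop-In line in `systemctl status` and the Listen property confirm the
# file was read and which addresses systemd bound; ss shows who owns port 53.
apply_listen_dropin() {
    render_listen_dropin "$1" | check_listen_resets
    mkdir -p "$DROPIN_DIR"
    render_listen_dropin "$1" > "$DROPIN_FILE"
    systemctl daemon-reload
    systemctl restart dnscrypt-proxy.socket dnscrypt-proxy.service
    systemctl show -p Listen dnscrypt-proxy.socket
    ss -lntup 'sport = :53'
}

# Usage: sh listen.sh apply 192.168.1.5:53   (192.168.1.5 is a placeholder LAN address)
# With no arguments it only prints the all-interfaces drop-in.
if [ "${1-}" = apply ]; then
    apply_listen_dropin "$2"
else
    render_listen_dropin "${1:-53}"
fi
```

Binding to ADDRESS:53 rather than a bare port is the safer default on anything with more than one interface; the check only verifies the reset lines, so still confirm the bound address with the Listen property after restarting.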
Resolver Lists
By default the package selects Cloudflare's public DNS. The settings are stored in /etc/dnscrypt-proxy/dnscrypt-proxy.toml, so if you don't want to use Cloudflare, for example to use Cisco Umbrella (OpenDNS), change server_names = ['cloudflare'] to server_names = ['cisco'] and restart the service; the names come from the [public-resolvers] source the log shows being loaded. The full list of resolvers is on DNSCrypt's website.
Logging
By default the package doesn't log queries. That's a fairly easy fix, but mind where the lines go: the toml shipped with the package is the upstream example config, which already carries [query_log] and [nx_log] table headers with file commented out (grep -n '^\[' /etc/dnscrypt-proxy/dnscrypt-proxy.toml shows every header and its line), so set file under the existing headers rather than adding a second copy, and keep log_level and the log_files_* keys in the global section above the first header, or they become keys of whatever table precedes them. The settings to end up with are:
log_level = 2
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
Check the file parses with /usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -check, restart the service, and then tail -f /var/log/dnscrypt-proxy/query.log while resolving a name from a LAN host to validate that your resolver is working. If the file doesn't get created, run chown _dnscrypt-proxy /var/log/dnscrypt-proxy to correct the folder permissions (the service runs as that user).
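Once the query log is flowing, an added example (not from the original post or the dnscrypt-proxy project) that summarises it from the shell: which clients actually use the proxy, return codes, the most queried names, and any unusually long names worth a second look. It assumes the default tsv layout of the query log (bracketed timestamp, client IP, query name, type, return code, latency, server, tab-separated); the log lines, addresses and names below are constructed, not captured, and dnslog.sh is a placeholder script name.

```shell
#!/bin/sh
# Added example, not code from the original post or from dnscrypt-proxy.
# Summarises a dnscrypt-proxy query log in the (assumed) default tsv layout:
#   [YYYY-MM-DD HH:MM:SS] TAB client TAB qname TAB qtype TAB rcode TAB latency TAB server
set -eu

# Constructed sample lines (not a captured log); addresses and names are made up.
write_sample_log() {
    {
        printf '[2021-04-15 09:00:01]\t192.168.1.20\texample.com\tA\tPASS\t27ms\tcloudflare\n'
        printf '[2021-04-15 09:00:02]\t192.168.1.20\texample.com\tAAAA\tPASS\t25ms\tcloudflare\n'
        printf '[2021-04-15 09:00:05]\t192.168.1.31\tntp.ubuntu.com\tA\tPASS\t30ms\tcloudflare\n'
        printf '[2021-04-15 09:00:07]\t192.168.1.31\texample.com\tA\tPASS\t26ms\tcloudflare\n'
        printf '[2021-04-15 09:00:09]\t192.168.1.20\tnosuchhost.internal\tA\tNXDOMAIN\t29ms\tcloudflare\n'
        printf '[2021-04-15 09:00:12]\t192.168.1.44\tdGhpcyBpcyBhIHRlc3Q.4e8f1c2a9b7d.tunnel.example.net\tTXT\tPASS\t31ms\tcloudflare\n'
    } > "$1"
}

# Which hosts are sending queries through the proxy (column 2): the quickest
# way to confirm the DHCP/DNS change on the UniFi side really took effect.
clients() { cut -f2 "$1" | sort -u; }

# Queries per return code (column 5), e.g. PASS vs NXDOMAIN.
count_by_rcode() {
    awk -F'\t' '{ c[$5]++ } END { for (k in c) print k "\t" c[k] }' "$1" | sort
}

# The N most queried names (column 3), most frequent first.
top_qnames() {
    awk -F'\t' '{ c[$3]++ } END { for (k in c) print c[k] "\t" k }' "$1" \
        | sort -k1,1nr -k2 | head -n "$2"
}

# Client and name for queries whose name is longer than N characters.
# Long, high-entropy labels (often TXT/NULL queries) are a cheap first
# heuristic for DNS tunnelling; treat hits as something to look at, not a verdict.
long_qnames() {
    awk -F'\t' -v max="$2" 'length($3) > max { print $2 "\t" $3 }' "$1"
}

dns_log_summary() {
    echo "clients:";             clients "$1"
    echo "return codes:";        count_by_rcode "$1"
    echo "top names:";           top_qnames "$1" 5
    echo "names over 40 chars:"; long_qnames "$1" 40
}

# On the CloudKey: LOG=/var/log/dnscrypt-proxy/query.log sh dnslog.sh
# With LOG unset, the constructed sample above is written to a temp file and used.
LOG=${LOG:-$(mktemp)}
[ -s "$LOG" ] || write_sample_log "$LOG"
dns_log_summary "$LOG"
```

The functions take the log path as their first argument, so they work just as well on a rotated query.log copied off the box; the length threshold is deliberately a parameter, since the right value depends on what your own LAN normally queries.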