====== Information ======

  * DNSCrypt ((https://dnscrypt.info))
  * dnscrypt-proxy ((https://github.com/jedisct1/dnscrypt-proxy))

===== Prerequisites =====

  * [[distros:opensuse_tumbleweed_gnome | openSUSE Tumbleweed]] ((local DNS server))

====== Create Group and User ======

****

  sudo groupadd 'dnscryptbuilder' && sudo useradd -c 'DNSCrypt Builder User' -d '/var/lib/dnscryptbuilder' -g 'dnscryptbuilder' -m -r 'dnscryptbuilder'

====== Dependencies ======

****

  sudo zypper install git-core go

====== Install ======

  * https://github.com/jedisct1/dnscrypt-proxy/wiki/building

===== Build =====

==== Switch User ====

****

  sudo su 'dnscryptbuilder' -s '/bin/bash'

==== Compile ====

****

  cd '/tmp' && rm -Rf '/tmp/dnscrypt-proxy' '/tmp/go-build'* ~/'go' && git clone -b 'master' 'https://github.com/jedisct1/dnscrypt-proxy.git' '/tmp/dnscrypt-proxy' --depth '1' && cd '/tmp/dnscrypt-proxy/dnscrypt-proxy' && go get -d && go clean && go build -ldflags='-s -w' && exit

===== Install =====

****

  sudo mv '/tmp/dnscrypt-proxy/dnscrypt-proxy/dnscrypt-proxy' '/usr/sbin/dnscrypt-proxy' && sudo chown 'root':'root' '/usr/sbin/dnscrypt-proxy' && sudo chmod +x '/usr/sbin/dnscrypt-proxy' && sudo restorecon -v '/usr/sbin/dnscrypt-proxy' && cd ~ && sudo rm -Rf '/tmp/dnscrypt-proxy' '/tmp/go-build'* '/var/lib/dnscryptbuilder/go' && sync

====== Settings ======

===== References =====

  * https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
  * https://github.com/DNSCrypt/dnscrypt-resolvers

===== Notes =====

  * ''server_names'' can be commented-out in order to query all available servers, and then manually curated to select the servers with lowest response times

===== Settings =====

  sudo mkdir -p '/etc/dnscrypt-proxy' && sudo -e '/etc/dnscrypt-proxy/dnscrypt-proxy.toml'

<code>
server_names = ['cloudflare', 'ev-us2', 'ventricle.us', 'opennic-onic']

keepalive = 10

fallback_resolver = '185.121.177.177:53'

ipv6_servers = true
require_dnssec = true

[blacklist]
blacklist_file = 'blacklist.txt'

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

[sources.'opennic']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 'http://download.dnscrypt.info/resolvers-list/v2/opennic.md']
cache_file = 'opennic.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'</code>

===== Blacklist =====

  sudo -e '/etc/dnscrypt-proxy/blacklist.txt'

<code>
# Facebook 2018/03/19
*.facebook.*
*.fbcdn.*
*.tfbnw.*
*.fbsbx.*
*.fb.*
*.whatsapp.*
*.instagram.*</code>

====== Services ======

===== Main =====

  sudo -e '/etc/systemd/system/dnscrypt-proxy.service' && sudo systemctl daemon-reload && sudo systemctl enable 'dnscrypt-proxy' --now && sudo systemctl status 'dnscrypt-proxy' -l

<code>
[Unit]
Description=dnscrypt-proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=/etc/dnscrypt-proxy
ExecStart='/usr/sbin/dnscrypt-proxy'

ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=yes
ReadWritePaths='/etc/dnscrypt-proxy'
NoNewPrivileges=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target</code>

===== Updater =====

==== Service ====

  sudo -e '/etc/systemd/system/dnscrypt-proxy-up.service'

<code>
[Service]
Type=oneshot
WorkingDirectory=/tmp

ProtectControlGroups=yes
ProtectKernelModules=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

ExecStartPre='/usr/bin/rm' -Rf '/tmp/dnscrypt-proxy' '/tmp/go-build'* '/var/lib/dnscryptbuilder/go'

ExecStartPre='/bin/bash' -c 'sudo -u "dnscryptbuilder" git clone -b "master" "https://github.com/jedisct1/dnscrypt-proxy.git" "/tmp/dnscrypt-proxy" --depth '1''
ExecStartPre='/bin/bash' -c 'cd "/tmp/dnscrypt-proxy/dnscrypt-proxy" && sudo -u "dnscryptbuilder" go get -d'
ExecStartPre='/bin/bash' -c 'cd "/tmp/dnscrypt-proxy/dnscrypt-proxy" && sudo -u "dnscryptbuilder" go clean'

ExecStart='/bin/bash' -c 'cd "/tmp/dnscrypt-proxy/dnscrypt-proxy" && sudo -u "dnscryptbuilder" go build -ldflags="-s -w"'

ExecStartPost='/usr/bin/mv' '/tmp/dnscrypt-proxy/dnscrypt-proxy/dnscrypt-proxy' '/usr/sbin/dnscrypt-proxy'
ExecStartPost='/usr/bin/chown' 'root':'root' '/usr/sbin/dnscrypt-proxy'
ExecStartPost='/usr/bin/chmod' +x '/usr/sbin/dnscrypt-proxy'
ExecStartPost='/usr/bin/systemctl' restart 'dnscrypt-proxy'

ExecStartPost='/usr/bin/rm' -Rf '/tmp/dnscrypt-proxy' '/tmp/go-build'* '/var/lib/dnscryptbuilder/go'
ExecStartPost='/usr/bin/sync'</code>

==== Timer ====

****

  sudo -e '/etc/systemd/system/dnscrypt-proxy-up.timer' && sudo systemctl daemon-reload && sudo systemctl enable 'dnscrypt-proxy-up.timer' --now && sudo systemctl start 'dnscrypt-proxy-up' && sudo systemctl status 'dnscrypt-proxy-up' -l

<code>
[Unit]
Description=dnscrypt-proxy Updater
After=network-online.target
Wants=network-online.target

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target</code>