/dnscrypt-proxy-android

Magisk-based module to use DNSCrypt-Proxyv2 on Android (6 - 10)

DNSCrypt Proxy 2 for Android via Magisk

The project aims to bring DNSCrypt-Proxyv2 to Android via a Magisk module.

What is DNSCrypt-Proxyv2 and why do I need it?!

DNSCrypt-Proxyv2 is a flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt.

DNSCrypt Features

Why aren't older Android versions supported?

Magisk itself does not support all (old) Android versions, and I also believe that, for security and privacy reasons, older Android versions should not be used anymore. You can still use and flash the module, but there will be no support from my side for older Android versions!

Donations

I do not accept donations for this project. If you want to support someone, please donate to the original DNSCrypt-Proxyv2 project. This helps to keep DNSCrypt-Proxyv2 alive and pushes the project forward.

Pre-built binaries

Up-to-date, pre-built binaries are available for the following platforms:

  • ARM
  • ARM64
  • x86
  • x86_64

Differences from the old DNSCrypt Proxy Magisk project

I dislike that other Magisk Android modules are hosted on Telegram, so I opened this project. It's beyond me why the Magisk version is hosted on Gitea, because the original code is hosted on GitHub and so should any other DNSCrypt-proxy related project be (my point of view).

dnscrypt-proxy.toml configuration file

  • DNSSEC is required
  • dnscrypt_ephemeral_keys feature is enabled (create a new, unique key for every single DNS query)
  • anonymized_dns is enabled (each resolver has 2 relays)
  • IPv6 is enabled, see here why
  • ⛔️ DoH is disabled, due to privacy concerns
  • ℹ️ refused is set as the response to blocked queries
  • ℹ️ The DNS query max. response time was changed from 5000 to 4500 ms.
  • ℹ️ CleanBrowsing is set as the fallback resolver
  • ℹ️ The configuration uses dnscrypt.nl-ns0 (NL), dnscrypt.eu-dk (DK), dnscrypt.eu-nl (NL), dnswarden-dc1 (DE), dnswarden-dc1 (DE), ffmuc.net (DE), ibksturm (CH), publicarray-au (AUS), publicarray-au2 (AUS), scaleway-ams (NL), scaleway-fr (FR) and v.dnscrypt.uk-ipv4 (UK)
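
After manual edits to dnscrypt-proxy.toml, a check like the following confirms that the settings listed above are still in effect. It is an added example, not part of this module: the key names are dnscrypt-proxy's own configuration keys, while mapping "IPv6 is enabled" to ipv6_servers, the sample file and its placeholder server and relay names are assumptions.

```shell
# Added example (not the module's code); the bullet-to-key mapping is an assumption.
# toml_get FILE KEY: print a top-level KEY's value, ignoring commented-out lines.
toml_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { exit }        # first section header: top level is over
        /^[ \t]*#/  { next }        # a commented-out setting is not in effect
        {
            sub(/[ \t]*#.*$/, "")   # drop a trailing comment (values here never contain #)
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1" | tr -d "\"'"
}

# has_anon_routes FILE: succeed if [anonymized_dns] holds an uncommented "routes" key.
has_anon_routes() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[anonymized_dns\]/); next }
        in_sec && /^[ \t]*routes[ \t]*=/ { found = 1 }
        END { exit !found }' "$1"
}

# audit_config FILE: print each deviation; exit status is the number of deviations.
audit_config() {
    fails=0
    has_anon_routes "$1" || { echo "MISSING [anonymized_dns] routes"; fails=1; }
    while read -r key want; do
        got=$(toml_get "$1" "$key")
        [ "$got" = "$want" ] && continue
        echo "MISMATCH $key: want '$want', found '${got:-unset}'"
        fails=$((fails + 1))
    done <<EOF
require_dnssec true
dnscrypt_ephemeral_keys true
ipv6_servers true
doh_servers false
blocked_query_response refused
timeout 4500
EOF
    return "$fails"
}

# Constructed sample (not the shipped file): DoH re-enabled, timeout back at 5000.
SAMPLE=$(mktemp)
printf '%s\n' 'require_dnssec = true' 'dnscrypt_ephemeral_keys = true' \
    'ipv6_servers = true' 'doh_servers = true' "blocked_query_response = 'refused'" \
    '# timeout = 4500' 'timeout = 5000  # default' '[anonymized_dns]' \
    "routes = [ { server_name='placeholder-server', via=['placeholder-relay-1', 'placeholder-relay-2'] } ]" > "$SAMPLE"
audit_config "$SAMPLE" || echo "deviations: $?"
```

On a device, point audit_config at /sdcard/dnscrypt-proxy/dnscrypt-proxy.toml; a non-zero exit status means at least one listed setting has drifted.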

Installation

This is how you pack a release

  1. Download the latest .zip file from the release channel, then repack it with the module files in the root of the zip rather than the directory.
  2. Flash the module via Magisk Manager (the big plus + button) and wait until the flash process is done.
  3. Reboot your device afterwards.
  4. That's it! Optionally, you can change dnscrypt-proxy.toml to suit your own needs.

AFWall+: enforce a specific DNS server

This is optional, in case you would like to enforce a specific DNS server via AFWall+. You can add this via a custom script; this example uses CleanBrowsing as the DNS server.

Warning: Make sure the script uses LF line endings, and that you give AFWall+ the correct path to your script, e.g. . /data/local/shartupscript.sh (the space between . and / is mandatory!).

Startup script:

# Redirect outgoing DNS (TCP/UDP port 53) that is not addressed to the allowed resolver to the local listener on port 5354
iptables -t nat -A OUTPUT -p tcp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
ip6tables -t nat -A OUTPUT -p tcp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
ip6tables -t nat -A OUTPUT -p udp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354

Shutdown script:

# Delete the redirect rules added by the startup script
iptables -t nat -D OUTPUT -p tcp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -D OUTPUT -p udp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
ip6tables -t nat -D OUTPUT -p tcp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
ip6tables -t nat -D OUTPUT -p udp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354

Configuration (post-installing)

  • You can manually edit dnscrypt-proxy.toml, located at /sdcard/dnscrypt-proxy/dnscrypt-proxy.toml or /data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml, to change DNSCrypt-Proxyv2 settings.
  • For a more in-depth explanation, please check the official documentation.

Changelog

You can see the full changelog here.

Debugging problems

Check (via terminal/termux) if DNSCrypt is working (active):

su dnscrypt-proxy --check

su
ps -A | grep dnscrypt-proxy

Too complicated, I need an app!

There is an app which brings everything together (DNSCrypt-Proxy, Tor and I2P); it's called InviZible Pro. It's written by Garmatin Oleksandr and uses the official libs from the mentioned projects. It includes some "tweaked" integrated configuration settings (e.g. for the ads filter [blacklist]), which you can review and change within the app.

Credits