DNSCrypt Proxy 2 for Android via Magisk
The project aims to bring DNSCrypt-Proxyv2 to Android via a Magisk module.
Table of Contents
- What is DNSCrypt-Proxyv2 and why do I need it?!
- DNSCrypt Features
- Why aren't older Android versions supported?
- Donations
- Pre-built binaries
- Differences between the old DNSCrypt Proxy Magisk project
  - dnscrypt-proxy.toml configurations file
- Installation
- Changelog
- Debug problems
- Credits
What is DNSCrypt-Proxyv2 and why do I need it?!
DNSCrypt-Proxyv2 is a flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt.
DNSCrypt Features
- Please check the official page to see what DNSCrypt-Proxyv2 has to offer.
- The project related DNSCrypt-Proxyv2 binaries are taken from the official release page.
Why aren't older Android versions supported?
Magisk itself does not support all (old) Android versions, and I also believe that for security and privacy reasons older Android versions should not be used anymore. However, you can still use and flash the module, but there will be no support from my side; no support will be given for older Android versions!
Donations
I do not accept donations for this project. If you want to support someone, please donate to the original DNSCrypt-Proxyv2 project. This helps to keep DNSCrypt-Proxyv2 alive and pushes the project.
Pre-built binaries
Up-to-date, pre-built binaries are available for the following platforms:
- ARM
- ARM64
- x86
- x86_64
Differences between the old DNSCrypt Proxy Magisk project
I dislike that other Magisk Android modules are hosted on Telegram, so I opened this project. It's beyond me why the Magisk version is being hosted via Gitea, because the original code is hosted on GitHub and so should any other DNSCrypt-proxy related project (my point of view).
dnscrypt-proxy.toml configurations file
- ✅ DNSSEC is required
- ✅ dnscrypt_ephemeral_keys feature is enabled (create a new, unique key for every single DNS query)
- ✅ anonymized_dns is enabled (each resolver has 2 relays)
- ✅ IPv6 is enabled, see here why
- ⛔️ DoH is disabled, due to privacy concerns
- ℹ️ refused is set to respond to blocked queries
- ℹ️ The DNS query max. response time was changed from 5000 to 4500 ms.
- ℹ️ CleanBrowsing is set as fallback resolver
- ℹ️ The configuration uses dnscrypt.nl-ns0 (NL), dnscrypt.eu-dk (DK), dnscrypt.eu-nl (NL), dnswarden-dc1 (DE), dnswarden-dc1 (DE), ffmuc.net (DE), ibksturm (CH), publicarray-au (AUS), publicarray-au2 (AUS), scaleway-ams (NL), scaleway-fr (FR) and v.dnscrypt.uk-ipv4 (UK)
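A small audit script for the settings listed above, added here as an example and not part of the module. The key names require_dnssec, doh_servers, ipv6_servers, blocked_query_response and timeout are the upstream dnscrypt-proxy option names assumed to correspond to the list items; the sample file and its relay names are constructed.

```shell
# Added example: audit a dnscrypt-proxy.toml against the settings listed above.
# Usage: audit_dnscrypt_config /sdcard/dnscrypt-proxy/dnscrypt-proxy.toml

# Constructed sample; relay-a/b/c are placeholder relay names.
SAMPLE_TOML="require_dnssec = true   # validate DNSSEC
dnscrypt_ephemeral_keys = true
doh_servers = false
ipv6_servers = true
blocked_query_response = 'refused'
timeout = 4500
[anonymized_dns]
routes = [
  { server_name='scaleway-fr', via=['relay-a', 'relay-b'] },
  { server_name='ibksturm', via=['relay-a', 'relay-c'] }
]"

# Print the value of key $2 in file $1, with comments and quotes stripped.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^['\"]//" -e "s/['\"]\$//" | head -n 1
}

# Prints one FAIL line per deviation, or OK. Returns 1 on any deviation.
audit_dnscrypt_config() {
    failures=0
    while read -r key want; do
        got=$(toml_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'"
            failures=$((failures + 1))
        fi
    done <<EOF
require_dnssec true
dnscrypt_ephemeral_keys true
doh_servers false
ipv6_servers true
blocked_query_response refused
timeout 4500
EOF
    # Every uncommented anonymized_dns route must list exactly two relays.
    routes=$(grep -E '^[[:space:]]*\{.*server_name' "$1") || true
    total=$(printf '%s' "$routes" | grep -c 'server_name') || true
    two=$(printf '%s' "$routes" | grep -E -c 'via *= *\[[^],]+,[^],]+\]') || true
    if [ "$total" -eq 0 ] || [ "$two" -ne "$total" ]; then
        echo "FAIL anonymized_dns routes: $two of $total have 2 relays"
        failures=$((failures + 1))
    fi
    if [ "$failures" -eq 0 ]; then echo "OK"; else return 1; fi
}
```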
Installation
- Download the latest .zip file from the release channel, now repack it with the module files in the root of the zip rather than the directory.
- Flash the module via Magisk Manager (the big plus + button) and wait until the flash process is done.
- Reboot your device afterwards.
- That's it! Optionally you could change the dnscrypt-proxy.toml as per your own needs.
AFWall+ enforce a specific DNS server
This is optional, in case you would like to enforce a specific DNS server via AFWall+. You can add this via a custom script; this example uses CleanBrowsing as the DNS server.
Warning: Make sure the script uses LF as line ending, and that you give AFWall+ the correct path to your script, e.g. . /data/local/shartupscript.sh (the space between . and / is mandatory!).
Startup script:
iptables -t nat -A OUTPUT -p tcp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
ip6tables -t nat -A OUTPUT -p tcp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
ip6tables -t nat -A OUTPUT -p udp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
Shutdown script:
iptables -t nat -D OUTPUT -p tcp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -D OUTPUT -p udp ! -d 185.228.168.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
ip6tables -t nat -D OUTPUT -p tcp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
ip6tables -t nat -D OUTPUT -p udp ! -d 2a0d:2a00:1::2 --dport 53 -j DNAT --to-destination [::1]:5354
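To confirm the redirect is in place after the startup script has run, the following added example (not part of the module or AFWall+) counts the matching DNAT rules in an `iptables -t nat -S OUTPUT` listing. The function names and the sample listing are constructed for illustration.

```shell
# Added example: audit the nat OUTPUT chain for the DNS redirect rules
# installed by the startup script above.
# On a rooted device:  iptables -t nat -S OUTPUT | check_dns_redirect

PROXY="${PROXY:-127.0.0.1:5354}"   # local dnscrypt-proxy listener from the rules above

# Constructed sample of `iptables -t nat -S OUTPUT` after one startup run.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT ! -d 185.228.168.9/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-A OUTPUT ! -d 185.228.168.9/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5354'

# Count rules on stdin that DNAT port 53 for protocol $1 to $PROXY.
count_redirects() {
    grep -F -- "-p $1 " |
        grep -E -- '--dport 53( |$)' |
        grep -F -c -- "-j DNAT --to-destination $PROXY"
}

# Prints "tcp=N udp=N". Returns 0 if each protocol has exactly one rule,
# 1 if one is missing (that protocol's DNS bypasses the proxy),
# 2 if one is duplicated (-D in the shutdown script removes only one copy).
check_dns_redirect() {
    rules=$(cat)
    result=0
    summary=""
    for proto in tcp udp; do
        n=$(printf '%s\n' "$rules" | count_redirects "$proto") || true
        summary="$summary $proto=$n"
        if [ "$n" -eq 0 ]; then
            result=1
        elif [ "$n" -gt 1 ] && [ "$result" -eq 0 ]; then
            result=2
        fi
    done
    echo "${summary# }"
    return "$result"
}
```

For the IPv6 rules, set PROXY to [::1]:5354 and feed it the output of ip6tables -t nat -S OUTPUT.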
Configuration (post-installing)
- You can manually edit dnscrypt-proxy.toml as you wish, located at /sdcard/dnscrypt-proxy/dnscrypt-proxy.toml or /data/media/0/dnscrypt-proxy/dnscrypt-proxy.toml, to change DNSCrypt-Proxyv2 settings.
- For a more in-depth explanation please check the official documentation.
Changelog
You can see the full changelog here.
Debugging problems
Check (via terminal/termux) if DNSCrypt is working (active):
su
dnscrypt-proxy --check
su
ps -A | grep dnscrypt-proxy
Too complicated, I need an app!
There is an app which brings everything together (DNSCrypt-Proxy, Tor and I2P); it's called InviZible Pro. It's written by Garmatin Oleksandr and uses the official libs from the official mentioned projects. It includes some "tweaked" integrated configuration settings (e.g. for ads filter [blacklist]), which you can review and change within the app.
Credits
- jedisct1 for his DNSCrypt-Proxy2 project
- topjohnwu for his Magisk project
- bluemeda for the original magisk module
- adit for his dcp
- All contributors and authors from the old dnscrypt-module
- All contributors as well as authors from the Gitea project
- Garmatin Oleksandr for InviZible Pro F-Droid