Natvps.id – DNSCrypt is a protocol that secures communication between a DNS client and a DNS resolver. DNSCrypt can be used to ward off DNS spoofing attacks by verifying that the response received from the DNS resolver has not been modified. The DNSCrypt protocol is open source and free, and is not affiliated with any company or organization.
This article discusses the steps to install DNSCrypt along with a DOH proxy on a NAT VPS, which then functions as a DNS over HTTPS (DOH) server connected to the DNSCrypt proxy. This article uses Ubuntu 22.04 as a reference, but you can use other distributions such as Debian and CentOS. Make sure the OS used is supported by DNSCrypt.
Port forwarding configuration
Because we are using NAT, we need to add 2 port forwarding configurations in the Virtualizor panel (or another VPS panel, depending on the provider), namely HTTP and HTTPS port forwarding for DNSCrypt DOH.
For example, this article uses the domain dnscrypt.tutorial.mdinata.my.id. You are free to change the domain to one of your choice. Note down this port and domain, because we will use them again during the installation process.

Don’t forget to add a DNS record that points to your NAT VPS public IP, like this:

Install DNSCrypt
Open the DNSCrypt release page, then find the release file that contains linux-x86_64 in its name. Then, copy the file URL.

On the NAT VPS, download the file using curl:
curl -LO <DNSCrypt link you copied>

Create a new directory for DNSCrypt:
mkdir /opt/dnscrypt

Extract DNSCrypt to the directory:
tar -xzvf dnscrypt-*.tar.gz -C /opt/dnscrypt

Install the DNSCrypt service:
/opt/dnscrypt/linux-x86_64/dnscrypt-proxy -service install

Copy the DNSCrypt configuration:
cd /opt/dnscrypt/linux-x86_64
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

For Ubuntu and its derivatives, systemd-resolved is usually active and listens on port 53. Because DNSCrypt will run on port 53 as a DNS server, turn off the systemd-resolved stub listener:
sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/adguardhome.conf > /dev/null <<EOF
[Resolve]
DNS=127.0.0.1
DNSStubListener=no
EOF
sudo mv /etc/resolv.conf /etc/resolv.conf.backup
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl reload-or-restart systemd-resolved

Activate DNSCrypt:

DNSCrypt startup can take a few moments because it has to test the latency of the available public resolvers to maximize speed. Check the DNSCrypt log with:
systemctl status dnscrypt-proxy

Activating DNS-Over-HTTPS (DOH)
Open the DNSCrypt configuration:
nano /opt/dnscrypt/linux-x86_64/dnscrypt-proxy.toml
Then scroll down to find the [local_doh] section and remove the hash signs (#) to activate DOH, like this:

Save the file, then restart dnscrypt:
/opt/dnscrypt/linux-x86_64/dnscrypt-proxy -service restart
Nginx Configuration (Reverse Proxy)
So that we can access our DOH through a domain like dnscrypt.tutorial.mdinata.my.id, we can use a reverse proxy such as Nginx.
First, install Nginx with these commands:
# Remove Apache2 and its supporting packages (usually installed by default on OpenVZ VPS)
apt purge 'apache2*' -y
# Install NGINX
apt install nginx -y

Create a new host configuration specifically for DNSCrypt:
nano /etc/nginx/sites-available/dnscrypt
Then paste the following configuration:
#
server {
    listen 80;
    server_name dnscrypt.tutorial.mdinata.my.id;
    location /dns-query {
        proxy_pass
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
Replace dnscrypt.tutorial.mdinata.my.id with your domain.

Activate the configuration with:
ln -sf /etc/nginx/sites-available/dnscrypt /etc/nginx/sites-enabled/dnscrypt
# Restart NGINX
systemctl restart nginx

Generate an SSL certificate (Let’s Encrypt)
So that our domain can be accessed through HTTPS, we need to create an SSL certificate. We can use a free SSL certificate from Let’s Encrypt through Certbot.
Install Certbot and its Nginx plugin with the command:
apt install python3-certbot python3-certbot-nginx

Then generate the certificate through Certbot with the command:
certbot --nginx -d dnscrypt.tutorial.mdinata.my.id
Replace dnscrypt.tutorial.mdinata.my.id with your domain.

Congratulations! Your domain can now be accessed over a secure HTTPS connection.
Finished!
DNSCrypt DOH can be used through the URL https://<DNSCrypt domain>/dns-query. Example: https://dnscrypt.tutorial.mdinata.my.id/dns-query.
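To confirm that the endpoint actually answers DNS queries, the following added example (not part of the original article) sends an RFC 8484 GET request for an A record and checks the HTTP status, the content type and the DNS RCODE. The function names, the script name doh-check.sh and the default test name example.com are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a DoH endpoint with an RFC 8484 GET request.
# Function names are this example's own; needs curl, base64, tr, od, mktemp.

# Write a DNS query for the A record of name $1 in wire format (ID 0, RD set).
dns_query_wire() {
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'  # 12-byte header
    ( IFS=.   # split the name into labels; the subshell keeps IFS local
      for label in $1; do
          # each label: one length byte, then the label text
          printf "\\$(printf '%03o' "${#label}")%s" "$label"
      done )
    printf '\000\000\001\000\001'  # root label, QTYPE=A, QCLASS=IN
}

# Print the query as unpadded base64url, the form the ?dns= parameter takes.
dns_query_b64url() {
    # reject empty names, empty labels and characters outside hostname syntax
    case $1 in ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    dns_query_wire "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Read a DNS response on stdin and print its RCODE (low 4 bits of byte 3).
dns_rcode() {
    flags=$(od -An -tu1 -j3 -N1 | tr -d ' \n')
    [ -n "$flags" ] || return 1
    echo $((flags % 16))
}

# check_doh URL NAME: succeed only on HTTP 200, DNS content type and RCODE 0.
check_doh() {
    q=$(dns_query_b64url "$2") || return 1
    body=$(mktemp) || return 1
    meta=$(curl -sS --max-time 10 -H 'accept: application/dns-message' \
        -o "$body" -w '%{http_code} %{content_type}' "$1?dns=$q")
    rcode=$(dns_rcode < "$body"); rm -f "$body"
    echo "http/content-type: $meta  rcode: ${rcode:-none}"
    [ "$meta" = '200 application/dns-message' ] && [ "$rcode" = 0 ]
}

# Usage: sh doh-check.sh --check https://dnscrypt.tutorial.mdinata.my.id/dns-query
if [ "${1:-}" = "--check" ]; then check_doh "$2" "${3:-example.com}"; fi
```

An RCODE of 0 (NOERROR) together with HTTP 200 shows that Nginx reached the [local_doh] listener and that DNSCrypt resolved the name through an upstream resolver.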
Closing
That concludes this article on the steps to install DNSCrypt + DOH on a NAT VPS. If you are confused or unsure, don’t hesitate to ask questions in the Telegram group @ipv6indonesia. Thank you!
