@mkrasowski
Last active October 9, 2015 10:23
DNSCrypt setup with systemd
1. Install dnscrypt-proxy (https://dnscrypt.org) and Unbound (https://unbound.net)
2. Set up dnscrypt-proxy to listen on 127.0.0.1 port 40 (loopback only, so nothing else on the LAN can reach the proxy)
# VISUAL=vim systemctl edit dnscrypt-proxy.socket -> paste override.conf
3. Enable the dnscrypt-proxy socket for autostart and start it now
# systemctl enable dnscrypt-proxy.socket
# systemctl start dnscrypt-proxy.socket
4. Edit /etc/unbound/unbound.conf -> paste unbound.conf (adjust to your needs)
5. Download root.hints. Because unbound.conf forwards the whole "." zone to dnscrypt-proxy, Unbound does not iterate from the root servers itself; the file is only used if that forward-zone is later removed, but keep it current anyway
# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
6. Enable the Unbound service for autostart and start it now
# systemctl enable unbound.service
# systemctl start unbound.service
7. Edit /etc/resolv.conf -> paste resolv.conf (optionally modify domain and search)
8. Prevent resolv.conf from being overwritten by any DHCP client. The immutable bit also blocks your own edits, so run chattr -i /etc/resolv.conf before changing the file again
# chattr +i /etc/resolv.conf
9. Check which resolver your queries actually leave through. whoami.akamai.net resolves to the address of the resolver that contacted Akamai's authoritative servers, so with this chain you should see the DNSCrypt resolver's address, not your ISP's
# ping whoami.akamai.net
# dig +short whoami.akamai.net
override.conf (drop-in for dnscrypt-proxy.socket)
[Socket]
# The empty assignments clear the ListenStream/ListenDatagram values of the
# packaged unit first; otherwise the loopback:40 sockets would be added to the
# distribution defaults instead of replacing them.
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
resolv.conf
domain local
search local
nameserver 127.0.0.1
unbound.conf
server:
    verbosity: 1
    interface: 127.0.0.1
    port: 53
    username: "unbound"
    directory: "/etc/unbound"
    use-syslog: yes
    root-hints: "/etc/unbound/root.hints"
    # Required: Unbound refuses to send queries to 127.0.0.0/8 by default,
    # and the dnscrypt-proxy forwarder below listens there.
    do-not-query-localhost: no

# dnscrypt proxy: every zone not listed below leaves through the DNSCrypt tunnel
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40

# intranet: these zones go in plaintext to the internal resolver and bypass DNSCrypt,
# so keep the list to zones that only exist on the internal servers
forward-zone:
    name: "local.<company>.pl"
    forward-addr: <internal DNS ip>
forward-zone:
    name: "clients.<company>.pl"
    forward-addr: <internal DNS ip>
forward-zone:
    name: "<company>.local"
    forward-addr: <internal DNS ip>
forward-zone:
    name: "<company>.clients"
    forward-addr: <internal DNS ip>
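The checks below are an added example and not part of the gist. They verify the chain the steps produce (resolv.conf -> Unbound on 127.0.0.1:53 -> dnscrypt-proxy on 127.0.0.1:40) by reading the three configuration files, so a DHCP client re-adding a plaintext upstream, a socket drop-in that still binds a non-loopback address, or a missing do-not-query-localhost line is caught before any query leaves the box. The sample files written by write_samples, the internal resolver address 10.0.0.53 and the zone names local.example.pl and example.local are constructed placeholders; on the real host run the functions against /etc/resolv.conf, /etc/unbound/unbound.conf and the socket drop-in instead.

```shell
#!/bin/sh
# Added example (not the gist's own code): sanity checks for the
# dnscrypt-proxy -> Unbound chain. Each check takes a file path so it can be
# run against the live files or against copies. The sample files below are
# constructed; 10.0.0.53 and the example zone names are placeholders.

# resolv.conf: every nameserver must be the local Unbound. Any other entry
# means a DHCP client re-added a plaintext upstream that bypasses DNSCrypt.
resolv_ok() {
    ns=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$ns" ] || return 1
    for n in $ns; do
        [ "$n" = "127.0.0.1" ] || return 1
    done
}

# Socket drop-in: the only non-empty Listen* values may be 127.0.0.1:40,
# and both stream and datagram must be present (DNS uses UDP and TCP).
socket_ok() {
    bad=$(awk -F= '/^Listen(Stream|Datagram)=/ && $2 != "" && $2 != "127.0.0.1:40"' "$1")
    [ -z "$bad" ] || return 1
    grep -q '^ListenStream=127.0.0.1:40$' "$1" &&
    grep -q '^ListenDatagram=127.0.0.1:40$' "$1"
}

# Prints the forward-addr of the forward-zone named $2 in the unbound.conf at $1.
forward_addr_of() {
    awk -v want="$2" '
        /^[[:space:]]*forward-zone:/ { zone = "" }
        /^[[:space:]]*name:/         { gsub(/"/, "", $2); zone = $2 }
        /^[[:space:]]*forward-addr:/ && zone == want { print $2; exit }
    ' "$1"
}

# unbound.conf: "." must forward to dnscrypt-proxy on loopback:40, and
# do-not-query-localhost must be "no" or Unbound will never talk to it.
unbound_ok() {
    [ "$(forward_addr_of "$1" .)" = "127.0.0.1@40" ] || return 1
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$1"
}

# Lists every zone whose queries leave in plaintext (anything not sent to
# dnscrypt-proxy); for this setup that should be exactly the intranet zones.
plaintext_forwards() {
    awk '
        /^[[:space:]]*name:/         { gsub(/"/, "", $2); zone = $2 }
        /^[[:space:]]*forward-addr:/ && $2 != "127.0.0.1@40" { print zone, "->", $2 }
    ' "$1"
}

# Live check, only meaningful on the configured host: whoami.akamai.net
# answers with the address of the resolver that reached Akamai, which
# should be the DNSCrypt resolver's address, not the ISP's.
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed; skipping"; return 0; }
    dig +short @127.0.0.1 whoami.akamai.net
}

# Constructed sample files mirroring the gist's configuration (placeholders).
write_samples() {
    cat > "$1/override.conf" <<'EOF'
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
EOF
    printf 'domain local\nsearch local\nnameserver 127.0.0.1\n' > "$1/resolv.conf"
    # resolv.conf after a DHCP client appended its own server: must fail the check.
    printf 'nameserver 127.0.0.1\nnameserver 192.168.1.1\n' > "$1/resolv.bad"
    cat > "$1/unbound.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 53
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
forward-zone:
    name: "local.example.pl"
    forward-addr: 10.0.0.53
forward-zone:
    name: "example.local"
    forward-addr: 10.0.0.53
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for check in "resolv_ok $dir/resolv.conf" "socket_ok $dir/override.conf" "unbound_ok $dir/unbound.conf"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
echo "plaintext forwards:"; plaintext_forwards "$dir/unbound.conf"
rm -rf "$dir"
```

resolv.bad shows the failure mode step 8 guards against: one extra nameserver line is enough for the resolver library to fall back to a plaintext upstream when Unbound is slow or down. plaintext_forwards is worth reading after every edit to unbound.conf, since a zone name typo there (or a too-broad name such as a public TLD) silently routes those queries around DNSCrypt.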