[Thread] Running dnscrypt-proxy on Android

[jedisct1]

Current status:

• The proxy compiles without any changes using gomobile
• It also compiles and runs fine on Termux

This is fantastic, but not enough for most Android users to easily install and use it.

Since my knowledge of Android is fairly limited, help would be welcome!

[Sporif]

Exactly how do you build it with gomobile? I tried and it makes an apk which doesn't work.

I was thinking of just making a magisk module. It's either that or a root app and I don't know how to make apps. I already updated this unmaintained v1 module for the latest magisk version and some extra improvements, It should be simple enough to adapt to v2. I just need a way to make the binaries.

[jedisct1]

It requires an app.Main() function, that can just call the (actual) main function. That's all I know :)

[Sporif]

Well the linux arm64 variant works seems to fine on my phone. Maybe we don't need android specific binaries after all.

Also I have a request, I don't know if it's possible but could you add an option to have paths relative to dnscrypt-proxy.toml? It would be useful since I'm separating the binary from the config files (can't well keep them in /system/xbin). Otherwise every path in dnscrypt-proxy.toml must be a hardcoded absolute path.

[Sak94664]

./dnscrypt-proxy
[2018-01-28 15:10:08] [CRITICAL] Unable use source [public-resolvers]: [Get http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md: dial tcp: lookup download.dnscrypt.info on [::1]:53: read udp [::1]:44259->[::1]:53: read: connection refused]
[2018-01-28 15:10:08] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [TCP]
[2018-01-28 15:10:08] [ERROR] Head https://dns.google.com/experimental: dial tcp: lookup dns.google.com on [::1]:53: read udp [::1]:43670->[::1]:53: read: connection refused
[2018-01-28 15:10:08] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
^C[2018-01-28 15:10:58] [NOTICE] Stopped.``

This is the binary file from release page,running on termux.(arm64)
But when I use self-compiled binary,it works fine.
(Maybe it's because I run it without setting the port to 53?Set port 5353 ).
Android 7.1.2

Edit:Works fine when I use self-compiled binary.(set port to 5353.)
And I found a similar issue on another project.It said that the software will not run on android if the domain name is set,but it can run if the ip is set
issue:fatedier/frp#633 (Chinese)

edit(2019.11.03):.
it seems that this problem occurs when /etc/resolv.conf is missing
and Android absolutely don't have this file in that exact place.
a chroot or proot may do the trick.(use proot image or just execute dnscrypt proxy right after termux-chroot is ok,e.g. termux-chroot ./dnscrypt-proxy )

• if you are using termux-chroot please don't forget to add ~/../usr/etc/resolv.conf and edit it.

• You can just download linux-arm or linux-arm64 version from releases page and use it.

[ghost]

Hi, I am trying the arm binaries on my phone and they seem to work fine.
However i have a problem with configuration, since i receive this error:

Starting dnscrypt-proxy...
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [CRITICAL] Unable use source [public-resolvers]: [read udp 10.102.21.149:50517->9.9.9.9:53: read: connection refused]
[2018-02-07 13:53:31] [FATAL] No servers configured

Here is my dnscrypt-proxy.toml: https://pastebin.com/c5HM2SMW

[jedisct1]

Is your network usable? connection refused is pretty self-explanatory; it looks like the phone doesn't have access to the internet, or that something is blocking outgoing DNS connections.

[ghost]

Ok thank you, the problem was that just after starting dnscrypt-proxy i tryed to divert all dns requests to localhost:

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1

Unfortunately, i don't know how to configure my phone to use 127.0.0.1 as dns server after starting dnscrypt-proxy :(

[Sporif]

I added a guide to building the Android version on a non-Android OS, if anyone's interested.

https://github.com/jedisct1/dnscrypt-proxy/wiki/Building-the-Android-version-on-non-Android-OS

[jedisct1]

This is fantastic, thank you @Sporif!

[JERW86]

@Sporif are you still planning to release a Magisk module for 15+?

[Sporif]

@JERW86 Yeah I am, it's just going to be a while. Still writing the script that calls dnscrypt-proxy.

[HI54U]

System: Android LOS 7.1.2 latest, amd64 compiled, root, Afwall+ (on/off) moved the folder dnscrypt-proxy to data/local/tmp, all files 777 privileges

I encountered the following error while starting it with ./dnscrypt-proxy:
[FATAL] listen udp 127.0.0.1:5353: bind: address already in use

I changed the standard configuration file:

listen_addresses = ['127.0.0.1:53', '[::1]:53']
to
listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

If not I got an error that there's no UDP connection possible

require_dnssec = false
to
require_dnssec = true

SSH:
gemini:/data/local/tmp/dnscrypt-proxy # ./dnscrypt-proxy
[2018-02-20 16:57:11] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 16:57:11] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 16:57:11] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
255|gemini:/data/local/tmp/dnscrypt-proxy #

How can I fix this and run dnscrypt-proxy permantly?

[jedisct1]

listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

Looks like you are listening to the same IP and port twice.

[HI54U]

Ok, changed it again to the standard listen addresses
But then getting an error again:

gemini:/ $ su
gemini:/data/local/tmp/dns/dnscrypt-proxy <
[2018-02-20 18:03:30] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 18:03:30] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 18:03:30] [FATAL] listen udp [::1]:53: bind: cannot assign requested address
255|gemini:/data/local/tmp/dnsc,rypt-proxy #

[jedisct1]

Try a single address, then:

listen_addresses = ['127.0.0.1:53']

[Cnqu6doa2bn]

Don't get me wrong. It's an impressive tutorial which I tried before, but could only get it to work in setting SELinux permissive on boot by adding a line temporarily to dnscrypt-proxy.rc.

I am hanging atm in step 4 of you tutorial
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

That seems to work for me
supolicy --live 'create dns_crypt' # create new context
supolicy --live 'allow init dns_crypt process *' # let init handle the service
supolicy --live 'allow dns_crypt dns_crypt * *' # allow mutual love
supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'
supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'
supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

output: "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file.
I set /sys/fs/selinux/policy from permission 444 to 666

supolicy --save /sys/fs/selinux/policy
output:
Load policy from: /sys/fs/selinux/policy
**** write failed with 22: Invalid argument ****

Would be great to get this working :)

[Kein]

You can patch SELinux policy file on PC too.

The whole process does not sound pleasant

[mirfatif]

The whole process does not sound pleasant

Yes, if you want to go the hard way, following something proposed 4 years back. What I proposed recently in How to manually root a phone? goes like this:

• Download latest magiskinit (static) binary for x86 from here: https://github.com/topjohnwu/Magisk/releases
• Create a symlink supolicy to magiskinit.
• Copy loaded policy /sys/fs/selinux/policy or policy file /sepolicy or wherever it is on your phone to PC.
• Run

  supolicy --load policy --save policy.patched 'create my_custom_context' 'allow my_custom_context ...' 'allow ...' 'allow ...'
  

  and so on.
• Put policy.patched file back to your phone where it's supposed to be loaded on boot.

Also what has been written in your linked answer isn't applicable (at least fully) today. Android's SELinux implementation is very near to mainline Linux kernel now. And all tools designed for the latter also work on Android. I use sesearch regularly on my phone. So please learn and take things practically, don't suppose theoratically.

[mirfatif]

open: /etc/selinux/sepolicy failed with 30: Read-only file system

Why are you patching /etc/selinux/sepolicy? Patch loaded policy file /sys/fs/selinux/policy using supolicy --live ... statements.

[Cnqu6doa2bn]

Step 4 I did in an adb shell
supolicy --live 'create dns_crypt'
supolicy --live 'allow init dns_crypt process *'
supolicy --live 'allow dns_crypt dns_crypt * *'

supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'

supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'

supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

got after every rule "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
**** write failed with 22: Invalid argument ****

added to dnscrypt-proxy.rc

#enforcing custom SELinux policy loading after reboot
on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/load_policy /sys/fs/selinux/policy
start dnscrypt-proxy

After a reboot it works like before, but now I have a separate UID 999 for Dnscrypt and disabled Apps as root (0) permission and got Internet Access.

But :)
Is this normal that I got this write failed & "Load policy from: /sys/fs/selinux/policy"?
What can I do to verify that the custom rules are written to the policy rules?

[Cnqu6doa2bn]

So if I can't patch it "live" with supolicy in Android system I need to patch it with magiskinit from PC

Android supolicy errors
supolicy --live 'create dns_crypt'
Load policy from: /sys/fs/selinux/policy
Error in: create dns_crypt

supolicy --live 'allow init dns_crypt process *'
Load policy from: /sys/fs/selinux/policy

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
write failed with 22: Invalid argument

Followed the description here for patchin supolicy on PC (Linux)
#41 (comment)

but

supolicy --load policy --save policy.patched 'create dns_crypt'
Load policy from: policy
Error in: create dns_crypt

supolicy --load policy --save policy.patched 'create dns_crypt' 'allow init dns_crypt process *' 'allow dns_crypt dns_crypt * *' 'allow dns_crypt system_file dir { read open }' 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }' 'allow dns_crypt node tcp_socket { node_bind }' 'allow dns_crypt node udp_socket { node_bind }' 'allow dns_crypt port tcp_socket { name_bind name_connect }' 'allow dns_crypt port udp_socket { name_bind }' 'allow dns_crypt proc_net file { open read }' 'allow dns_crypt proc_stat file { read }' 'allow dns_crypt properties_device dir { read }' 'allow dns_crypt devpts chr_file { open read write }'

Load policy from: policy
target type dns_crypt does not exist
Error in: allow init dns_crypt process (null)
source type dns_crypt does not exist

Can someone please help to patch policy.

[Cnqu6doa2bn]

It seems that's not a policy problem, because if I run dnscrypt in permissive mode by adding in the rc-script there's no difference. I've got Internet access, but not through dnscrypt-proxy.

AfWall grant access through UID999 (custom script):
iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT

rc-script adding:
on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/setenforce 0
start dnscrypt-proxy

1. Resolver problem
   dnscrypt-proxy -check -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml

[2020-06-20 10:42:54] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 10:42:54] [NOTICE] Network not available yet -- waiting...
[2020-06-20 10:43:26] [NOTICE] Network connectivity detected
[2020-06-20 10:43:26] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolvers over tcp
[2020-06-20 10:43:27] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:27] [ERROR] Unable to resolve [raw.githubusercontent.com] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:27] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolvers over tcp
[2020-06-20 10:43:28] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:28] [ERROR] Unable to resolve [download.dnscrypt.info] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:28] [CRITICAL] Unable to retrieve source [public-resolvers]: [lookup download.dnscrypt.info: No address associated with hostname]
[2020-06-20 10:43:28] [FATAL] lookup download.dnscrypt.info: No address associated with hostname
Setting up different resolvers doesn't solve it.

I copied the files manual to the /system/etc/dnscrypt-proxy directory and dnscrypt is running as a service

[2020-06-20 11:21:15] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 11:21:15] [NOTICE] Network connectivity detected
[2020-06-20 11:21:15] [NOTICE] Source [public-resolvers] loaded
[2020-06-20 11:21:15] [NOTICE] Source [relays] loaded
[2020-06-20 11:21:15] [NOTICE] Anonymized DNS: routing everything via [anon-]
[2020-06-20 11:21:15] [NOTICE] Configuration successfully checked

2. AfWall
   custom script: iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT
   Internet access to root apps (0) off

I got Internet access, but not through dnscrypt-proxy. How should I configure AfWall and dnscrypt to get the Internet access through dnscrypt again and that's the resolver can update the files properly.

[ghost]

@mirfatif
Can you elaborate on how to make dnscrypt bypass VPN using iptables/AFWall+? I dont understand what is to target besides the userid, like, VPN, when established, does not add any special rules. I can target dncrypt owner id but what for?

[Kein]

There is an issue with DNSCrypt not letting phone to go to sleep and as far as I know you can't solve with any exiting methods, it has to be implemented on the application side.

[iWARR]

AFWall+ anti-leaking boot script - Fallback resolver stuck (HELP NEEDED)

Probably you know about anti-leaking script that AFWall+ can put into startup directory and make the OS booting much safer.
This is realy effective thing, but main disadvantage is a breakage of the Fallback resolver. As soon as the script located inside the startup directory for the scripts, then fallback resolver is unable to resolve [raw.githubusercontent.com], [download.dnscrypt.info] and other errors like "write: operation not permitted".

I have tried some workarounds like granting the access through the extra IPTABLES rules (additional script), but they didn't work for me. It would be nice to find a way making this script working in conjunction with the dnscrypt-proxy.

AFWall+ v3.4.0 - Anti-leaking boot script

#!/system/bin/sh

export PATH=/system/bin

if [ -e /data/data/dev.ukanth.ufirewall/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall"
elif [ -e /data/data/dev.ukanth.ufirewall.donate/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall.donate"
else
  log -p i -t afwall "AFWall does not seem to be installed, waited for $((endDt-startDt)) seconds."
  exit
fi

doit() {
  for i in "$@"
  do
    if [ -x "$i" ]
    then
      "$i" -w -P INPUT DROP
      "$i" -w -P OUTPUT DROP
      "$i" -w -P FORWARD DROP
      return
    fi
  done
}

doit /system/bin/iptables /data/data/$path/app_bin/iptables
doit /system/bin/ip6tables /data/data/$path/app_bin/ip6tables
log -p i -t afwall "IPv4/6 policy set to DROP"

P.S. Interensting fact (over the years): if I have any kind of troubles with Fallback resolver, manual launching dnscrypt-proxy using adb always works... It would be nice to have the equal reliability by default...

---

I need your help, freinds.
May be correct IPTABLES allow rules (new script)? Or may be some edits just inside the AFWall+ anti-leaking script?

[tehcog]

Before I can configure it (I had dnscrypt-proxy v1 running with custom init/config scripts just fine on my OnePlus), I need to have it built / build it for Android ARM7. My current toolchain is deprecated (OSX & go is depreicated), and I cannot build it in a VM for the same reason. Can someone please build for Android ARM7 and post? Thanks.

[ianbashford]

@tehcog - for Arm7, would the alpine build work?
Latest stable has 2.0.42. https://uk.alpinelinux.org/alpine/latest-stable/community/armv7/
Edge has 2.0.44 https://uk.alpinelinux.org/alpine/edge/community/armv7/
APKs should just untar. armhf is available there too.

[ghost]

Hey,

I try to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0)
Details about my installation and config can be found from #1563.

dnscrypt-proxy user in inet group with <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect as seen from log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

[Kein]

Use dmesg and see where selinux restricts it, then add exception to policy or permission? Though, if you are wrapping dnscrypt binaries into your own user-app you must understand what it only will wrap user-queries (that go through user-defined VPN, since this is the only way you can route them that way), all system queries and built-in google spyware will go through whatever is currently defined and used by the system.

[ghost]

Hey,

I try to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0)
Details about my installation and config can be found from #1563.

dnscrypt-proxy user in inet group with <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect as seen from log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

The binary need to have cap_net_raw+ep capability for an unprivileged user to be able to run it. Now it works just fine.