No directions VPN-encrypted tunnel over SSH, DNSCrypt-proxy

[NoRainfallDuckDog]

Distribution: Linux Mint 22
Browser: Librewolf
Verified: DNSCrypt-proxy using dnscheck.tools
VPS Service: Digital Ocean

I reviewed the below links:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/DNSCrypt-server-with-vultr.com
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes

There are no directions to push the DNS traffic through the tunnel at the browser level.
There are do directions to configure the VPN tunnel using the VM server to access the internet.

dnscheck.tools shows the below:
Hello! Your public IP addresses are:
ISP Name Country
IP address City, Country

Using the VM IP address and then the below CLI to log into the SSH Server and configuring the settings for Librewolf as below:
CLI: ssh -4 -TND 8888 [email protected] <---------- nnn.nnn.nnn.nnn VM IP address
Librewolf configuration settings:
a. General -> Network Settings ->Settings
b. Connection Settings -> Manual proxy configuration -> SOCK Host = 127.0.0.1 -> Port = 8888
c. No proxy for = localhost, 127.0.0.1
d. Proxy DNS when using SOCK v5 = checkmarked

DNSCrypt-proxy was started and ready.

Using dnscheck.tools it shows the ISP IP address coming from Digital Ocean and the DNS resolvers are from Digital Ocean. The DNSSEC failed to verify.

So the purpose is to see the ISP IP address as the VM from Digital Ocean, and not from my own ISP, and also see the the DNSCrypt-Proxy servers as configured accordingly, in this case Cloudflare and Google, and as well to see DNSSEC passes the check.

What are the directions to configure the settings for Librewolf to push traffic through the VPN tunnel, VM IP address, and still as well using the DNSCrypt-proxy resolvers?

Generally, what are the directions for configuring the settings on any browser to push the DNS traffic through the encrypted tunnel and at the same time using the DNSCrypt-proxy resolvers?

[lifenjoiner]

d. Proxy DNS when using SOCK v5 = checkmarked

It is the best practice: keeping DNS queries at the same exit node as the proxy which directly connects to the target website.

So the purpose is to see the ISP IP address as the VM from Digital Ocean, and not from my own ISP, and also see the the DNSCrypt-Proxy servers as configured accordingly
to configure the settings for Librewolf to push traffic through the VPN tunnel, VM IP address, and still as well using the DNSCrypt-proxy resolvers

Don't! That leads to DNS leak!

[NoRainfallDuckDog]

The problem with https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH
The Oblivious DNS-over-HTTPS protocol is still a work in progress, and so is the implementation in dnscrypt-proxy. In particular, automatic relay selection is not implemented yet. Servers and relays may not be very stable. While upstream servers don't see queries directly coming from the client, they still learn the set of client IP addresses using them.

A no to using ODoH (Oblivious DNS-over-HTTPS).

Anonymized DNS https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS is the only solution - do or don't?

[lifenjoiner]

The first thing here is you are using a proxy/VPN to visit websites.

In this process:

1. there always will be a DNS resolver knows who (IP) is querying what (server name),
2. you would expect it provide you a quick/nearby IP,
3. the website always knows who (IP) is querying what (target IP, host name and resources), and they can check if the IP you connect to is the expected one based on your (proxy) IP.

So, what's important is who this DNS resolver is. Keeping DNS queries at the same exit node as the proxy which directly connects to the target website, will make it most likely that you are the exit node. It is critical when you are using a proxy/VPN!

https://en.wikipedia.org/wiki/DNS_leak
Do not use side-loaded DNS for proxies, only if you know what you are doing!

[NoRainfallDuckDog]

The first thing here is you are using a proxy/VPN to visit websites.

This doesn't sound right.
DNSCrypt-proxy is not considered a VPN; it is primarily a DNS proxy that encrypts DNS traffic, meaning it only secures the process of resolving domain names to IP addresses, not your entire internet traffic such as a VPN does; it does not encrypt all your data or hide your IP address across all websites.

If the user is trying to prevent DNS leaks, DNSCrypt isn't what the user wants. DNSCrypt is intended to prevent DNS spoofing, which is quite different. The user could think of it as Privacy vs Man-in-the-Middle. It prevents DNS spoofing. It doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity.

Using https://www.dnsleaktest.com/ is the way to see if your IP is hidden or masked as well as DNS leaks when accessing the internet.

1. there always will be a DNS resolver knows who (IP) is querying what (server name),
2. you would expect it provide you a quick/nearby IP,
3. the website always knows who (IP) is querying what (target IP, host name and resources), and they can check if the IP you connect to is the expected one based on your (proxy) IP.

This is why VPN is considered and required to be configured to hide and mask the activities and their traffic.

https://en.wikipedia.org/wiki/DNS_leak
Do not use side-loaded DNS for proxies, only if you know what you are doing!

Therer are no directions here for side-loaded DNS for proxies and its configuration. Reference... do you have a link from here https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux?

So the only solution would be to do the encrypted tunneling but then somehow to incorporate that with the DNSCrypt-proxy. To test the DNS leak is to use dnsleaktest.com or dnscheck.tools and others.

Is it then to use only port 53 and not 8888?

Let's forget about the concern with the DNS leak for now because it can be detected using dnsleaktest.com and dnscheck.tools, so would you have an idea how to configure the settings for Librewolf to incorporate both the encrypted tunneling and DNSCrypt-proxy? Is the request out of scope for DNSCrypt-proxy here?

---

Wouldn't this work https://github.com/DNSCrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes; essentially, you're putting DNS queries through the DNSCrypt-proxy under an encrypted secure tunnel?

Moreover, it doesn't require configuring network connection settings on the browser side.

My question is what is a docker? From Digital Ocean, there is no option for dockers but only for different distributions. The user would create an Ubuntu 24.04 VM, for instance.

From https://github.com/DNSCrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes, the section 'Install the DNSCrypt server':
docker run --ulimit nofile=90000:90000 --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host
jedisct1/dnscrypt-server init -N example.com -E 51.15.38.62:443

Is there a CLI command in place of 'docker run' for the distribution specific VM, such as Ubuntu 24.04 / Linux Mint 22?