Documentation about installing on Android

[emanruse]

Here is my experience with 'dnscrypt-proxy' on Android (I use Replicant. Replicant has root and init.d support "out of the box".

To start off, I have spent more than a week digging the web for information on how to do it. I have read many many discussions, questions and answers (including issues here). The official documentation didn't really help. In the very beginning it says:

If you want to change the DNSCrypt resolver, unzip the downloaded archive, edit the RESOLVER_NAME variable in system/etc/init.d/99dnscrypt. Keep the content as a ZIP file, with the original structure.

I have downloaded and unzipped every single release since 2.0.6 (the first one introducing Android binaries). There is no 99dnscrypt in any of them. Neither there is such file in the source code in git. So, my next step was to search the web, read issues here and there, a lot of time and effort.

What I found:

• @Quindecim's repo - it seems made for some software called Magisk. I don't want to install additional software which I don't need, give it permissions etc. I just want dnscrypt-proxy.
• There are some solutions for creating a boot service using init.rc. This process seems to involve unpacking the boot image, editing init.rc, and repacking it. This is new to someone like me. I found several softwares/versions which unpack and repack but when testing unpacking and repacking with no modification whatsoever the repacked image is always quite smaller than the original. I decided not to risk bricking my phone, so I stopped exploring this route.
• Researching further, I found this issue and from it - @uzen's repo. Unfortunately, it seems to include a binary with unknown source code in src/META-INF/com/google/android, so I won't run it. Instead of putting that blindly on my phone, I looked into the 99dnscrypt it includes and the two sub-scripts it calls. My impression: the author has spent quite some time on that. Shellcheck complains about so many problems though. Regardless of that, I decided to give these 3 scripts a try but unfortunately the result wasn't satisfactory. I couldn't get things to work as expected, so after many hours of digging into that obviusly old shell script code, I decided to return to simplicity and start from scratch.
• Then I found this. The init.d script used by the questioner is pretty much the same one which I tried myself initially. The difference is that I don't get the errors he gets - there are no such selinux messages in my logcat.

The official documentation also suggests installing one of "four (paid) apps" to switch currently running DNS settings to DNSCrypt. That is another thing I don't want to do. Installing additional (especially non-free) software for the sake of improving security through a software like dnscrypt-proxy, thus increasing attack surface and so on, is a logical contradiction.

So, in my search for a simple, clean, and working FOSS solution I used the same steps as in the Stackexchange question. In my dnscrypt-proxy.toml I enable blocked_names and put only one line in it for testing:

*.fsf.org

My findings:

I notice that 'dnscrypt-proxy' is started twice on boot:

$ adb shell logcat | grep dns
12-29 19:25:23.100  1993  1993 I sysinit : Running /system/etc/init.d/99dnscrypt 
12-29 19:25:23.290  2006  2006 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:25:23.315  2010  2010 I dnscrypt: Changing dns with iptables... 
12-29 19:27:38.500  3459  3459 I sysinit : Running /system/etc/init.d/99dnscrypt 
12-29 19:27:38.550  3464  3464 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:27:38.595  3467  3467 I dnscrypt: Changing dns with iptables...

$ adb shell ps | grep dns
root      2009  1     813640 6500  futex_wait 40103db0 S dnscrypt-proxy
root      3466  1     808256 7628  futex_wait 4016fdb0 S dnscrypt-proxy

The 'iptables' rules are not applied:

root@i9300:/ # iptables -L | grep 53                                               
1|root@i9300:/ # iptables -t nat -L | grep 53                                      
1|root@i9300:/ # 

I kill 'dnscrypt-proxy' manually:

$ adb shell
root@i9300:/ # killall dnscrypt-proxy                                              
root@i9300:/ # killall dnscrypt-proxy                                              
killall: dnscrypt-proxy: No such process

Then I start the service manually (cellular data is not enabled):

root@i9300:/ # /etc/init.d/99dnscrypt                                            
root@i9300:/ # [2022-12-29 19:36:20] [NOTICE] dnscrypt-proxy 2.1.2
[2022-12-29 19:36:20] [NOTICE] Network not available yet -- waiting...

Now, 'logcat' and 'ps' show there is only one runnig process:

12-29 19:36:19.860  5209  5209 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:36:19.970  5213  5213 I dnscrypt: Changing dns with iptables...

$ adb shell ps | grep dns
root      5212  1     812096 7604  futex_wait 401c4db0 S dnscrypt-proxy

The firewall rule is applied correctly too:

root@i9300:/ # iptables -t nat -L | grep 53                                      
DNAT       udp  --  anywhere             anywhere             udp dpt:domain to:127.0.0.1:53

Enable cellular data and watch what is happening in 'adb shell':

root@i9300:/ # [2022-12-29 20:08:31] [NOTICE] Network connectivity detected
[2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
...
// many other regular notices
...
[2022-12-29 20:09:45] [NOTICE] dnscrypt-proxy is ready - live servers: 32

Everything seems to work. Testing to confirm:

root@i9300:/ # host fsf.org
host: Host not found.
1|root@i9300:/ # host gnu.org
gnu.org has address 209.51.188.116

So, the blocked_names section works and resolving works.

Next, I disabled cellular data, unplugged the USB cable connected to the computer and connected the external WiFi adapter (Replicant needs an external RYF adapter as the phone's built in one won't work without proprietary software). So, I could not test with ADB any more but only using the limited "Terminal" application in Replicant and using the browser that comes with Replicant (no idea what its name is).

In that terminal (rewriting manually here):

host -v fsf.org
host: Host not found.
host -v gnu.org
host: Host not found.

and so on - it seem nothing resolved.

In the browser I see a different result though:

• fsf.org works (although it must not resolve)
• gnu.org works
• other sites work

Obviously, things don't work as expected when using WiFi.

Connecting the phone to the computer again I see that 'dnscrypt-proxy' process is still active. Re-testing with cellular data again shows the same result as above: fsf.org is not resolved, other domains are.

The questions are:

1. Why only the logging commands of the init.d script work, considering that the script is ran by root at boot time?

2. Why (even with manual starting of the service) the behavior is different when using WiFi?

3. How to make this service work on boot with all connections (cellular, WiFi, reverse USB tethering, etc) without requiring manual starting through ADB or additional apps (assuming one already has root and init.d support)?

It would be really great if someone can update the documentation.

Best wishes for the new year!

[jedisct1]

Thanks for your input!

The documentation is a Wiki, so anybody can update it, including you :)

Unfortunately I don't have an Android device, so I have no idea about how this works.

[emanruse]

The documentation is a Wiki, so anybody can update it, including you :)

If I knew the answers to my questions, I could probably do it. Unfortunately, I don't - hence the current issue. As you can see, I have researched quite a lot and didn't find them. So, my last hope is to ask the experts here directly.

Unfortunately I don't have an Android device, so I have no idea about how this works.

Who builds the Android binaries? I suppose they have an Android device and know how to do it.

[jedisct1]

Android binaries are built automatically by the CI system, like all other binaries.

[emanruse]

But that automation must have been configured by somebody in order to work properly, right? Doesn't that mean that the person who did that understands how Android works? If I am not asking the right questions at the right place, could you kindly suggest where one can ask the dnscrypt-proxy questions about Android?

[jedisct1]

But that automation must have been configured by somebody in order to work properly, right? Doesn't that mean that the person who did that understands how Android works?

The beauty of languages such as Go and Zig is that the only thing it takes to build a binary for a given target is to specify the name of the target.

So, that's what I did for different flavors of Linux, Windows, Android, etc. even though I only have a Mac and have no idea how Windows and Android work.

[syphyr]

I did this to add dnscrypt to cm14:
https://github.com/syphyr/dnscrypt_proxy_prebuilt

Additional commits:

syphyr/android_packages_apps_Settings@6f4e60e

syphyr/android_packages_apps_Settings@5064ace

syphyr/android_packages_apps_Settings@786c32c

syphyr/android_system_sepolicy@580f2ab

syphyr/android_system_sepolicy@11c3cf4

syphyr/android_system_sepolicy@20af525

syphyr/android_system_sepolicy@9717a0f

To enable:

syphyr/android_vendor_cm-1@8aeb773

Add to local manifest:

syphyr/cm_build_scripts@59b1738

[MF-Debug]

@emanruse I suggest you to use Invizible Pro. It's much simpler to use imo.

[emanruse]

@syphyr OK, I cloned your repo and looked at each and every file in the resulting tree. Now I wonder: 1. Why did I have to download 1.2 GB and why >99% of that size is in .git directory? 2. Looking at the essential content, I see 4 files (20Kb total) containing the customizations you made: ``` . ├── Android.mk ├── dnscrypt ├── dnscrypt-iptables ├── dnscrypt_proxy.rc └── etc └── dnscrypt-proxy // this as this is standard config stuff ``` - Your `dnscrypt` and `dnscrypt-iptabes` are quite similar to @uzen's scripts. So, I still wonder - how can I use them? Your `dnscrypt_proxy.rc` suggests that those should be placed in `/system/bin`. I am not an Android expert but from what I have read this is the directory for system binaries. Other binaries should go to `/system/xbin` and start up scripts should be placed in `/etc/init.d` with a proper prefix (e.g. 99). - In `dnscrypt_proxy.rc` you start the service as root. Why? On my Linux systems I see the service runs as user named `dnscrypt`. Is it not appropriate to have the same on Android and how can it be done? - Could you please explain how the `on property:` lines of `dnscrypt_proxy.rc` work? - What is `Android.mk` and how do I use it?

Additional commits:

How do I use those? And why? As you understand, I am definitely not an Android developer. I only know how to do things on Linux. I would really appreciate if you can elaborate on my initial questions, as well as the ones in the current post. @MF-Debug I know about this app, thanks. As stated in my initial question #3 - I don't want to install additional apps. Just `dnscrypt-proxy`.

[syphyr]

@emanruse

1. the repo is large because it is storing prebuilt binaries of dnscrypt-proxy. The older android build environment does not support new versions of go, so I am using prebuilt dnscrypt binaries.

2. getting it to work with my repo will require building the rom. There are required changes to the sepolicy and I added a switch in the developer options to turn dnscrypt off/on and also the ability to enable all traffic through tor. So, those additional commits are for the needed changes to other android repos used to build the rom.

3. I am using root to run dnscrypt because the older version of android (cm-14.1) did not seem to work right when changing the user to anything other than root. Although, I have read people using newer versions of android can change the user to something with less privileges. I couldn't get it to work with other users on cm-14.1, but the added sepolicy domain should help prevent dnscrypt from doing anything it is not supposed to do.

4. "on property" is looking for changes in the android props and performs actions when the props change. That is how the settings work to turn dnscrypt off/on.

5. the method I am using adds dnscrypt as a service to android so that it gets special system privileges and does not get killed under low memory situations, which will happen if you start dnscrypt any other way on android. Using init.d is not the correct way to add a service, that is what the .rc file is for.

6. Android.mk is what the android build system uses to know where to copy the files

[emanruse]

@syphyr Thank you for this info. I hope you can answer my initial questions too. Perhaps I didn't stress enough what I mentioned in the initial post, so it seems a good time to do it to avoid further complication and confusion (quoting myself):

So, in my search for a **simple, clean, and working FOSS solution**

Rebuilding the OS, downloading git-versioned binaries several times bigger than the OS itself, and becoming an Android developer to understand all the intricacies of a complicated process is not suitable for a non-expert. What I am looking for is something similar to what one does on Linux: 1. Download the latest release from current repo (without having to use other repos or apps) 2. Customize config files 3. Have a working init script for the purpose of dnscrypt-proxy only 4. Push the proper files to their proper places using `adb` 5. Reboot and have everything working as expected Can you help with that?

[syphyr]

@emanruse

If you look at https://github.com/uzen/dnscrypt-android , this repo will help create a zip file which can be installed from recovery. This is probably the closest you can get to installing dnscrypt-proxy without building the ROM. This repo uses init.d, but it requires a helper application (Afwall) to launch dnscrypt-proxy with root privileges. So, if you use this method, you will need to have root installed on your ROM and you will also need to install Afwall in order to start dnscrypt to get around the sepolicy that would normally prevent dnscrypt from starting up.

[syphyr]

I have created some dnscrypt-proxy installation packages to be installed from the recovery, so you can take a look at the file structure. But in order for this to work, you would also need to update the selinux policy and build your device's boot.img, or this will not work. The selinux policy is contained within your boot.img. Another way to fix the sepolicy is to use Magisk, but I have not tried using that. The changes required to the sepolicy for dnscrypt can be found in my first post.

NOTE: These zip packages do not support installing on A/B file systems

dnscrypt-proxy-arm64-20221231-1-signed.zip:
https://www.androidfilehost.com/?fid=4279422670115706958

dnscrypt-proxy-arm-20221231-1-signed.zip
https://www.androidfilehost.com/?fid=4279422670115706960

[syphyr]

This is a good reference for launching dnscrypt-proxy at boot:
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

[syphyr]

BTW, upon further investigation on running dnscrypt-proxy as a non-privileged user, I finally was able to get it working like this:
syphyr/dnscrypt_proxy_prebuilt@8e58401

[emanruse]

@syphyr Thank you.

If you look at https://github.com/uzen/dnscrypt-android , this repo will help create a zip file which can be installed from recovery.

I have looked. I have linked to that repo in my initial post and shared my experience with it. Regardless of that, could you please explain: - Why make a zip file? Why not push files using `adb`? What's the difference? - How do you "install from recovery"? What does this actually do and how does it work? So far, I have used the recovery mode only to install Replicant itself and hence I have always assumed that it is only for this purpose. So, could you elaborate? Won't that overwrite the OS itself with the contents of the zip file? - What must the structure of such zip file be? Any official documentation on the subject?

This repo uses init.d, but it requires a helper application (Afwall) to launch dnscrypt-proxy with root privileges. So, if you use this method, you will need to have root installed on your ROM and you will also need to install Afwall in order to start dnscrypt to get around the sepolicy that would normally prevent dnscrypt from starting up.

As per my initial post - I do have root. Re. Afwall - why should I need that? From what I understand Afwall is pretty much a convenient GUI for handling `iptables` rules. Considering I have root and can run `iptables` directly, why should I install other apps? I don' want to install anything except `dnscrypt-proxy`.

Here are some examples of what the dnscrypt-proxy installation zips look like. These packages contain dnscrypt binaries built from latest source code.

This website requires from me to run proprietary JavaSript. Could you please share the URLs of the actual zip files for direct downloading?

I have created some dnscrypt-proxy installation packages to be installed from the recovery, so you can take a look at the file structure. But in order for this to work, you would also need to update the selinux policy

I have zero experience with selinux administering. Some day I will educate myself on the subject more thoroughly. Or must I do it now? Or is the step required for `dnscrypt-proxy` simple enough to grasp it from an example?

and build your device's boot.img, or this will not work.

That is a big concern to me. Again, as explained in my initial post, I researched into that and the process of unpacking and repacking the boot.img **with no modification whatsoever** always results in a smaller image file. During my research, I have read stories about people uploading such "unmodified, just repacked" image back to their device resulting in a boot loop. I don't know if this will happen with my device. What is worse - I don't know how to restore the previous working state of the device if this happens. In short, I am cautious not to damage/brick the device or its OS. Your input on the subject will be much appreciated.

This is a good reference for launching dnscrypt-proxy at boot: https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

I have shared the same link in my initial post and shared my own result following the steps of the questioner. My result is different. Again - your clarifications are welcome.

BTW, upon further investigation on running dnscrypt-proxy as a non-privileged user, I finally was able to get it working like this:

That's good. I would be glad to try it if I know how. Looking forward to your clarifications!