DNSCrypt packaged

If anyone is looking to use dnscrypt in Qubes, I have salted a solution
here
The salt should be simple to understand, but I can help if it is not.

I’ve also packaged this here, and
you can either grab the package to install it, or use the `qubes-task`
tool to install it automatically. Both are documented on that page.

The package creates a new template, and a sys-dnscrypt qube, running
dnscrypt-proxy. You can either use this in place of sys-firewall,
or run it with netvm sys-net, and have selected qubes using dnscrypt.
The installation follows the canonical instructions except that the
proxy is not installed as a system service, and must be manually
started. (I’m open to changing this, but it works for me as is.)

I’m also toying with changing the pihole package to include
dnscrypt-proxy, but I don't see demand for that just now.

1 Like

Thanks for sharing.

I have been working on a new dnscrypt guide (bash, not salt) some months ago but paused it for some time due to other work.

BTW, have you tested this:

```
flush chain qubes dnat-dns
```

It will result in an error unless dnat-dns chain exists, which is why I use this in my scripts:

```
add    chain ip qubes custom-dnat-dns
delete chain ip qubes custom-dnat-dns
```

and then create the chain.

Could you also explain why this is necessary:

```
#!/bin/sh
find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
```

I have been reading some related security concerns.

1 Like
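
For the `route_localnet` question above, an added example that is not part of either post: setting `route_localnet` to 1 makes the kernel stop treating 127.0.0.0/8 as martian on that interface, which a DNAT redirect to a listener on 127.0.0.1 depends on, so this script reports where the setting is enabled for review. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show where route_localnet is enabled.

# route_localnet_report [conf_root]
# Prints "<name> <value>" for the `all` entry and every vif* interface.
# `all` is included because the kernel combines it with the per-interface value.
route_localnet_report() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/all "$root"/vif*; do
        f="$dir/route_localnet"
        [ -r "$f" ] || continue          # also skips an unmatched vif* glob
        printf '%s %s\n' "${dir##*/}" "$(cat "$f")"
    done
}

# route_localnet_enabled [conf_root]
# Prints the names whose value is 1. Exit status 0 if any, 1 if none.
route_localnet_enabled() {
    route_localnet_report "$1" |
        awk '$2 == 1 { print $1; n++ } END { exit (n > 0) ? 0 : 1 }'
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for entry in all:0 eth0:0 vif3.0:1 vif7.0:0; do
        mkdir -p "$t/${entry%%:*}"
        echo "${entry##*:}" > "$t/${entry%%:*}/route_localnet"
    done
    echo "$t"
}

# Demonstration on the constructed tree; call the functions with no
# argument inside the qube to read the live /proc values instead.
sample=$(make_sample_tree)
echo "== constructed sample =="
route_localnet_report "$sample"
echo "enabled: $(route_localnet_enabled "$sample")"
rm -rf "$sample"
```

Any interface listed as enabled should be matched against the firewall rules that limit which loopback ports are reachable from it.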