Setup

An init script and configuration file have been provided to run
dnscrypt-wrapper as a daemon. To configure dnscrypt-wrapper, edit
/etc/default/dnscrypt-wrapper with the desired settings. By default
dnscrypt-wrapper will run on 0.0.0.0 (all interfaces), port 53, forwarding DNS
queries to 8.8.8.8:53 (Google's DNS server).

The configuration file is setup to use a dnscrypt user by default, and to
chroot into that user's home directory to maximize security. In order to use
the default configuration you should create a dnscrypt user and group with the
following commands:

    groupadd -g 293 dnscrypt
    useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user you should edit the CHROOTDIR and USER
options in /etc/default/dnscrypt-wrapper (there are example settings provided
for the user 'nobody').

dnscrypt-wrapper requires both provider and cryptographic public and secret
keys, and a provider certificate. These can all be generated manually (see
/usr/doc/dnscrypt-wrapper-@VERSION@/README.md ), or they can be generated
automatically by configuring /etc/default/dnscrypt-wrapper and running

    /etc/rc.d/rc.dnscrypt-wrapper generate-keys
    /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys
    /etc/rc.d/rc.dnscrypt-wrapper generate-cert

You will need to note the provider key fingerprint(s) and/or stamp(s) when
running that command, since clients will need them for
identification/verification. Automatically generated keys have a 24-hour expiry
period by default. Unless you change this to something longer in
/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation
mechanism to automatically update the encryption key and certificate. This can
be done by running

    /etc/rc.d/rc.dnscrypt-wrapper rotate-keys

This command backs up the old key/cert, creates a new key/cert, and restarts a
running server to support both old and new key/cert. Since clients typically
fetch new certificates hourly, support for the old key/cert should be removed
an hour after the keys are rotated by restarting the server:

    /etc/rc.d/rc.dnscrypt-wrapper restart

Typically one cron job, run daily, would rotate the keys, and another, run an
hour later, would restart the server.

In order for clients to forward queries through dnscrypt-wrapper, they will
need to run dnscrypt-proxy configured to connect to the server running
dnscrypt-wrapper.

To start dnscrypt-wrapper automatically at system start, add the following to
/etc/rc.d/rc.local:

    if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
        /etc/rc.d/rc.dnscrypt-wrapper start
    fi

To properly stop dnscrypt-wrapper on system shutdown, add the following to
/etc/rc.d/rc.local_shutdown:

    if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
        /etc/rc.d/rc.dnscrypt-wrapper stop
    fi