Dig into your DNS traffic via webstats
The directions below are for Debian 11 (Bullseye), but should work on most current Debian-based systems. These instructions don't use the Debian packages because they're intentionally limited to localhost lookups only.
To make all this possible you need to install dnscrypt-proxy. Grab the latest version from the project's GitHub releases page, extract it, and copy the main binary to /usr/bin/dnscrypt-proxy. The commands below fetch the linux_arm64 build of 2.0.46-beta3; substitute the archive that matches your architecture.
apt update
apt dist-upgrade
apt install wget
wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.46-beta3/dnscrypt-proxy-linux_arm64-2.0.46-beta3.tar.gz
tar xzvf dnscrypt-proxy-linux_arm64-2.0.46-beta3.tar.gz
cd linux-arm64
cp -a dnscrypt-proxy /usr/bin/
mkdir /etc/dnscrypt-proxy
cd /etc/dnscrypt-proxy
/usr/bin/dnscrypt-proxy -service install
useradd dnscrypt
You also need to tell dnscrypt-proxy to log queries. If you are running this publicly, you will need to filter out source IPs and other non-useful things.
Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml:
server_names = ['cloudflare']
listen_addresses = ['[::]:53']
max_clients = 250
user_name = 'dnscrypt'
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
force_tcp = false
timeout = 5000
keepalive = 30
cert_refresh_delay = 240
bootstrap_resolvers = ['1.1.1.1:53', '1.0.0.1:53']
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '1.1.1.1:53'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = false
block_unqualified = true
block_undelegated = true
reject_ttl = 600
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[query_log]
file = '/var/run/query.log.pipe'
format = 'ltsv'
[sources]
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
refresh_delay = 72
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''
## Anonymized DNS relays
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
refresh_delay = 72
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''
## ODoH (Oblivious DoH) servers and relays
# [sources.'odoh']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh.md']
# cache_file = 'odoh.md'
# refresh_delay = 24
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# prefix = ''
[anonymized_dns]
skip_incompatible = true
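The [query_log] section above writes one LTSV record per query, and the advice about filtering source IPs applies to those records before they reach the database. The following is an added example, not code from this repository: it parses a record and either truncates or pseudonymizes the client address. It assumes the client address is in the `host` label; the sample lines and the function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress

# Assumption: the client address is carried in the "host" label.
CLIENT_FIELD = "host"

# Constructed sample records (not real traffic): tab-separated label:value pairs.
SAMPLE = [
    "time:1700000000\thost:192.168.1.57\tmessage:example.com\ttype:A\treturn:PASS\n",
    "time:1700000003\thost:2001:db8:abcd:12::5\tmessage:example.org\ttype:AAAA\treturn:PASS\n",
]

def parse_ltsv(line):
    """Turn one LTSV record into a dict. Split on the first ':' only,
    so IPv6 addresses in the value are not cut apart."""
    record = {}
    for field in line.rstrip("\r\n").split("\t"):
        if not field:
            continue
        label, sep, value = field.partition(":")
        if not sep or not label:
            raise ValueError(f"malformed LTSV field: {field!r}")
        record[label] = value
    return record

def truncate_ip(text):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def pseudonymize(text, key):
    """Keyed token: the same client maps to the same token, but the
    address cannot be recovered or brute-forced without the key."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()[:16]

def scrub(line, key=None):
    """Parse a record and replace the client address before storage."""
    record = parse_ltsv(line)
    client = record.get(CLIENT_FIELD)
    if client is not None:
        try:
            record[CLIENT_FIELD] = pseudonymize(client, key) if key else truncate_ip(client)
        except ValueError:
            record[CLIENT_FIELD] = "invalid"  # never store an unparsed value
    return record

if __name__ == "__main__":
    for raw in SAMPLE:
        print(scrub(raw))
```

Truncation still allows per-subnet statistics; the keyed token allows per-client statistics as long as the key is stored outside the database.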
Edit /etc/systemd/system/import-ltsv.service
[Unit]
Description=DNSCrypt-proxy to mysql logging software
Documentation=https://github.com/evilbunny2008/dnscrypt-proxy-stats/blob/main/README.md
Before=dnscrypt-proxy.service
After=network.target mariadb.service
[Service]
Type=simple
ExecStart=/var/www/html/import-ltsv.php
Restart=always
[Install]
WantedBy=multi-user.target
You now need to install a web server and mariadb-server; phpmyadmin is also helpful:
apt install lighttpd mariadb-server phpmyadmin git php-cli php-cgi
# If phpmyadmin fails to install cleanly run dpkg --configure -a
Now clone this repo onto your system. The commands below assume a single-use system without any useful data on it, because they delete /var/www/html:
mkdir -p /var/www
cd /var/www
rm -rf html
git clone https://github.com/evilbunny2008/dnscrypt-proxy-stats.git html
cd html
cp -a mysql-example.php mysql.php
Next, create a database and import the schema. Replace 'password' with a strong password of your own:
mysql
CREATE DATABASE dnsstats;
CREATE USER 'dnsstats'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dnsstats.* TO 'dnsstats'@'localhost';
FLUSH PRIVILEGES;
EXIT;
mysql dnsstats < schema.sql
Next, edit mysql.php and replace the placeholder details with the actual MariaDB account details.
One footnote: when dealing with virtual machines you may need to manually reconfigure the timezone:
dpkg-reconfigure tzdata
Finally, reload systemd's unit files, stop and disable systemd-resolved, then enable and start the services:
systemctl daemon-reload
systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service
systemctl enable import-ltsv.service
systemctl start import-ltsv.service
systemctl restart dnscrypt-proxy.service
The next thing needed is to set your shiny new dnscrypt-proxy system as the default DNS server in your DHCP server, but due to the number of routers out there that is beyond the scope of this project. The configuration above listens on every interface ('[::]:53'), so you might also want to firewall your instance of dnscrypt-proxy to prevent the world from using your system as a recursive resolver, but again this is beyond the scope of this document. I've set mine up inside my network behind NAT and port 53 isn't forwarded.