From 51847f3fbf0b1f3cd997b26f170fc1a7f72bbd78 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sun, 17 Aug 2025 19:01:31 -0400
Subject: [PATCH] Fix dnscrypt-proxy not listening on VPN service IPs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem: dnscrypt-proxy on Ubuntu uses systemd socket activation by default, which overrides the configured listen_addresses in dnscrypt-proxy.toml. The socket only listens on 127.0.2.1:53, preventing VPN clients from resolving DNS queries through the configured service IPs. Solution: Disable and mask the dnscrypt-proxy.socket unit to allow dnscrypt-proxy to bind directly to the VPN service IPs specified in its configuration file. This fixes DNS resolution for VPN clients on Ubuntu 20.04+ systems. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
---
 roles/dns/tasks/ubuntu.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index c9c23400..072f8bb6 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -98,3 +98,13 @@
 notify:
 - daemon-reload
 - restart dnscrypt-proxy
+
+- name: Ubuntu | Disable dnscrypt-proxy socket activation
+ systemd:
+ name: dnscrypt-proxy.socket
+ state: stopped
+ enabled: false
+ masked: true
+ failed_when: false
+ notify:
+ - restart dnscrypt-proxy
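Review bot: `failed_when: false` on the new "Disable dnscrypt-proxy socket activation" task hides every failure of the systemd module, not only the case where the socket unit does not exist on the host. If stopping or masking dnscrypt-proxy.socket fails for another reason, the play still reports success while the socket presumably keeps 127.0.2.1:53, so VPN clients are left without the resolver the commit message describes and nothing in the run output shows it. Register the result and tolerate only the missing-unit case, for example `register: dnscrypt_socket` with `failed_when: dnscrypt_socket is failed and 'Could not find' not in (dnscrypt_socket.msg | default(''))`; confirm the exact message text against the Ansible version in use. A short comment above the task, such as `# Mask the socket unit so dnscrypt-proxy binds listen_addresses itself instead of inheriting the systemd socket`, would record why the unit is masked and not just disabled.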