ArchWiki: user contributions for Zormino (feed generated 2024-03-28T11:39:30Z, MediaWiki 1.41.0)

Dnscrypt-proxy, revision of 2014-09-06T19:01:02Z: https://wiki.archlinux.org/index.php?title=Dnscrypt-proxy&diff=334116
Edit summary (Zormino): said to add a before line to dnscrypt.service, changed to dnscrypt-proxy.service
<div>[[Category:Domain Name System]]
[[Category:Security]]
[http://dnscrypt.org/ DNSCrypt] is a piece of software that encrypts DNS traffic between the user and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks.

== Installation ==

Install {{Pkg|dnscrypt-proxy}} from the [[official repositories]].

== Configuration ==

{{Tip|To automatically configure DNSCrypt and choose a resolver, use {{AUR|dnscrypt-autoinstall}} from the [[AUR]].}}

By default ''dnscrypt-proxy'' is pre-configured in {{ic|/etc/conf.d/dnscrypt-proxy}} (read by {{ic|dnscrypt-proxy.service}}) to accept incoming requests on {{ic|127.0.0.1}} and forward them to an [https://opendns.com OpenDNS] resolver. See the [https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv list of public resolvers] for alternatives.

With this setup, it is necessary to alter your [[resolv.conf]] file and replace your current set of resolver addresses with localhost:
 nameserver 127.0.0.1

You might need to prevent other programs from overwriting it; see [[resolv.conf#Preserve DNS settings]] for details.

== Starting ==

Available as a [[systemd]] service: {{ic|dnscrypt-proxy.service}}

== Tips and tricks ==

=== DNSCrypt as a forwarder for local DNS cache ===

It is recommended to run DNSCrypt as a forwarder for a local DNS cache; otherwise every single query makes a round-trip to the upstream resolver. Any local DNS caching program should work; the examples below show configuration for [[Unbound]] and [[dnsmasq]].

==== Example: configuration for Unbound ====

Configure [[Unbound]] to your liking (remember to [[Unbound#Set /etc/resolv.conf to use the local DNS server|set /etc/resolv.conf to use the local DNS server]]) and add the following lines to the end of the {{ic|server}} section in {{ic|/etc/unbound/unbound.conf}}:
 do-not-query-localhost: no
 forward-zone:
     name: "."
     forward-addr: 127.0.0.1@40

{{Note|Port 40 is only an example. Unbound listens on port 53 by default, and the port DNSCrypt listens on must be different from it.}}

Start the [[systemd]] service {{ic|unbound.service}}. Then configure DNSCrypt to match Unbound's new {{ic|forward-zone}} IP and port in {{ic|/etc/conf.d/dnscrypt-proxy}}:
 DNSCRYPT_LOCALIP=127.0.0.1
 DNSCRYPT_LOCALPORT=40

{{Note|DNSCrypt needs to start before Unbound, so include {{ic|unbound.service}} on a {{ic|1=Before=}} line in the {{ic|[Unit]}} section of {{ic|dnscrypt-proxy.service}}.}}

Restart {{ic|dnscrypt-proxy.service}} and {{ic|unbound.service}} to apply the changes.

==== Example: configuration for dnsmasq ====

Configure dnsmasq as a [[dnsmasq#DNS Cache Setup|local DNS cache]]. The basic configuration to work with DNSCrypt:

{{hc|/etc/dnsmasq.conf|2=
no-resolv
server=127.0.0.2
listen-address=127.0.0.1
}}

If you configured DNSCrypt to use a resolver that performs DNSSEC validation, enable it in dnsmasq as well:

{{hc|/etc/dnsmasq.conf|2=
proxy-dnssec
}}

Configure DNSCrypt to listen on {{ic|127.0.0.2}}, where dnsmasq will be querying:

{{hc|/etc/conf.d/dnscrypt-proxy|2=
DNSCRYPT_LOCALIP=127.0.0.2
}}

Restart {{ic|dnscrypt-proxy.service}} and {{ic|dnsmasq.service}} to apply the changes.
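Both examples above rely on the same invariant: the cache's forward target must be exactly the socket dnscrypt-proxy binds, and that socket must not collide with the cache's own listener (the Unbound note's "these must be different"). The following checker is an added example, not part of this wiki page or of dnscrypt-proxy, Unbound or dnsmasq; it parses the three configuration fragments shown above and reports mismatches. It assumes port 53 wherever a configuration omits a port (including an unset {{ic|DNSCRYPT_LOCALPORT}}) and 127.0.0.1 as Unbound's default interface; the sample configurations are constructed inline and mirror the fragments on this page.

```python
"""Consistency check for a local DNS cache -> dnscrypt-proxy forwarding chain.

Added example (not the wiki's or any project's own code). It parses
/etc/conf.d/dnscrypt-proxy, the Unbound forward-zone and dnsmasq's
server=/listen-address= lines, then checks that the cache forwards to the
socket dnscrypt-proxy listens on and that the two daemons do not bind the
same ip:port. Defaults below are assumptions, not read from the daemons.
"""
import re

DEFAULT_DNS_PORT = 53  # assumption: port used when a config line omits one


def _split_host_port(spec, sep):
    """'ip<sep>port' -> (ip, port); a missing port means DEFAULT_DNS_PORT."""
    ip, _, port = spec.partition(sep)
    return ip, int(port) if port else DEFAULT_DNS_PORT


def parse_dnscrypt_conf(text):
    """Socket dnscrypt-proxy listens on, from KEY=VALUE lines."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, eq, value = line.partition("=")
        if eq:
            values[key.strip()] = value.strip().strip('"')
    return (values.get("DNSCRYPT_LOCALIP", "127.0.0.1"),
            int(values.get("DNSCRYPT_LOCALPORT", DEFAULT_DNS_PORT)))


def parse_unbound_conf(text):
    """(listen socket, forward targets) from unbound.conf; targets use ip@port."""
    iface = re.search(r"^\s*interface:\s*(\S+)", text, re.M)
    port = re.search(r"^\s*port:\s*(\d+)", text, re.M)
    listen = (iface.group(1) if iface else "127.0.0.1",  # assumed default
              int(port.group(1)) if port else DEFAULT_DNS_PORT)
    targets = [_split_host_port(m.group(1), "@")
               for m in re.finditer(r"^\s*forward-addr:\s*(\S+)", text, re.M)]
    return listen, targets


def parse_dnsmasq_conf(text):
    """(listen socket, forward targets) from dnsmasq.conf; targets use ip#port."""
    addr = re.search(r"^\s*listen-address=(\S+)", text, re.M)
    port = re.search(r"^\s*port=(\d+)", text, re.M)
    listen = (addr.group(1) if addr else "0.0.0.0",  # assumed default
              int(port.group(1)) if port else DEFAULT_DNS_PORT)
    targets = [_split_host_port(m.group(1), "#")
               for m in re.finditer(r"^\s*server=(\S+)", text, re.M)]
    return listen, targets


def check_chain(cache_listen, forwarders, proxy_listen):
    """Problems in the cache -> dnscrypt-proxy chain; an empty list is consistent."""
    problems = []
    if proxy_listen not in forwarders:
        problems.append("cache forwards to %s but dnscrypt-proxy listens on %s"
                        % (sorted(forwarders), proxy_listen))
    if proxy_listen == cache_listen:
        problems.append("dnscrypt-proxy and the cache both bind %s:%d" % proxy_listen)
    return problems


# Constructed samples mirroring the fragments on the page (not files on disk).
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
"""
DNSCRYPT_FOR_UNBOUND = "DNSCRYPT_LOCALIP=127.0.0.1\nDNSCRYPT_LOCALPORT=40\n"
DNSCRYPT_DEFAULT = "DNSCRYPT_LOCALIP=127.0.0.1\n"  # LOCALPORT left unset: port 53 assumed
DNSMASQ_CONF = "no-resolv\nserver=127.0.0.2\nlisten-address=127.0.0.1\n"
DNSCRYPT_FOR_DNSMASQ = "DNSCRYPT_LOCALIP=127.0.0.2\n"


def audit(cache_kind, cache_conf, proxy_conf):
    """Run the check for one cache ('unbound' or 'dnsmasq') and its proxy config."""
    parser = {"unbound": parse_unbound_conf, "dnsmasq": parse_dnsmasq_conf}[cache_kind]
    listen, targets = parser(cache_conf)
    return check_chain(listen, targets, parse_dnscrypt_conf(proxy_conf))


if __name__ == "__main__":
    for kind, cache, proxy in [("unbound", UNBOUND_CONF, DNSCRYPT_FOR_UNBOUND),
                               ("unbound", UNBOUND_CONF, DNSCRYPT_DEFAULT),
                               ("dnsmasq", DNSMASQ_CONF, DNSCRYPT_FOR_DNSMASQ)]:
        print(kind, audit(kind, cache, proxy) or "OK")
```

The second run reproduces the misconfiguration the Unbound note warns about: with {{ic|DNSCRYPT_LOCALPORT}} left unset, dnscrypt-proxy and Unbound would both try to bind 127.0.0.1:53, and Unbound's forward target 127.0.0.1@40 would have nothing listening behind it.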

=== Enable EDNS0 ===

EDNS0 ([[wikipedia:Extension_mechanisms_for_DNS|Extension Mechanisms for DNS]]), among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your {{ic|/etc/resolv.conf}}:
 options edns0

You may also wish to pass the following argument to ''dnscrypt-proxy'':
 --edns-payload-size=<bytes>

The default size is '''1252''' bytes; values up to '''4096''' bytes are reportedly safe. A value of '''512''' bytes or less disables this mechanism, unless a client sends a packet with an OPT section specifying a payload size.

==== Test EDNS0 ====

To test against the [https://www.dns-oarc.net/oarc/services/replysizetest DNS Reply Size Test Server], use the ''dig'' command line tool (available with {{Pkg|dnsutils}} from the [[official repositories]]) to issue a TXT query for the name ''rs.dns-oarc.net'':
 $ dig +short rs.dns-oarc.net txt

With '''EDNS0''' supported, the output should look similar to this:
 rst.x3827.rs.dns-oarc.net.
 rst.x4049.x3827.rs.dns-oarc.net.
 rst.x4055.x4049.x3827.rs.dns-oarc.net.
 "2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
 "2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"</div>