DNSCrypt
Revision as of 21:30, 17 February 2014


DNSCrypt is a piece of software that encrypts and authenticates DNS traffic between the user and a DNSCrypt-enabled resolver, preventing spying, spoofing or man-in-the-middle attacks on that hop. Note that the resolver itself still sees the queries in clear, so the protection covers the path to the resolver, not the resolver's own logging.

Installation

dnscrypt-proxy is available in the official repositories.

Configuration

By default dnscrypt-proxy is pre-configured in /etc/conf.d/dnscrypt-proxy to accept incoming requests on 127.0.0.1 and forward them, encrypted, to an OpenDNS resolver:

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
DNSCRYPT_RESOLVERIP=208.67.220.220
DNSCRYPT_RESOLVERPORT=443

The above file is read by /usr/lib/systemd/system/dnscrypt-proxy.service:

[Unit]
Description=A tool for securing communications between a client and a DNS resolver.
After=network.target
# Only needed if you use pdnsd; other caching DNS servers can go here. Can be left out entirely.
#Before=pdnsd.service

[Service]
EnvironmentFile=/etc/conf.d/dnscrypt-proxy
ExecStart=/usr/bin/dnscrypt-proxy \
    --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
    --resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
    --provider-name=${DNSCRYPT_PROVIDER_NAME} \
    --provider-key=${DNSCRYPT_PROVIDER_KEY} \
    --user=${DNSCRYPT_USER}
Restart=on-abort

[Install]
WantedBy=multi-user.target

With this setup, it will be necessary to alter your /etc/resolv.conf file and replace your current set of resolver addresses with the single entry below. Any other nameserver line left in the file gives the libc stub resolver a plaintext fallback that bypasses the proxy:

nameserver 127.0.0.1

You may also wish to write-protect /etc/resolv.conf by setting the immutable attribute, so that DHCP clients or network managers cannot overwrite it with the resolvers they learn from the network:

# chattr +i /etc/resolv.conf
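The following is an added example and not code from ArchWiki or the dnscrypt-proxy project. It checks a /etc/conf.d/dnscrypt-proxy style file for the properties the setup above relies on (loopback listen address, well-formed provider key, unprivileged user), renders the command line the unit's ExecStart expands to, and verifies that a resolv.conf has no nameserver other than 127.0.0.1. Both files are passed as text, using constructed samples, so it runs without touching the real system; the key format check (16 colon-separated groups of four hex digits) is taken from the key shown in the default configuration.

```shell
#!/bin/sh
# Added example, not ArchWiki or dnscrypt-proxy code. Validates a
# dnscrypt-proxy environment file and a resolv.conf, both given as text.

# Constructed sample: the default configuration shown on the page.
SAMPLE_CONF='DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
DNSCRYPT_RESOLVERIP=208.67.220.220
DNSCRYPT_RESOLVERPORT=443'

# Constructed resolv.conf samples: one correct, one with a plaintext fallback.
SAMPLE_RESOLV_OK='nameserver 127.0.0.1'
SAMPLE_RESOLV_LEAK='nameserver 127.0.0.1
nameserver 8.8.8.8'

# conf_get CONF_TEXT KEY: print the value of the first KEY=VALUE line.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_provider_key KEY: the provider key is the resolver's public key,
# 32 bytes written as 16 colon-separated groups of four hex digits.
# A malformed key means the proxy cannot verify the resolver.
check_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# check_local_ip IP: only a loopback address keeps the unencrypted side
# of the proxy off the network.
check_local_ip() {
    case "$1" in
        127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_resolv_conf RESOLV_TEXT: every nameserver line must be 127.0.0.1;
# any other resolver lets the stub resolver send plaintext DNS.
check_resolv_conf() {
    bad=$(printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 != "127.0.0.1"')
    [ -z "$bad" ]
}

# render_cmdline CONF_TEXT: validate the file and print the command line
# the systemd unit builds from it; return 1 with a message on a bad setting.
render_cmdline() {
    conf="$1"
    localip=$(conf_get "$conf" DNSCRYPT_LOCALIP)
    localport=$(conf_get "$conf" DNSCRYPT_LOCALPORT)
    user=$(conf_get "$conf" DNSCRYPT_USER)
    pname=$(conf_get "$conf" DNSCRYPT_PROVIDER_NAME)
    pkey=$(conf_get "$conf" DNSCRYPT_PROVIDER_KEY)
    rip=$(conf_get "$conf" DNSCRYPT_RESOLVERIP)
    rport=$(conf_get "$conf" DNSCRYPT_RESOLVERPORT)

    check_local_ip "$localip" || { echo "DNSCRYPT_LOCALIP is not loopback: $localip" >&2; return 1; }
    check_provider_key "$pkey" || { echo "DNSCRYPT_PROVIDER_KEY is malformed" >&2; return 1; }
    [ -n "$user" ] && [ "$user" != root ] || { echo "DNSCRYPT_USER must be an unprivileged user" >&2; return 1; }

    printf '/usr/bin/dnscrypt-proxy --local-address=%s:%s --resolver-address=%s:%s --provider-name=%s --provider-key=%s --user=%s\n' \
        "$localip" "$localport" "$rip" "$rport" "$pname" "$pkey" "$user"
}

# Stand-alone run against the constructed samples.
render_cmdline "$SAMPLE_CONF"
check_resolv_conf "$SAMPLE_RESOLV_OK" && echo "resolv.conf ok"
check_resolv_conf "$SAMPLE_RESOLV_LEAK" || echo "resolv.conf leaks queries to a non-local resolver"
```

To check the live system instead of the samples, pass the file contents, e.g. render_cmdline "$(cat /etc/conf.d/dnscrypt-proxy)" and check_resolv_conf "$(cat /etc/resolv.conf)".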

Starting

Activated as a systemd .service:

# systemctl start dnscrypt-proxy.service
# systemctl enable dnscrypt-proxy.service

Tips and tricks

Enable EDNS0

Add the following line to your /etc/resolv.conf:

options edns0

This enables Extension Mechanisms for DNS (EDNS0) in the libc stub resolver, which, among other things, lets the client advertise how large a reply it can accept over UDP; without it responses are limited to 512 bytes and larger ones (such as DNSSEC-signed answers) are truncated and retried over TCP.

See also