Difference between revisions of "Dnscrypt-proxy"

From ArchWiki
(Modify resolv.conf: follow the resolv.conf instructions from upstream)
(port 5353 is used by mDNS, use 53000 instead)
(2 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
[[pt:DNSCrypt]]
 
[[pt:DNSCrypt]]
 
[[zh-hans:DNSCrypt]]
 
[[zh-hans:DNSCrypt]]
 
 
[http://dnscrypt.info/ DNSCrypt] encrypts and authenticates DNS traffic between user and DNS resolver. While IP traffic itself is unchanged, it prevents local spoofing of DNS queries, ensuring DNS responses are sent by the server of choice. [https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/ckuhcbu]
 
[http://dnscrypt.info/ DNSCrypt] encrypts and authenticates DNS traffic between user and DNS resolver. While IP traffic itself is unchanged, it prevents local spoofing of DNS queries, ensuring DNS responses are sent by the server of choice. [https://www.reddit.com/r/sysadmin/comments/2hn435/dnssec_vs_dnscrypt/ckuhcbu]
  
Line 41: Line 40:
 
=== Modify resolv.conf ===
 
=== Modify resolv.conf ===
  
Modify the [[resolv.conf]] file and replace the current set of resolver addresses with address for ''localhost'' [https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux#step-4-change-the-system-dns-settings]:
+
Modify the [[resolv.conf]] file and replace the current set of resolver addresses with the address for ''localhost'' and options [https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux#step-4-change-the-system-dns-settings]:
  
 
  nameserver 127.0.0.1
 
  nameserver 127.0.0.1
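Review bot: the rewritten sentence now promises "the address for localhost and options", but the only example line shown in this hunk is `nameserver 127.0.0.1`; make sure the `options` line the sentence refers to is actually present in the example block that follows, otherwise the prose describes a line the example does not show.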
Line 64: Line 63:
 
{{Note|Changing the IP address or port in {{ic|/etc/dnscrypt-proxy.conf}} [https://web.archive.org/web/20171215112100/https://github.com/jedisct1/dnscrypt-proxy/issues/528 does not work] when using the provided systemd unit and must be changed in the provided systemd socket as follows.}}
 
{{Note|Changing the IP address or port in {{ic|/etc/dnscrypt-proxy.conf}} [https://web.archive.org/web/20171215112100/https://github.com/jedisct1/dnscrypt-proxy/issues/528 does not work] when using the provided systemd unit and must be changed in the provided systemd socket as follows.}}
  
In order to forward to a local DNS cache, ''dnscrypt-proxy'' should listen on a port different from the default {{ic|53}}, since the DNS cache itself needs to listen on {{ic|53}} and query ''dnscrypt-proxy'' on a different port. Port number {{ic|5353}} is used as an example in this section.  In this example, the port number is larger than 1024 so ''dnscrypt-proxy'' is not required to be run by root. [[Edit]] {{ic|dnscrypt-proxy.socket}} with the following contents:
+
In order to forward to a local DNS cache, ''dnscrypt-proxy'' should listen on a port different from the default {{ic|53}}, since the DNS cache itself needs to listen on {{ic|53}} and query ''dnscrypt-proxy'' on a different port. Port number {{ic|53000}} is used as an example in this section.  In this example, the port number is larger than 1024 so ''dnscrypt-proxy'' is not required to be run by root. [[Edit]] {{ic|dnscrypt-proxy.socket}} with the following contents:
  
 
  [Socket]
 
  [Socket]
 
  ListenStream=
 
  ListenStream=
 
  ListenDatagram=
 
  ListenDatagram=
  ListenStream=127.0.0.1:5353
+
  ListenStream=127.0.0.1:53000
  ListenDatagram=127.0.0.1:5353
+
  ListenDatagram=127.0.0.1:53000
 
 
{{Note|UDP Port {{ic|5353}} is used by [[Avahi#Firewall|Avahi]] (if installed and running) and can cause warnings in the journal and [[Avahi]]'s mDNS unreliable.}}
 
  
 
==== Example local DNS cache configurations====
 
==== Example local DNS cache configurations====
  
The following configurations should work with ''dnscrypt-proxy'' and assume that it is listening on port {{ic|5353}}.
+
The following configurations should work with ''dnscrypt-proxy'' and assume that it is listening on port {{ic|53000}}.
  
 
===== Unbound =====
 
===== Unbound =====
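Review bot: dropping the Avahi/mDNS note is the right consequence of moving the example off 5353, but the replacement port 53000 lies inside the Linux default ephemeral range (net.ipv4.ip_local_port_range, 32768 to 60999), so an outgoing connection may already hold it when dnscrypt-proxy.socket tries to bind; either mention reserving it via net.ipv4.ip_local_reserved_ports or pick an example port outside that range.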
Line 85: Line 82:
 
  forward-zone:
 
  forward-zone:
 
   name: "."
 
   name: "."
   forward-addr: 127.0.0.1@5353
+
   forward-addr: 127.0.0.1@53000
  
 
{{Tip|If you are setting up a server, add {{ic|interface: 0.0.0.0@53}} and {{ic|access-control: ''your-network''/''subnet-mask'' allow}} inside the {{ic|server:}} section so that the other computers can connect to the server. A client must be configured with {{ic|nameserver ''address-of-your-server''}} in {{ic|/etc/resolv.conf}}.}}
 
{{Tip|If you are setting up a server, add {{ic|interface: 0.0.0.0@53}} and {{ic|access-control: ''your-network''/''subnet-mask'' allow}} inside the {{ic|server:}} section so that the other computers can connect to the server. A client must be configured with {{ic|nameserver ''address-of-your-server''}} in {{ic|/etc/resolv.conf}}.}}
Line 97: Line 94:
 
{{hc|/etc/dnsmasq.conf|2=
 
{{hc|/etc/dnsmasq.conf|2=
 
no-resolv
 
no-resolv
server=127.0.0.1#5353
+
server=127.0.0.1#53000
 
listen-address=127.0.0.1
 
listen-address=127.0.0.1
 
}}
 
}}
Line 131: Line 128:
 
     label = "dnscrypt-proxy";
 
     label = "dnscrypt-proxy";
 
     ip = 127.0.0.1;
 
     ip = 127.0.0.1;
     port = 5353;
+
     port = 53000
 
     timeout = 4;
 
     timeout = 4;
 
     proxy_only = on;
 
     proxy_only = on;
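Review bot: `port = 53000` drops the trailing semicolon that the replaced line `port = 5353;` carried; pdnsd terminates every option with `;` (the neighbouring `ip = 127.0.0.1;` and `timeout = 4;` lines keep it), so this hunk as written makes /etc/pdnsd.conf fail to parse. Suggested: `port = 53000;`.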
Line 192: Line 189:
 
=== Redundant DNSCrypt providers ===
 
=== Redundant DNSCrypt providers ===
  
To use several different dnscrypt providers, you may simply copy the original {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}. Then in your new copy of the service change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. From there change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to new service's port. For example, with [[unbound]] the configuration file would look like if using ports {{ic|5353}} for the original socket and {{ic|5354}} for the new socket.
+
To use several different dnscrypt providers, you may simply copy the original {{ic|dnscrypt-proxy.service}} and {{ic|dnscrypt-proxy.socket}}. Then in your new copy of the service change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. From there change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to new service's port. For example, with [[unbound]] the configuration file would look like if using ports {{ic|53000}} for the original socket and {{ic|53001}} for the new socket.
  
 
{{hc|/etc/unbound/unbound.conf|
 
{{hc|/etc/unbound/unbound.conf|
Line 198: Line 195:
 
  forward-zone:
 
  forward-zone:
 
   name: "."
 
   name: "."
   forward-addr: 127.0.0.1@5353
+
   forward-addr: 127.0.0.1@53000
   forward-addr: 127.0.0.1@5354}}
+
   forward-addr: 127.0.0.1@53001
 +
}}
  
 
==== Create instanced systemd service ====
 
==== Create instanced systemd service ====
Line 225: Line 223:
 
===== Add dnscrypt-sockets =====
 
===== Add dnscrypt-sockets =====
  
To create multiple dnscrypt-proxy sockets, copy {{ic|/usr/lib/systemd/system/dnscrypt-proxy.socket}} to a new file, {{ic|/etc/systemd/system/dnscrypt-proxy@''short-name.here''.socket}}, replacing the socket instance name with one of the short names listed in [[#Select_resolver|{{ic|dnscrypt-resolvers.csv}}]] and  [[#Change_port|change the port]].  Use a different port for each instance (5353, 5354, and so forth).
+
To create multiple dnscrypt-proxy sockets, copy {{ic|/usr/lib/systemd/system/dnscrypt-proxy.socket}} to a new file, {{ic|/etc/systemd/system/dnscrypt-proxy@''short-name.here''.socket}}, replacing the socket instance name with one of the short names listed in [[#Select_resolver|{{ic|dnscrypt-resolvers.csv}}]] and  [[#Change_port|change the port]].  Use a different port for each instance (53000, 53001, and so forth).
  
 
===== Apply new systemd configuration =====
 
===== Apply new systemd configuration =====

Revision as of 14:59, 16 May 2018

DNSCrypt encrypts and authenticates DNS traffic between user and DNS resolver. While IP traffic itself is unchanged, it prevents local spoofing of DNS queries, ensuring DNS responses are sent by the server of choice. [1]

Installation

Install the dnscrypt-proxy package.

Configuration

Note: Systemd overrides the listen_addresses option with a socket file.

To configure dnscrypt-proxy, perform the following steps:

Select resolver

Note: By leaving server_names commented out in the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml, dnscrypt-proxy will choose the fastest server from the sources already configured under [sources] [2]. The lists will be downloaded, verified, and automatically updated [3]. Thus, configuring a specific set of servers is optional.

Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and uncomment the server_names variable, selecting one or more of the servers. For example, to use Cloudflare's servers:

server_names = ['cloudflare', 'cloudflare-ipv6']
Tip:
  • You can find the full list of resolvers on the upstream page, Github, or /var/cache/dnscrypt-proxy/public-resolvers.md.
  • Users should look at the description for servers on the public resolvers list and take note of which validate DNSSEC, do not log, and are uncensored. These requirements can be configured globally with the require_dnssec, require_nolog, require_nofilter options.

Disable any services bound to port 53

Tip: If using #Unbound as your local DNS cache this section can be ignored, as unbound runs on port 53 by default.

To see if any programs are using port 53, run

 $ ss -lp 'sport = :domain'

If the output contains more than the first line of column names, you need to disable whatever service is using port 53. One common culprit is systemd-resolved.service, but other network managers may have analogous components. You are ready to proceed once the above command outputs nothing more than the following line:

 Netid               State                 Recv-Q                Send-Q                                 Local Address:Port                                   Peer Address:Port

Modify resolv.conf

Modify the resolv.conf file and replace the current set of resolver addresses with the address for localhost and options [4]:

nameserver 127.0.0.1
options edns0 single-request-reopen

Other programs may overwrite this setting; see resolv.conf#Preserve DNS settings for details.

Start systemd service

Finally, start and enable the dnscrypt-proxy.service.

Tips and tricks

Local DNS cache configuration

Note: dnscrypt can cache entries without relying on another program. This feature is enabled by default with the line cache = true in your dnscrypt configuration file.

It is recommended to run DNSCrypt as a forwarder for a local DNS cache if not using dnscrypt's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must set up your local DNS cache program.

Change port

Note: Changing the IP address or port in /etc/dnscrypt-proxy.conf does not work when using the provided systemd unit and must be changed in the provided systemd socket as follows.

In order to forward to a local DNS cache, dnscrypt-proxy should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 53000 is used as an example in this section. In this example, the port number is larger than 1024 so dnscrypt-proxy is not required to be run by root. Edit dnscrypt-proxy.socket with the following contents:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:53000
ListenDatagram=127.0.0.1:53000
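The two checks above (nothing else owning port 53, and the socket unit rebound to the chosen loopback port) are easy to get subtly wrong, so here is a small pre-flight checker. It is an added example, not code from the ArchWiki page or from dnscrypt-proxy; the `ss` output and unit texts it contains are constructed samples, and the ephemeral port range it warns about is the unmodified Linux default of `net.ipv4.ip_local_port_range` (an assumption: check your sysctl). Note that 53000 works as the page says but falls inside that default range, so the checker flags it.

```python
"""Pre-flight checks for a dnscrypt-proxy behind a local DNS cache."""

MDNS_PORT = 5353                   # Avahi's mDNS port, the conflict the page moved away from
EPHEMERAL_RANGE = (32768, 60999)   # assumed kernel default of net.ipv4.ip_local_port_range


def port53_listeners(ss_output):
    """Lines of `ss -lp 'sport = :domain'` output other than the column header.

    An empty list means port 53 is free for the local cache to take."""
    lines = [line for line in ss_output.splitlines() if line.strip()]
    return lines[1:]


def port_warnings(port):
    """Reasons a dnscrypt-proxy listen port may be a poor choice (empty list = fine)."""
    warnings = []
    if port < 1024:
        warnings.append("privileged port: binding it needs root or CAP_NET_BIND_SERVICE")
    if port == MDNS_PORT:
        warnings.append("5353 is the mDNS port used by Avahi")
    if EPHEMERAL_RANGE[0] <= port <= EPHEMERAL_RANGE[1]:
        warnings.append("inside the default ephemeral range; an outgoing connection may "
                        "take it first, so reserve it via net.ipv4.ip_local_reserved_ports")
    return warnings


def check_socket_unit(unit_text, expected="127.0.0.1:53000"):
    """Structural problems in the [Socket] section of dnscrypt-proxy.socket.

    systemd treats a repeated Listen* directive as an additional socket and an
    empty assignment as a reset, so each directive must be cleared before the
    new address is set, exactly as the page's example does."""
    seen = {"ListenStream": [], "ListenDatagram": []}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in seen:
            seen[key].append(value)
    problems = []
    for key, values in seen.items():
        if not values or values[0] != "":
            problems.append(f"{key} is not reset with an empty assignment first")
        if not values or values[-1] != expected:
            problems.append(f"{key} does not end up bound to {expected}")
    return problems


# Constructed samples (not captured from a real system).
SS_CLEAN = "Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
SS_BUSY = SS_CLEAN + ('udp   UNCONN 0      0      127.0.0.53%lo:domain 0.0.0.0:* '
                      'users:(("systemd-resolve",pid=431,fd=12))\n')
GOOD_UNIT = """[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:53000
ListenDatagram=127.0.0.1:53000
"""
BAD_UNIT = """[Socket]
ListenStream=127.0.0.1:53000
ListenDatagram=127.0.0.1:53000
"""

if __name__ == "__main__":
    for label, sample in (("clean", SS_CLEAN), ("busy", SS_BUSY)):
        print(f"port 53 ({label}):", port53_listeners(sample) or "free")
    print("good unit:", check_socket_unit(GOOD_UNIT) or "ok")
    print("bad unit:", check_socket_unit(BAD_UNIT))
    print("port 53000:", port_warnings(53000))
```

On a live system, feed the real output in with `ss -lp 'sport = :domain' | python3 check.py` style plumbing or read `/etc/systemd/system/dnscrypt-proxy.socket` and pass its text to `check_socket_unit`; the functions take text so they can be run against captured output as well.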

Example local DNS cache configurations

The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000.

Unbound

Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53000
Tip: If you are setting up a server, add interface: 0.0.0.0@53 and access-control: your-network/subnet-mask allow inside the server: section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server in /etc/resolv.conf.

Restart unbound.service to apply the changes.

dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with DNSCrypt:

/etc/dnsmasq.conf
no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1

If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:

/etc/dnsmasq.conf
proxy-dnssec

Restart dnsmasq.service to apply the changes.

pdnsd

Install pdnsd. A basic configuration to work with DNSCrypt is:

/etc/pdnsd.conf
global {
    perm_cache = 1024;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    query_method = udp_tcp;
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label = "dnscrypt-proxy";
    ip = 127.0.0.1;
    port = 53000;
    timeout = 4;
    proxy_only = on;
}

source {
    owner = localhost;
    file = "/etc/hosts";
}

Restart pdnsd.service to apply the changes.

Sandboxing

Edit dnscrypt-proxy.service to include the following lines:

[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io

See systemd.exec(5) and Systemd#Sandboxing application environments for more information. Additionally see upstream comments[dead link 2018-01-08].

Enable EDNS0

EDNS0 (Extension Mechanisms for DNS) is a DNS extension that, among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your /etc/resolv.conf:

options edns0

You may also wish to append the following to /etc/dnscrypt-proxy.conf:

EDNSPayloadSize <bytes>

Where <bytes> is a number, the default size being 1252, with values up to 4096 bytes being purportedly safe. A value below or equal to 512 bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Test EDNS0

To make use of the DNS Reply Size Test Server, use the drill command line tool to issue a TXT query for the name rs.dns-oarc.net:

$ drill rs.dns-oarc.net TXT

With EDNS0 supported, the "answer section" of the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"
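To make the EDNS0 mechanism concrete, the following script builds the same kind of TXT query drill sends, but with the OPT pseudo-record written by hand, and parses a response to recover both the TXT strings and the payload size the other side advertised. It is an added example, not code from the ArchWiki page or from dnscrypt-proxy/drill; the embedded response is a constructed sample (documentation address 192.0.2.10, not a real rs.dns-oarc.net answer), and `query_udp` is an optional online helper that talks to whatever resolver address you pass it.

```python
"""Build an EDNS0 DNS query and parse the reply (RFC 1035 wire format, RFC 6891 OPT)."""
import random
import socket
import struct

TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name):
    """Uncompressed wire form of a domain name: length-prefixed labels, root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_TXT, udp_payload=4096, txid=None):
    """DNS query with one OPT pseudo-RR advertising `udp_payload` bytes.

    OPT layout: root name (0x00), TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE / version / flags (all zero here), RDLEN 0."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # the pointer ends the name in the stream
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (txt_strings, advertised_udp_payload_or_None) from a DNS message."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    txts, payload = [], None
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                          # one or more <len><chars> strings
            p = 0
            while p < len(rdata):
                n = rdata[p]
                txts.append(rdata[p + 1:p + 1 + n].decode())
                p += 1 + n
        elif rtype == TYPE_OPT:                        # CLASS field carries the payload size
            payload = rclass
    return txts, payload


def query_udp(server, name="rs.dns-oarc.net", udp_payload=4096, timeout=3.0):
    """Online helper: send the query to `server`:53 over UDP and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_payload=udp_payload), (server, 53))
        return parse_response(s.recv(udp_payload))


# Constructed sample reply: answer name is a compression pointer (0xC00C) to the question.
SAMPLE_STRINGS = ["192.0.2.10 DNS reply size limit is at least 4055 bytes",
                  "192.0.2.10 sent EDNS buffer size 4096"]
_rdata = b"".join(bytes([len(s)]) + s.encode() for s in SAMPLE_STRINGS)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                   + encode_name("rs.dns-oarc.net") + struct.pack("!HH", TYPE_TXT, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(_rdata)) + _rdata
                   + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0))

if __name__ == "__main__":
    print(build_query("rs.dns-oarc.net", txid=1).hex())
    print(parse_response(SAMPLE_RESPONSE))
```

To test a live setup, call `query_udp("127.0.0.1")` so the query goes through the local cache and dnscrypt-proxy; if the reply's advertised payload comes back as `None`, the path stripped or never added the OPT record and EDNS0 is not in effect end to end.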

Redundant DNSCrypt providers

To use several different dnscrypt providers, you may simply copy the original dnscrypt-proxy.service and dnscrypt-proxy.socket. Then in your new copy of the service change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. From there change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to the new service's port. For example, with unbound the configuration file would look like the following, using port 53000 for the original socket and 53001 for the new socket.

/etc/unbound/unbound.conf
 do-not-query-localhost: no
 forward-zone:
   name: "."
   forward-addr: 127.0.0.1@53000
   forward-addr: 127.0.0.1@53001

Create instanced systemd service

An alternative option to copying the systemd service is to use an instanced service.

Create systemd file

First, create /etc/systemd/system/dnscrypt-proxy@.service containing:

[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy@%i.socket

[Service]
Type=notify
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
    --resolver-name=%i
Restart=always

This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.

Add dnscrypt-sockets

To create multiple dnscrypt-proxy sockets, copy /usr/lib/systemd/system/dnscrypt-proxy.socket to a new file, /etc/systemd/system/dnscrypt-proxy@short-name.here.socket, replacing the socket instance name with one of the short names listed in dnscrypt-resolvers.csv and change the port. Use a different port for each instance (53000, 53001, and so forth).

Apply new systemd configuration

Now we need to reload the systemd configuration.

# systemctl daemon-reload

Since we are replacing the default service with a different name, we need to explicitly stop and disable dnscrypt-proxy.service and dnscrypt-proxy.socket.

Now start/enable the new service(s), e.g., dnscrypt-proxy@dnscrypt.eu-nl, etc.

Finally restart unbound.service.
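The instanced setup above repeats the same three facts for every provider (instance name, a unique loopback port, and a matching unbound forward-addr), so a generator keeps them consistent. This is an added example, not code from the ArchWiki page or from dnscrypt-proxy; the resolver short names are constructed samples, the base port follows the page's 53000/53001 convention, and the [Unit]/[Install] sections of the generated socket, as well as the exact systemctl sequence, are assumptions about what the copied socket file needs rather than a copy of Arch's packaged unit.

```python
"""Render dnscrypt-proxy@<name>.socket units and the unbound forward-zone for several providers."""
from pathlib import Path

UNIT_DIR = Path("/etc/systemd/system")   # where the page creates the instanced units
BASE_PORT = 53000                         # first port, as in the page's examples


def allocate_ports(resolvers, base=BASE_PORT):
    """Give every resolver short name its own loopback port: base, base+1, ...

    Duplicate names would silently produce two units for one instance, so refuse them."""
    if len(set(resolvers)) != len(resolvers):
        raise ValueError("duplicate resolver names: %r" % (resolvers,))
    return {name: base + i for i, name in enumerate(resolvers)}


def socket_unit(resolver, port):
    """Text of dnscrypt-proxy@<resolver>.socket bound only to 127.0.0.1:<port>.

    The empty ListenStream=/ListenDatagram= lines reset anything set earlier,
    so the instance never also keeps a default binding."""
    return (
        "[Unit]\n"
        f"Description=dnscrypt-proxy listening socket ({resolver})\n\n"
        "[Socket]\n"
        "ListenStream=\n"
        "ListenDatagram=\n"
        f"ListenStream=127.0.0.1:{port}\n"
        f"ListenDatagram=127.0.0.1:{port}\n\n"
        "[Install]\n"
        "WantedBy=sockets.target\n"
    )


def unbound_forward_zone(ports):
    """forward-zone block listing every instance so unbound can fall back between them."""
    lines = ["forward-zone:", '  name: "."']
    lines += [f"  forward-addr: 127.0.0.1@{port}" for port in sorted(ports.values())]
    return "\n".join(lines) + "\n"


def render_all(resolvers, unit_dir=UNIT_DIR):
    """Map destination path -> file content for every socket unit (nothing is written)."""
    ports = allocate_ports(resolvers)
    return {str(unit_dir / f"dnscrypt-proxy@{name}.socket"): socket_unit(name, port)
            for name, port in ports.items()}


def apply_commands(resolvers):
    """The systemctl steps from the page, in order, for the given instances."""
    cmds = ["systemctl daemon-reload",
            "systemctl disable --now dnscrypt-proxy.service dnscrypt-proxy.socket"]
    cmds += [f"systemctl enable --now dnscrypt-proxy@{name}.socket" for name in resolvers]
    cmds.append("systemctl restart unbound.service")
    return cmds


def write_all(resolvers, unit_dir=UNIT_DIR):
    """Write the rendered units to disk (needs root for the real unit directory)."""
    for path, content in render_all(resolvers, unit_dir).items():
        Path(path).write_text(content)


if __name__ == "__main__":
    sample = ["dnscrypt.eu-nl", "cloudflare"]     # constructed: pick names from the resolver list
    for path, content in render_all(sample).items():
        print(f"# {path}\n{content}")
    print(unbound_forward_zone(allocate_ports(sample)))
    print("\n".join(apply_commands(sample)))
```

Run it once as a dry run to review the generated text, then call `write_all` (or redirect the printed units into place) and paste the forward-zone block into /etc/unbound/unbound.conf before running the listed systemctl commands.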