Difference between revisions of "Dnscrypt-proxy"

From ArchWiki
m (→‎Tips and tricks: Updated with the right config directory)
(Add section for dnscrypt and dnsmasq.)

Revision as of 16:03, 20 April 2014

DNSCrypt is a piece of software that encrypts DNS traffic between the user and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks.

Installation

Install dnscrypt-proxy from the official repositories.

Configuration

By default dnscrypt-proxy is pre-configured in /etc/conf.d/dnscrypt-proxy (read by dnscrypt-proxy.service) to accept incoming requests on 127.0.0.1 and forward them to an OpenDNS resolver. See the list of resolvers for alternatives.

With this setup, it will be necessary to alter your resolv.conf file and replace your current set of resolver addresses with localhost:

nameserver 127.0.0.1

You might need to prevent other programs from overwriting it, see resolv.conf#Preserve DNS settings for details.

Starting

Available as a systemd service: dnscrypt-proxy.service

Tips and tricks

Using DNSCrypt in combination with Unbound

It is recommended to run DNSCrypt as a forwarder for a local DNS cache, otherwise every single query will make a round-trip to the upstream resolver.

Install unbound from the official repositories and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40

Note: Port 40 is only an example; unbound itself listens on port 53 by default, so the two ports must differ.

Start the systemd service unbound.service. Then configure DNSCrypt to match Unbound's new forward-zone IP and port in /etc/conf.d/dnscrypt-proxy:

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40

Note: dnscrypt-proxy needs to start before unbound, so include unbound.service on a Before= line in the [Unit] section of dnscrypt.service.

Restart dnscrypt-proxy.service to reread the changes.

Using DNSCrypt in combination with dnsmasq

You can also use DNSCrypt with dnsmasq as a caching proxy.

Assuming you have set up both dnsmasq and dnscrypt-proxy on your machine, stop their services with:

systemctl stop dnsmasq.service
systemctl stop dnscrypt-proxy.service

Edit /etc/dnsmasq.conf so that it contains at least the following options:

domain-needed
bogus-priv
strict-order
no-resolv
server=127.0.0.2
resolv-file=/etc/resolv.dns.conf
listen-address=127.0.0.1
no-dhcp-interface=lo
bind-interfaces
cache-size=1500
proxy-dnssec

Edit /etc/resolv.dns.conf so that it contains just:

nameserver 127.0.0.2

This is the address dnsmasq will send your DNS queries to (dnscrypt-proxy).

Edit /etc/resolv.conf.tail so that it contains any extra backup DNS servers to use in case dnscrypt-proxy is not working for some reason. The nameservers listed here are appended to resolv.conf automatically. In this example an OpenDNS and a Comodo DNS server serve as backup. Keep in mind that queries which fall back to these servers are sent as plain, unencrypted DNS.

nameserver 208.67.222.222
nameserver 8.26.56.26

Edit /etc/conf.d/dnscrypt-proxy so that DNSCRYPT_LOCALIP is set to 127.0.0.2 (the address dnsmasq will query):

DNSCRYPT_LOCALIP=127.0.0.2

If you use NetworkManager you might have to append

dns=dnsmasq

in /etc/NetworkManager/NetworkManager.conf.

Start dnscrypt-proxy.service and dnsmasq.service again so that the changes take effect.
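As an added check for both this section and the Unbound section above (example code, not part of the ArchWiki page or of the dnscrypt-proxy project), the POSIX shell script below reads the configuration files and confirms that the local cache forwards to exactly the ip:port dnscrypt-proxy is set to bind, and that the cache and dnscrypt-proxy do not bind the same socket. The file contents are constructed samples mirroring the page, and the cache's own listen address is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: confirm that the local cache
# (dnsmasq or unbound) forwards to exactly the ip:port dnscrypt-proxy binds,
# and that the cache and dnscrypt-proxy do not bind the same socket.
# conf_value FILE KEY: value of the last "KEY=..." line, quotes/blanks removed.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '" \t'
}
# ip:port from a /etc/conf.d/dnscrypt-proxy style file (port defaults to 53).
dnscrypt_listen() {
    ip=$(conf_value "$1" DNSCRYPT_LOCALIP); port=$(conf_value "$1" DNSCRYPT_LOCALPORT)
    printf '%s:%s\n' "${ip:-127.0.0.1}" "${port:-53}"
}
# ip:port dnsmasq forwards to, from "server=ip" or "server=ip#port".
dnsmasq_upstream() {
    srv=$(conf_value "$1" server)
    case $srv in
        *\#*) printf '%s:%s\n' "${srv%#*}" "${srv#*#}" ;;
        *)    printf '%s:53\n' "$srv" ;;
    esac
}
# ip:port unbound forwards to, from "forward-addr: ip" or "forward-addr: ip@port".
unbound_upstream() {
    fa=$(sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' "$1" | tail -n 1)
    case $fa in
        *@*) printf '%s:%s\n' "${fa%@*}" "${fa#*@}" ;;
        *)   printf '%s:53\n' "$fa" ;;
    esac
}
# chain_ok CACHE_LISTEN CACHE_UPSTREAM DNSCRYPT_CONF: 0 if the cache's upstream
# is dnscrypt-proxy's listener and the two listeners differ, else 1.
chain_ok() {
    dc=$(dnscrypt_listen "$3")
    if [ "$2" = "$dc" ] && [ "$1" != "$dc" ]; then return 0; fi
    echo "mismatch: cache $1 forwards to $2, dnscrypt-proxy listens on $dc" >&2
    return 1
}
# Constructed sample files mirroring the page's configuration.
D=$(mktemp -d)
printf 'listen-address=127.0.0.1\nserver=127.0.0.2\nno-resolv\n' > "$D/dnsmasq.conf"
printf 'listen-address=127.0.0.1\nserver=127.0.0.1\nno-resolv\n' > "$D/dnsmasq.loop"
printf 'DNSCRYPT_LOCALIP=127.0.0.2\n' > "$D/dnscrypt.dnsmasq"
printf 'forward-zone:\n  name: "."\n  forward-addr: 127.0.0.1@40\n' > "$D/unbound.conf"
printf 'DNSCRYPT_LOCALIP=127.0.0.1\nDNSCRYPT_LOCALPORT=40\n' > "$D/dnscrypt.unbound"
chain_ok 127.0.0.1:53 "$(dnsmasq_upstream "$D/dnsmasq.conf")" "$D/dnscrypt.dnsmasq" && echo "dnsmasq chain ok"
chain_ok 127.0.0.1:53 "$(dnsmasq_upstream "$D/dnsmasq.loop")" "$D/dnscrypt.dnsmasq" || echo "loop rejected"
chain_ok 127.0.0.1:53 "$(unbound_upstream "$D/unbound.conf")" "$D/dnscrypt.unbound" && echo "unbound chain ok"
```

On a real system, point the functions at /etc/dnsmasq.conf (or /etc/unbound/unbound.conf) and /etc/conf.d/dnscrypt-proxy instead of the sample files.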

Test DNSCrypt and dnsmasq

To check that DNS queries are actually sent encrypted, run tcpdump and then browse the web from the machine. The addresses below are the OpenDNS resolvers; adjust them and the interface name (eth0) to your setup. Run:

sudo tcpdump -i eth0 dst host 208.67.222.222 or dst host 208.67.220.220 or src host 208.67.222.222 or src host 208.67.220.220 -n

You should only see remote UDP port 443 being used, not 53:

23:00:41.806710 IP 192.168.1.3.58619 > 208.67.220.220.443: UDP, length 260
23:00:41.843235 IP 208.67.220.220.443 > 192.168.1.3.58619: UDP, length 496
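To catch a plaintext query that scrolls past while you are browsing, the added POSIX shell script below (not from the ArchWiki page) post-processes a saved `tcpdump -n` capture and counts resolver packets per port. The sample capture is constructed from the two lines above plus one made-up port-53 query.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: post-process a saved "tcpdump -n"
# capture and count resolver packets per port, so a DNS leak (plaintext port
# 53) is caught even if it scrolled past while you were browsing.
# port_count FILE PORT: packets whose source or destination port equals PORT.
# Handles IPv4 ("IP") and IPv6 ("IP6") lines; -n is needed so ports are numeric.
port_count() {
    awk -v want="$2" '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            n = split($3, s, "."); src = s[n]          # "a.b.c.d.58619" -> 58619
            sub(/:$/, "", $5)                          # drop the trailing ":"
            m = split($5, d, "."); dst = d[m]
            if (src == want || dst == want) hits++
        }
        END { print hits + 0 }
    ' "$1"
}
# capture_ok FILE: 0 when there is DNSCrypt traffic (port 443) and no
# plaintext DNS (port 53) to or from the resolver; 1 otherwise.
capture_ok() {
    plain=$(port_count "$1" 53); enc=$(port_count "$1" 443)
    if [ "$plain" -eq 0 ] && [ "$enc" -gt 0 ]; then return 0; fi
    echo "plaintext DNS packets: $plain, DNSCrypt packets: $enc" >&2
    return 1
}
# Constructed sample capture: the two lines shown on the page plus one
# made-up plaintext query (what a fallback to resolv.conf.tail looks like).
CAP=$(mktemp)
cat > "$CAP" <<'EOF'
23:00:41.806710 IP 192.168.1.3.58619 > 208.67.220.220.443: UDP, length 260
23:00:41.843235 IP 208.67.220.220.443 > 192.168.1.3.58619: UDP, length 496
23:00:42.101000 IP 192.168.1.3.41022 > 208.67.222.222.53: 4711+ A? example.com. (29)
EOF
capture_ok "$CAP" || echo "leak detected in sample capture"
```

Save a real capture with `tcpdump -n ... > capture.txt` and run `capture_ok capture.txt` against it.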

Enable EDNS0

EDNS0 (Extension Mechanisms for DNS) is an extension that, among other things, lets a client specify how large a reply over UDP may be.

Add the following line to your /etc/resolv.conf:

options edns0

You may also wish to add the following argument to dnscrypt-proxy:

--edns-payload-size=<bytes>

The default size is 1252 bytes; values up to 4096 bytes are purportedly safe. A value of 512 bytes or less disables this mechanism, unless the client sends a packet whose OPT section provides a payload size.

Test EDNS0

To make use of the DNS Reply Size Test Server, use the dig command-line tool (available in dnsutils from the official repositories) to issue a TXT query for the name rs.dns-oarc.net:

$ dig +short rs.dns-oarc.net txt

With EDNS0 supported, the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"

See also