Title: Port of the week: dnscrypt-proxy
Author: Solène
Date: 19 October 2016
Tags: unix security portoftheweek
### 2020 Update
Now that unwind on OpenBSD and unbound support DNS over TLS and DNS
over HTTPS, dnscrypt has lost a bit of relevance, but it is still usable
and a good alternative.
### Dnscrypt
Today I will talk about net/dnscrypt-proxy. It lets you encrypt the
DNS traffic between your resolver and the remote recursive DNS
server. More and more countries and internet providers use DNS to block
some websites, and now they tend to perform "man in the middle" on DNS
answers, so you can't just use any remote DNS server you find on the
internet. While a remote dnscrypt DNS server can still be affected by
such a "man in the middle" hijack, there is very little chance that DNS
traffic is altered inside datacenters / dedicated server hosting.
The article also deals with unbound as a DNS cache, because dnscrypt is
a bit slow and asking for the same domain several times within a few
minutes is a waste of CPU/network/time for everyone. So I recommend
setting up a DNS cache on your side (which also lets you use it on a LAN).
At the time I write this article, there is a very good explanation of
how to install it, named dnscrypt-proxy-1.9.5p3, in the folder
/usr/local/share/doc/pkg-readmes/. The following article is made from
this file. (Article updated at the time of OpenBSD 6.3)
While I write for OpenBSD, this can easily be adapted to anything else
Unix-like.
### Install dnscrypt

```sh
# pkg_add dnscrypt-proxy
```
### Resolv.conf
Modify your resolv.conf file to this:

**/etc/resolv.conf**:

```
nameserver 127.0.0.1
lookup file bind
options edns0
```
### When using dhcp client
If you use dhcp to get an address, you can use the following line to
force 127.0.0.1 as nameserver by modifying the dhclient config
file. Beware: if you use it, when upgrading the system from bsd.rd
you will get 127.0.0.1 as your DNS server but no service running.

**/etc/dhclient.conf**:

```
supersede domain-name-servers 127.0.0.1;
```
### Unbound
Now we need to modify the unbound config to tell it to send DNS queries to
127.0.0.1 port 40. Please adapt your config; I will only add what is
mandatory. The unbound configuration file isn't in /etc because unbound
is chrooted.

**/var/unbound/etc/unbound.conf**:

```
server:
    # this line is MANDATORY: unbound refuses to query 127.0.0.1 otherwise
    do-not-query-localhost: no

# forward everything (zone ".") to dnscrypt-proxy
forward-zone:
    name: "."
    # address and port dnscrypt-proxy listens on
    forward-addr: 127.0.0.1@40
```

If you want to allow others to resolve through your unbound daemon,
see the interface and access-control parameters. You will need to
tell unbound to bind on external interfaces and allow requests on them.
### Dnscrypt-proxy
Now we need to configure dnscrypt. Pick a server from the list in
/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv; the name is
the first column.
As root, type the following (or use doas/sudo). In the example we
choose dnscrypt.eu-nl as DNS provider:

```sh
# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
# rcctl start dnscrypt_proxy
```
### Conclusion
You should be able to resolve addresses through dnscrypt now. You can
run tcpdump on your external interface to check whether anything shows
up on UDP port 53; you should not see traffic there.
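As an added verification script (not part of the original article or of the dnscrypt-proxy package), the following POSIX sh helpers check the three files configured above and automate the tcpdump test; the file paths are the article's, the interface and hostname arguments are assumptions you supply, and the tcpdump sample at the end is constructed.

```sh
#!/bin/sh
# Verification helpers for the resolv.conf / unbound / dnscrypt-proxy setup above.
# Paths default to the ones used in the article; SAMPLE_TCPDUMP is constructed.

# 0 if every nameserver in resolv.conf is the local unbound (127.0.0.1).
check_resolv() {
    f="${1:-/etc/resolv.conf}"
    grep -q '^nameserver[[:space:]]*127\.0\.0\.1' "$f" &&
        ! grep '^nameserver' "$f" | grep -vq '127\.0\.0\.1'
}

# 0 if unbound.conf has the mandatory option and forwards to dnscrypt-proxy on port 40.
check_unbound() {
    f="${1:-/var/unbound/etc/unbound.conf}"
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$f" &&
        grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.1@40' "$f"
}

# Count packets with port 53 on either side in "tcpdump -n" output read from stdin.
count_plain_dns() {
    grep -Ec '(\.53 > |\.53: )' || true
}

# Resolve a name while sniffing the external interface; succeed only if no
# plaintext DNS left the machine. Needs root for tcpdump. $1 = interface name.
leak_test() {
    ifc="$1"; name="${2:-www.openbsd.org}"
    out=$(mktemp) || return 1
    tcpdump -nli "$ifc" 'udp port 53' > "$out" 2>/dev/null &
    pid=$!
    sleep 1                            # let tcpdump attach before querying
    dig "$name" +short > /dev/null     # 127.0.0.1:53 -> unbound -> dnscrypt-proxy
    sleep 1
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    n=$(count_plain_dns < "$out"); rm -f "$out"
    echo "plaintext DNS packets seen on $ifc: $n"
    [ "$n" -eq 0 ]
}

# Constructed tcpdump -n sample: two plaintext DNS packets and one unrelated UDP packet.
SAMPLE_TCPDUMP='IP 192.0.2.10.51234 > 192.0.2.1.53: 12345+ A? example.com. (29)
IP 192.0.2.1.53 > 192.0.2.10.51234: 12345 1/0/0 A 203.0.113.5 (45)
IP 192.0.2.10.40123 > 198.51.100.7.443: UDP, length 512'
printf '%s\n' "$SAMPLE_TCPDUMP" | count_plain_dns    # prints 2
```

Run `leak_test em0` (or whatever your external interface is) as root after the services are up; a non-zero count means some lookup bypassed unbound/dnscrypt.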
If you want to use `dig hostname -p 40 @127.0.0.1` to send DNS requests
to dnscrypt directly, without unbound, you will need net/isc-bind, which
provides /usr/local/bin/dig. The OpenBSD base dig can't use a port
other than 53.