Title: Port of the week: dnscrypt-proxy
Author: Solène
Date: 19 October 2016
Tags: unix security portoftheweek
Description:
### 2020 Update
Now that unwind on OpenBSD and unbound support DNS over TLS or DNS
over HTTPS, dnscrypt has lost a bit of relevance, but it is still usable
and a good alternative.
### Dnscrypt
Today I will talk about net/dnscrypt-proxy. It lets you encrypt your
DNS traffic between your resolver and the remote DNS recursive
server. More and more countries and internet providers use DNS to block
some websites, and now they tend to perform "man in the middle" attacks
on DNS answers, so you can't just use a remote DNS server you find on the
internet. While a remote dnscrypt DNS server can still be affected by
such a "man in the middle" hijack, there is very little chance that DNS
traffic is altered in datacenters / dedicated server hosting.
The article also deals with unbound as a DNS cache, because dnscrypt is
a bit slow and asking for the same domain multiple times in a few minutes
is a waste of CPU/network/time for everyone. So I recommend setting up
a DNS cache on your side (which also lets you use it from a LAN).
At the time I write this article, there is a very good explanation of
how to install it in the file named dnscrypt-proxy-1.9.5p3 in the
folder /usr/local/share/doc/pkg-readmes/. The following article is
made from this file. (Article updated at the time of OpenBSD 6.3)
While I write for OpenBSD, this can be easily adapted to anything else
Unix-like.
### Install dnscrypt ###

```
# pkg_add dnscrypt-proxy
```
### Resolv.conf ###
Modify your resolv.conf file as follows.

**/etc/resolv.conf** :

```
nameserver 127.0.0.1
lookup file bind
options edns0
```
### When using dhcp client ###
If you use dhcp to get an address, you can use the following line in the
dhclient config file to force 127.0.0.1 as the nameserver. Beware: if you
use it, when upgrading the system from bsd.rd you will get 127.0.0.1 as
your DNS server but no service running behind it.

**/etc/dhclient.conf** :

```
supersede domain-name-servers 127.0.0.1;
```
### Unbound ###
Now we need to modify the unbound config to tell it to send DNS queries to
127.0.0.1 port 40. Please adapt your config; I will just add what is
mandatory. The unbound configuration file isn't in /etc because unbound is
chrooted.

**/var/unbound/etc/unbound.conf**:

```
server:
    # this line is MANDATORY, otherwise unbound refuses to query 127.0.0.1
    do-not-query-localhost: no

# forward everything (the "." zone) to dnscrypt-proxy
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40   # address dnscrypt listens on
```
If you want to allow others to resolve through your unbound daemon,
see the interface and access-control parameters. You will need to
tell unbound to bind on external interfaces and allow requests on them.
### Dnscrypt-proxy ###
Now we need to configure dnscrypt. Pick a server from the list in
/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv; the name is
the first column.

As root, type the following (or use doas/sudo). In the example we
choose dnscrypt.eu-nl as the DNS provider:

```
# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
# rcctl start dnscrypt_proxy
```
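As an added example that is not part of the original article, this sh script audits the three pieces configured above (resolv.conf, unbound.conf and the dnscrypt_proxy flags) and reports whether a query can still bypass dnscrypt-proxy; the sample file contents and the 192.0.2.1 "leak" nameserver are constructed here, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original article: audit the chain set up
# above (resolv.conf -> unbound -> dnscrypt-proxy on 127.0.0.1:40) so a
# host that can still send plaintext queries to port 53 is caught early.
# File paths are arguments, so it runs on constructed samples or live files.

# 0 if every nameserver in resolv.conf is the local unbound (127.0.0.1).
check_resolv_conf() {
    grep -q '^nameserver' "$1" || return 1
    # Any other nameserver is a path that bypasses dnscrypt entirely.
    grep '^nameserver' "$1" | grep -Evq '^nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' && return 1
    return 0
}

# 0 if unbound may query localhost and forwards "." to 127.0.0.1@40.
check_unbound_conf() {
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$1" || return 1
    grep -Eq '^[[:space:]]*name:[[:space:]]*"\."' "$1" || return 1
    grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.1@40' "$1"
}

# 0 if the rc flags make dnscrypt-proxy listen where unbound forwards.
check_dnscrypt_flags() {
    case " $1 " in
        *" -a 127.0.0.1:40 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 resolv.conf, $2 unbound.conf, $3 dnscrypt_proxy flags string.
audit_chain() {
    check_resolv_conf "$1" && check_unbound_conf "$2" && check_dnscrypt_flags "$3"
}

# Constructed samples mirroring the article's files; prints the directory.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'nameserver 127.0.0.1\nlookup file bind\noptions edns0\n' > "$d/resolv.conf"
    printf 'server:\n\tdo-not-query-localhost: no\nforward-zone:\n\tname: "."\n\tforward-addr: 127.0.0.1@40\n' > "$d/unbound.conf"
    # What dhclient leaves behind without the supersede line: a second,
    # remote nameserver that is queried in plaintext (constructed address).
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.1\n' > "$d/resolv-leak.conf"
    echo "$d"
}

samples=$(make_samples)
flags="-E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40"
audit_chain "$samples/resolv.conf" "$samples/unbound.conf" "$flags" && echo "ok: queries go through dnscrypt-proxy"
audit_chain "$samples/resolv-leak.conf" "$samples/unbound.conf" "$flags" || echo "warn: resolv-leak.conf can bypass dnscrypt"
```

Run it against /etc/resolv.conf, /var/unbound/etc/unbound.conf and the output of `rcctl get dnscrypt_proxy flags` after the steps above; a "warn" means some lookups never reach dnscrypt-proxy.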
### Conclusion ###
You should be able to resolve addresses through dnscrypt now. You can use
tcpdump on your external interface to check for traffic on UDP port 53;
you should not see any there.

If you want to use `dig hostname -p 40 @127.0.0.1` to make DNS requests
to dnscrypt without unbound, you will need net/isc-bind, which provides
/usr/local/bin/dig. The OpenBSD base dig can't use a port other than 53.