___________________________________________
title: DNS Guardrails with dnscrypt-proxy
tags: linux dns containers docker networking tailscale
date: 2024-01-23
___________________________________________

Intro

Over the holidays we got our two younger children HP laptops for them
to do their school work on and to have a proper computer. While the
schools Google Classroom login effectively adds restrictions to
Chrome, I still wanted to have some guardrails on their Internet
access as well as ad-blocking.

The first thing I did was replace the Windows S install that came on
the laptops with Linux Mint as I’ve always enjoyed the Cinnamon
desktop environment and it has a low enough learning curve that the
kids could easily pick it up. After installing a few apps and games
(OpenRCT2) from the Software Center and setting their own passwords,
they were up and running and surfing the world-wide-web.

 [Linux Mint]: https://www.linuxmint.com/
 [Cinnamon desktop environment]: https://projects.linuxmint.com/cinnamon/
 [OpenRCT2]: https://openrct2.org/

Finally I added Tailscale to both laptops to put them on my tailnet.
This has benefits of accessing tailnet-only services, easier remote
access, and leveraging the dnscrypt-proxy on OpenBSD I setup a few
years ago for DNS.

 [Tailscale]: https://tailscale.com/
 [tailnet]: https://tailscale.com/kb/1136/tailnet
 [dnscrypt-proxy on OpenBSD]: https://www.ecliptik.com/Running-dnscrypt-proxy-on-OpenBSD/

Guardrails

My original DNS config worked well, but I wanted to add some
guardrails specifically for the kids laptops,

1.  Cloudflare for Families
2.  Ad Blocking
3.  YouTube Restricted Mode via Cloaking
4.  Accessible only from the Tailscale

 [Cloudflare for Families]: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
 [Ad Blocking]: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Public-blocklist
 [YouTube Restricted Mode]: https://support.google.com/a/answer/6212415

First I tried using the existing dnscrypt-proxy to provide a different
set of DNS resolvers depending on the source IP, but this wasn’t
possible. Eventually I came up with a seperate DNS infrastructure in a
container for the laptops to use,

 [dnscrypt-proxy]: https://github.com/DNSCrypt/dnscrypt-proxy

Container Stack

Dockerfile is used for building a container including dnscrypt-proxy,

   FROM debian:trixie-slim
   ENV DEBIAN_FRONTEND noninteractive

   RUN apt update && \
       apt install -y dnscrypt-proxy \
         ca-certificates \
       && apt clean

   WORKDIR /tmp
   ENTRYPOINT [ "/usr/sbin/dnscrypt-proxy" ]
   CMD [ "-config", "/etc/dnscrypt-proxy/dnscrypt-proxy.toml" ]

docker compose is used to bring up the stack, which includes a
tailscale container to provide network and access to other devices on
the tailnet. Configuration files are monted read-only from the current
directly and some volumes to maintain state across restarts.

 [docker compose]: https://docs.docker.com/compose/

docker-compose.yml

   version: '3.9'
   services:
     tailscale:
       container_name: tailscale-dnscrypt
       hostname: dnscrypt-proxy
       image: ghcr.io/tailscale/tailscale
       stdin_open: true
       environment:
         - TS_AUTH_KEY=${TS_AUTH_KEY}
         - TS_USERSPACE=true
         - TS_STATE_DIR=/var/lib/tailscale
         - TS_SOCKET=/var/run/tailscale/tailscaled.sock
       volumes:
         - dnscryptvarlib:/var/lib
       restart: unless-stopped
     dnscrypt-proxy:
       build: .
       stdin_open: true
       volumes:
         - ./dnscrypt-proxy.toml:/etc/dnscrypt-proxy/dnscrypt-proxy.toml:ro
         - ./blocklist.txt:/etc/dnscrypt-proxy/blocklist.txt:ro
         - ./cloaking-rules.txt:/etc/dnscrypt-proxy/cloaking-rules.txt:ro
         - ./domains-allowlist.txt:/etc/dnscrypt-proxy/domains-allowlist.txt:ro
         - keys:/etc/dnscrypt-proxy/keys
       restart: unless-stopped
       network_mode: 'service:tailscale'
   volumes:
     dnscryptvarlib:
     keys:

dnscrypt-proxy

The dnscrypt-proxy configuration uses the cloudflare-family source and
ad-blocking using a blocklist.txt generated with
generate-domains-blocklist.py. All logs go to /dev/stdout so they
appear in docker compose logs.

 [generate-domains-blocklist.py]: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Combining-Blocklists

dnscrypt-proxy.toml

   #Use cloudflare DNS
   server_names = ['cloudflare-family']

   #Listen on local and LAN addresses for DNS
   listen_addresses = ['127.0.0.1:53']
   max_clients = 250
   user_name = '_dnscrypt-proxy'

   #Enable ipv4 and ipv6
   ipv4_servers = true
   ipv6_servers = false

   #Allow TCP and UDP
   force_tcp = false
   timeout = 2500
   keepalive = 30

   #Logging
   log_level = 2
   use_syslog = true

   #Certs
   cert_refresh_delay = 240
   dnscrypt_ephemeral_keys = true
   tls_disable_session_tickets = true

   #Cache
   cache = true

   #Cloaking
   cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

   #Query logging, commented out unless for troubleshooting
   [query_log]
     file = '/dev/stdout'
     format = 'tsv'

   #Sources for resolvers and relays
   [sources]
     [sources.'public-resolvers']
     urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3
   /public-resolvers.md']
     minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
     cache_file = '/var/tmp/public-resolvers.md'
     refresh_delay = 72

   #Blocking configuration
   [blocked_names]
     ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
     blocked_names_file = '/etc/dnscrypt-proxy/blocklist.txt'
     log_file = '/dev/stdout'
     log_format = 'tsv'

   #Allow configuration
   [allowed_names]
     allowed_names_file = '/etc/dnscrypt-proxy/domains-allowlist.txt

Cloaking is used so all YouTube requests resolve to
restrict.youtube.com.

 [Cloaking]: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Public-blocklist

cloaking-rules.txt

   www.youtube.com restrict.youtube.com
   m.youtube.com  restrict.youtube.com
   youtubei.googleapis.com restrict.youtube.com
   youtube.googleapis.com restrict.youtube.com
   www.youtube-nocookie.com restrict.youtube.com

Exposing via Tailscale

Since I only want DNS available to devices on my tailnet, and not
publicly available, there’s a tailscale container in the
docker-compose.yml that provides networking to the dnscrypt-proxy
container using network_mode.

Set this up by creating an auth key for your tailnet and then putting
it into a .env file that docker compose will source in and set as the
TS_AUTH_KEY variable.

 [auth key]: https://tailscale.com/kb/1085/auth-keys

env

   TS_AUTH_KEY=tskey-auth-xxxxxxxxxxx

Enabling on Linux Mint

My tailnet uses Magic DNS which sets the nameserver for all devices on
a tailnet to 100.100.100.100, but since this is a DNS server specific
to a subset of systems we want to use the IP of the dnscrypt-proxy
device instead.

 [Magic DNS]: https://tailscale.com/kb/1081/magicdns

After bringing up the stack with docker compose up, the tailscale
container will authenticate to the tailnet and have an Tailscale IP
(eg 100.112.129.40). This IP is then added to the laptops
/etc/resolv.conf,

   nameserver 100.112.129.40
   search tailnet-3831.ts.net

Tailscale will keep trying to revert this, so to keep the settings
permanent, /etc/resolv.conf is set to immutable with
chattr +i /etc/resolv.conf.

To test DNS is working, looking for more “adult” content on youtube
will give a message similar to “your Google workspace administrator
has restricted some content”.

Verify in container logs with dig m.youtube.com  @100.76.233.91 (where
the IP is your Tailscale container IP) and check the logs for messages
similar to 127.0.0.1       m.youtube.com   A       CLOAK   0ms     -.

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.