hello friends! new(ish)!

DNSCrypt: Difference between revisions

From InstallGentoo Wiki v2
Jump to navigation Jump to search
>Galactus
>Galactus
m (Adds link to libsodium, DNSCrypt's cryptographic library)
Line 3: Line 3:
[[File:Dnscrypt.png|thumb]]
[[File:Dnscrypt.png|thumb]]


'''DNSCrypt''' is a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server—which is extremely useful for mitigating MITM attacks on DNS. It is best used alongside a caching DNS server like [[Unbound]].   
'''DNSCrypt''' is a local DNS resolver and uses [https://github.com/jedisct1/libsodium elliptic-curve cryptography] when passing messages to and from the DNS server—which is extremely useful for mitigating MITM attacks on DNS. It is best used alongside a caching DNS server like [[Unbound]].   


Only a few servers are known to currently support DNSCrypt, however, adoption is growing.
Only a few servers are known to currently support DNSCrypt, however, adoption is growing.

Revision as of 12:56, 15 December 2015

Dnscrypt.png

DNSCrypt is a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server—which is extremely useful for mitigating MITM attacks on DNS. It is best used alongside a caching DNS server like Unbound.

Only a few servers are known to currently support DNSCrypt, however, adoption is growing.

Installation

Unix-like

Requirements & dependencies

  `--  dev-libs/libsodium
  `--  net-libs/ldns
  `--  virtual/pkgconfig
  `--  sys-apps/systemd (optional!)

Arch users can install dnscrypt-proxy and set it up manually, or install dnscrypt-autoinstall from the AUR. Similarly, Gentoo users can easily compile DNSCrypt from scratch from the main repository.

Building

  1. git clone git://github.com/jedisct1/dnscrypt-proxy.git
  2. cd dnscrypt-proxy
  3. ./autogen.sh
  4. ./configure --prefix=/usr
  5. make
  6. sudo make install
Remove systemd as a dependency

In version 1.6 systemd can be removed from the software by leaving its references out of the configure document before compiling. Relevant lines can be found around 3258 to 3288 of the configure document. End result should look something like this:

# MANUAL SYSTEMD PATCH. GO AWAY NSA.
have_systemd=no
HAVE_SYSTEMD_TRUE=
HAVE_SYSTEMD_FALSE='#'

# Check whether --with-systemd was given.
#if test "${with_systemd+set}" = set; then :
#  withval=$with_systemd;
#fi
#
#if test "x$with_systemd" = "xyes"; then :
#
#  PKG_CHECK_MODULES(SYSTEMD, libsystemd, have_systemd=yes,
#    PKG_CHECK_MODULES([SYSTEMD_DAEMON], [libsystemd-daemon], [have_systemd=yes], [have_systemd=no])
#  )
#  case $with_systemd:$have_systemd in #(
#  yes:no) :
#    as_fn_error $? "systemd expected but libsystemd not found" #"$LINENO" 5 ;; #(
#  *:yes) :
#
#$as_echo "#define HAVE_LIBSYSTEMD 1" >>confdefs.h
#
#   ;; #(
#  *) :
#     ;;
#esac
#
#fi
# if test "x$have_systemd" = "xyes"; then
#  HAVE_SYSTEMD_TRUE=
#  HAVE_SYSTEMD_FALSE='#'
#else
#  HAVE_SYSTEMD_TRUE='#'
#  HAVE_SYSTEMD_FALSE=
#fi

Now run echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf, sudo ldconfig and ./configure, then make and finally sudo make install.

Windows

Use SimpleDNSCrypt, it just werks. If it doesn't, go talk to the developer.

iOS

You will need a jailbroken iOS device (>=5.1.1) in order to install DNSCrypt.

  1. Download the pre-compiled binary for iOS;
  2. Copy the {bin,sbin,share} directories of the archive into the {bin,sbin,share} directories of the device;

Configuration

GNU/Linux

If you would rather run the commands yourself at boot time, edit your /etc/resolv.conf file to look like this, after you do:

  domain home
  nameserver <the DNSCrypt you picked for --local-address>
  options edns0

Lock it with sudo chattr +i /etc/resolv.conf, and then run the following script every time you boot up your PC:

sudo dnscrypt-proxy --local-address=<ip>[:port] --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key> --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy.log.

Note: I recommend using 127.0.0.1 or 127.0.0.2, and port 40 instead of 53, should you ever want to use Unbound or Dnsmasq with it. I also recommend adding a second, or even a third nameserver (that you know works) to your resolv.conf file. Mine looks like this.

systemd

If you didn't remove the systemd depedency, the source distribution includes the dnscrypt-proxy.socket and dnscrypt-proxy.service files. As such, in order to activate them, you need only run systemctl start dnscrypt-proxy.socket and systemctl start dnscrypt-dnscrypt-proxy.service.

To ensure it starts automagically every time you boot up your PC, systemctl enable dnscrypt-proxy.socket and systemctl enable dnscrypt-proxy.service.

You can check if it's running by issuing systemctl status dnscrypt-proxy.service.

OpenRC

Run,

sudo vim /etc/init.d/dnscrypt-proxy

 #!/sbin/runscript
 # $Id$
 
 DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log}
 
 rundir=${rundir:-/var/run/dnscrypt-proxy}
 pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid}
 rundir=${rundir:-/var/run/dnscrypt-proxy}
 runas_user=${runas_user:-dnscrypt}
 runas_group=${runas_user:-dnscrypt}
 
 depend() {
 	use net
 	before dns
 	after logger
 }
 
 start() {
 	if [ ! -d "${rundir}" ]; then
 		mkdir "${rundir}"
 		if [ -n "${runas_user}" ]; then
 			touch "${DNSCRYPT_LOGFILE}"
 			chown ${runas_user}:${runas_group} "${DNSCRYPT_LOGFILE}"
 			chown -R ${runas_user}:${runas_group} "${rundir}"
 		fi
 	fi
 
 	ebegin "Starting dnscrypt-proxy"
 	start-stop-daemon --start --quiet \
 		--exec /usr/sbin/dnscrypt-proxy \
 		-- \
 		--pidfile="${pidfile}" \
 		--logfile="${DNSCRYPT_LOGFILE}" \
 		--daemonize --user=${runas_user} \
 		--local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
 		--resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
 		--provider-name=${DNSCRYPT_PROVIDER_NAME} \
 		--provider-key=${DNSCRYPT_PROVIDER_KEY}
 	eend $?
 }
 
 stop() {
 	ebegin "Stopping dnscrypt-proxy"
 	start-stop-daemon --stop --quiet --exec /usr/sbin/dnscrypt-proxy
 	eend $?
 }

You will need to make it executable, sudo chmod +x /etc/init.d/dnscrypt-proxy.

This init script will of course require a configuration file, located here /etc/conf.d/dnscrypt-proxy file. Pick two servers (one will work as the fallback server), whilst making sure they are compatible with the options you will want to use later on (DNSSEC with unbound, for instance), and add the following text:

 DNSCRYPT_LOCALIP=127.0.0.1
 DNSCRYPT_LOCALPORT=40
 DNSCRYPT_USER=dnscrypt
 
 DNSCRYPT_PROVIDER_NAME=
 DNSCRYPT_PROVIDER_KEY=
 DNSCRYPT_RESOLVERIP=
 
 DNSCRYPT_PROVIDER_NAME=
 DNSCRYPT_PROVIDER_KEY=
 DNSCRYPT_RESOLVERIP=
 
 DNSCRYPT_RESOLVERPORT=443

Make sure to substitute where appropriate. You will also need to add an account called dnscrypt, with no privileges, by running useradd -G dnscrypt dnscrypt. To activate the init script, issue sudo rc-update add dnscrypt-proxy

Lastly, edit your /etc/resolv.conf file with an editor of your choice, and add the following text:

 domain home
 nameserver 127.0.0.1
 options edns0

Now you have to do is lock the file with sudo chattr +i /etc/resolv.conf.

Should anything fail, issue the same command with -i and temporarily change the nameserver to a DNS server of your choice until you fix the issue.

Mac OS X

Android

iOS

  1. Edit the org.dnscrypt.osx.DNSCryptProxy.plist file to set the resolver name to use, by editing this string <string>--resolver-name=***CHANGETHIS***</string>;
  2. Copy the org.dnscrypt.osx.DNSCryptProxy.plist file into /Libary/LaunchDaemons on the device;

To get it working, simply:

  1. Reboot or type launchctl load org.dnscrypt.osx.DNSCryptProxy.plist;
  2. Change your wifi settings to use 127.0.0.1 as a DNS resolver;
  3. Enjoy being less susceptible to MITM attacks whilst on public WiFis.

Picking a server

One must take a few considerations when picking a server:

  • Does it keep logs?
  • Does it support DNSCrypt?
  • Does it support DNSSEC (assuming you want to use it in conjunction with DNSCrypt, and use Unbound to enforce it)?
  • Is the latency low enough?
  • Is the company or individual running the server trustworthy, or do they appear to have ulterior motives?

As it stands, I trust the dnscrypt-eu servers. However, if you have no need for DNSSEC support, you can look into the various cryptostorm servers (if you're not in Europe), or the OpenNIC ones, if you'd like to make use of their extra TLDs.

Troubleshooting

Run hostip -r 127.0.0.1 example.com. If that outputs an IP, then DNSCrypt is working and the problem lies with whatever DNS cache you're using (most likely Dnsmasq or Unbound).

If it doesn't, look at /var/log/dnscrypt-proxy.log and figure it out yourself, or are you not a true /g/entooman?

External links