hello friends! new(ish)!
DNSCrypt: Difference between revisions
>Morpheus m (→Linux: See Help:Editing and Help:Style) |
>Galactus |
||
Line 25: | Line 25: | ||
===== Remove systemd as a dependency (optional)===== | ===== Remove systemd as a dependency (optional)===== | ||
In version 1.6 systemd can be removed from the software by leaving its references out of the | In version 1.6 systemd can be removed from the software by leaving its references out of the {{ic|configure}} document before compiling. | ||
Relevant lines can be found around 3258 to 3288 of the | Relevant lines can be found around 3258 to 3288 of the {{ic|configure}} document. | ||
End result should look something like this: | End result should look something like this: | ||
# | {{hc|#Manual systemd patch. Go away NSA.| | ||
have_systemd=no | <nowiki>have_systemd=no | ||
HAVE_SYSTEMD_TRUE= | HAVE_SYSTEMD_TRUE= | ||
HAVE_SYSTEMD_FALSE='#' | HAVE_SYSTEMD_FALSE='#' | ||
# Check whether --with-systemd was given. | #Check whether --with-systemd was given. | ||
#if test "${with_systemd+set}" = set; then : | #if test "${with_systemd+set}" = set; then : | ||
# withval=$with_systemd; | # withval=$with_systemd; | ||
Line 63: | Line 63: | ||
# HAVE_SYSTEMD_TRUE='#' | # HAVE_SYSTEMD_TRUE='#' | ||
# HAVE_SYSTEMD_FALSE= | # HAVE_SYSTEMD_FALSE= | ||
#fi | #fi</nowiki>}} | ||
</ | |||
Now run | |||
Now run {{ic|echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf}}, {{ic|sudo ldconfig}} and {{ic|./configure}}, then {{ic|make}} and finally {{ic|sudo make install}}. | |||
===Windows=== | ===Windows=== |
Revision as of 17:42, 16 January 2016
See also Anonymising yourself
DNSCrypt is a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server—which is extremely useful for mitigating MITM attacks on DNS. It is best used alongside a caching DNS server like Unbound.
Only a few servers are known to currently support DNSCrypt, however, adoption is growing.
Installation
Unix-like
Requirements & dependencies
`-- dev-libs/libsodium `-- net-libs/ldns `-- virtual/pkgconfig `-- sys-apps/systemd (optional!)
Arch users can install dnscrypt-proxy
and set it up manually, or install dnscrypt-autoinstall
from the AUR. Gentoo users can easily compile DNSCrypt from scratch from the main repository. Debian users can install it from the package dnscrypt-proxy
, but only in testing or unstable.
Building
- git clone git://github.com/jedisct1/dnscrypt-proxy.git
- cd dnscrypt-proxy
- ./autogen.sh
- ./configure --prefix=/usr
- make
- sudo make install
Remove systemd as a dependency (optional)
In version 1.6 systemd can be removed from the software by leaving its references out of the configure
document before compiling.
Relevant lines can be found around 3258 to 3288 of the configure
document.
End result should look something like this:
#Manual systemd patch. Go away NSA.
have_systemd=no HAVE_SYSTEMD_TRUE= HAVE_SYSTEMD_FALSE='#' #Check whether --with-systemd was given. #if test "${with_systemd+set}" = set; then : # withval=$with_systemd; #fi # #if test "x$with_systemd" = "xyes"; then : # # PKG_CHECK_MODULES(SYSTEMD, libsystemd, have_systemd=yes, # PKG_CHECK_MODULES([SYSTEMD_DAEMON], [libsystemd-daemon], [have_systemd=yes], [have_systemd=no]) # ) # case $with_systemd:$have_systemd in #( # yes:no) : # as_fn_error $? "systemd expected but libsystemd not found" #"$LINENO" 5 ;; #( # *:yes) : # #$as_echo "#define HAVE_LIBSYSTEMD 1" >>confdefs.h # # ;; #( # *) : # ;; #esac # #fi # if test "x$have_systemd" = "xyes"; then # HAVE_SYSTEMD_TRUE= # HAVE_SYSTEMD_FALSE='#' #else # HAVE_SYSTEMD_TRUE='#' # HAVE_SYSTEMD_FALSE= #fi
Now run echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
, sudo ldconfig
and ./configure
, then make
and finally sudo make install
.
Windows
Use SimpleDNSCrypt, it just werks. If it doesn't, go talk to the developer.
iOS
You will need a jailbroken iOS device (>=5.1.1) in order to install DNSCrypt.
- Download the pre-compiled binary for iOS;
- Copy the {bin,sbin,share} directories of the archive into the {bin,sbin,share} directories of the device;
Configuration
Linux
If you would rather run the commands yourself at boot time, this section is for you. However, the following step is common amongst all Linux distros: you must edit your /etc/resolv.conf file to look like this:
/etc/resolv.conf
domain home nameserver <the DNSCrypt you picked for --local-address> options edns0
Lock it with sudo chattr +i /etc/resolv.conf
, and then, either move on to systemd/OpenRC, or run the following script every time you boot up your PC:
sudo dnscrypt-proxy --local-address=<ip>[:port] --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key> --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy.log
Note: It is recommended to use 127.0.0.1 or 127.0.0.2, and port 40 instead of 53, should you ever want to use Unbound or Dnsmasq with it. It is also recommended to add a second, or even a third nameserver (that you know works) to your resolv.conf file. It looks like this.
Security consideration: it is best to use an extra user to run it with no privileges, and no home folder.
systemd
If you didn't remove the systemd depedency, the source distribution includes the dnscrypt-proxy.socket and dnscrypt-proxy.service files. As such, in order to activate them, you need only run systemctl start dnscrypt-proxy.socket
and systemctl start dnscrypt-proxy.service
.
To ensure it starts automagically every time you boot up your PC, systemctl enable dnscrypt-proxy.socket
and systemctl enable dnscrypt-proxy.service
.
You can check if it's running by issuing systemctl status dnscrypt-proxy.service
.
Note: DNSCrypt's systemd socket uses port 53 by default. You can easily change that at will.
OpenRC
/etc/init.d/dnscrypt-proxy
#!/sbin/runscript # $Id$ DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log} rundir=${rundir:-/var/run/dnscrypt-proxy} pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid} rundir=${rundir:-/var/run/dnscrypt-proxy} runas_user=${runas_user:-dnscrypt} runas_group=${runas_user:-dnscrypt} depend() { use net before dns after logger } start() { if [ ! -d "${rundir}" ]; then mkdir "${rundir}" if [ -n "${runas_user}" ]; then touch "${DNSCRYPT_LOGFILE}" chown ${runas_user}:${runas_group} "${DNSCRYPT_LOGFILE}" chown -R ${runas_user}:${runas_group} "${rundir}" fi fi ebegin "Starting dnscrypt-proxy" start-stop-daemon --start --quiet \ --exec /usr/sbin/dnscrypt-proxy \ -- \ --pidfile="${pidfile}" \ --logfile="${DNSCRYPT_LOGFILE}" \ --daemonize --user=${runas_user} \ --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \ --resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \ --provider-name=${DNSCRYPT_PROVIDER_NAME} \ --provider-key=${DNSCRYPT_PROVIDER_KEY} eend $? } stop() { ebegin "Stopping dnscrypt-proxy" start-stop-daemon --stop --quiet --exec /usr/sbin/dnscrypt-proxy eend $? }
You will need to make it executable, sudo chmod +x /etc/init.d/dnscrypt-proxy
.
This init script will of course require a configuration file, located here /etc/conf.d/dnscrypt-proxy file. Pick two servers (one will work as the fallback server), whilst making sure they are compatible with the options you will want to use later on (DNSSEC with unbound, for instance), and add the following text:
DNSCRYPT_LOCALIP=127.0.0.1 DNSCRYPT_LOCALPORT=40 DNSCRYPT_USER=dnscrypt DNSCRYPT_PROVIDER_NAME= DNSCRYPT_PROVIDER_KEY= DNSCRYPT_RESOLVERIP= DNSCRYPT_PROVIDER_NAME= DNSCRYPT_PROVIDER_KEY= DNSCRYPT_RESOLVERIP= DNSCRYPT_OPTIONS="--edns-payload-size=4096" DNSCRYPT_RESOLVERPORT=443
Make sure to substitute where appropriate. You will also have to manually create a user called dnscrypt, with:
/etc/passwd
dnscrypt:x:117:991:/var/empty:/sbin/nologin
You'll also have to create a group:
/etc/group
... dnscrypt:x:991:
To activate the init script, issue sudo rc-update add dnscrypt-proxy
.
Mac OS X
Use the dnscrypt-osxclient.
Android
iOS
- Edit the
org.dnscrypt.osx.DNSCryptProxy.plist
file to set the resolver name to use, by editing this string<string>--resolver-name=***CHANGETHIS***</string>
; - Copy the
org.dnscrypt.osx.DNSCryptProxy.plist
file into /Libary/LaunchDaemons on the device;
To get it working, simply:
- Reboot or type
launchctl load org.dnscrypt.osx.DNSCryptProxy.plist
; - Change your wifi settings to use 127.0.0.1 as a DNS resolver;
- Enjoy being less susceptible to MITM attacks whilst on public WiFis.
Additional considerations
Picking a server
One must take a few considerations when picking a server:
- Does it keep logs?
- Does it support the DNSCrypt protocol specification?
- Does it support DNSSEC (assuming you want to use it in conjunction with DNSCrypt, and use Unbound to enforce it)?
- Is the latency low enough?
- Is the company or individual running the server trustworthy, or do they appear to have ulterior motives?
As it stands, I trust the dnscrypt-eu servers. However, if you have no need for DNSSEC support, you can look into the various cryptostorm servers (if you're not in Europe), or the OpenNIC ones, if you'd like to make use of their extra TLDs.
Sandboxing
It is possible to sandbox DNSCrypt and even recommended, amongst the considerations already highlighted in this article (separate user with no home directory)—but you may only do one!
To do this, simply edit your systemd/openrc scripts by installing firejail and adding the prefix 'firejail' before dnscrypt-proxy. Firejail comes bundled with a profile for DNSCrypt and many more, which you can analyse, and even edit, by issuing vim /etc/firejail
Troubleshooting
Run hostip -r 127.0.0.1 example.com
. If that outputs an IP, then DNSCrypt is working and the problem lies with whatever DNS cache you're using (most likely Dnsmasq or Unbound). If not, then your DNS server might be down, in which case you should issue sudo chattr -i /etc/resolv.conf
to unlock your resolv.conf, and temporarily change the nameserver to a DNS server of your choice until you fix the issue (not necessary if you have fall-back DNS servers, as you should).
If none of this fixes it, look at /var/log/dnscrypt-proxy.log and figure it out yourself, or are you not a true /g/entooman?