Slackware 14.2-Dnsmasq-2.77-Dnssec-Dnscrypt-Part-1

Posted 06-08-2017 at 11:21 AM by arniekat

Source - Dnsmasq Manpage, ArchLinux Wiki

In this tutorial, we will configure dnsmasq with DNSSEC validation and dnscrypt-proxy, along with adblocking. Dnsmasq is configured to forward to three (3) local instances of dnscrypt-proxy. The upstream DNSCrypt resolvers those instances talk to MUST be DNSSEC-capable (they have to pass the DNSSEC records through unchanged), otherwise dnsmasq has nothing to validate. You will also create a dnsmasq-formatted hosts file at /etc/dnsmasq.d/adblock.nsakey.20170526 containing approximately 70,000 entries for adservers, webbugs, malicious websites and trackers, in the standard hosts format except that the address is 0.0.0.0. Note that this is not NXDOMAIN: dnsmasq answers NOERROR with an A record pointing at 0.0.0.0, so the name resolves but there is no host to reach and the connection fails immediately. I found this to be the fastest method of configuring Adblocking.

If you intend to use a Web Server (Nginx, THTTPD, etc) or a Null Server (Kwakd, PixelServ or NullServ) to hand back a blank page in place of the ad, you must set the address in the dnsmasq additional hosts file to 127.0.0.1 instead of 0.0.0.0. This was the second fastest method of configuring Adblocking, and it outputs a blank page for the ad instead of an error.

Since Dnsmasq will be listening on 0.0.0.0:53 and two programs cannot bind the same port, we have to make dnscrypt-proxy listen on other ports. I chose 127.0.0.1:5353, 127.0.0.1:5354 and 127.0.0.1:5355. There will be three (3) instances of dnscrypt-proxy running on non-privileged ports for redundancy.

DNSCrypt-Proxy is a tool for securing communications between a client and a DNS resolver. It provides a local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server.

DNSSEC allows a zone (such as a domain) to be signed by its owner, and allows a validating resolver to check the signatures and so be sure that the zone data it receives is authentic. It protects against forged or tampered records, but does nothing to prevent MITM or snooping on the path between you and the resolver; that is the gap DNSCrypt closes. In this setup the validating resolver is dnsmasq on your own machine, so you do not have to trust the upstream server to do the validation for you.

Here are 4 reasons why this is a good approach:

1. It leaves web pages intact, with no pattern matching or string substitution in the page content.
2. It blocks access to the ad servers/sites at the DNS level, which is very fast.
3. Your DNS answers are validated by dnsmasq's DNSSEC code, which checks the signature chain from the root trust anchor configured below down to the record you asked for; an answer whose signatures do not verify is returned as SERVFAIL instead of being handed to the application.
4. Your DNS queries are encrypted and authenticated between your computer and the DNSCrypt resolver, so nobody on the path (your LAN, your ISP) can read or rewrite them.

Dnsmasq caches DNS answers in RAM only, never on your hard drive, so the cache is empty again after every restart.

DNSCRYPT-PROXY ISSUES/SOLUTIONS

1) The resolver names in the source package file dnscrypt-proxy-1.9.5/dnscrypt-resolvers.csv (LibreOffice Calc will open it) tend to go stale. When they do, dnscrypt-proxy logs error messages at startup.

Get a fresh file from:

https://github.com/jedisct1/dnscrypt...-resolvers.csv

and copy/overwrite it to: /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

Be sure to use one of the entries from the fresh dnscrypt-resolvers.csv file in your dnscrypt-proxy configuration file!

2) If you are using DNSSEC, try to pick IPv6-ready, DNSSEC-capable resolvers from the dnscrypt-resolvers.csv list so that the test at https://en.internet.nl reports 100% compliance. If dnscrypt-proxy uses any IPv4-only resolvers, the test from https://en.internet.nl WILL NOT report 100% compliance when it goes through those servers. Your machine needs working IPv6 connectivity to reach IPv6 resolvers at all; if it has none, use the IPv4 entries instead. I will use three (3) IPv6 DNS Servers.

3) You will also see some resolvers in the main list described as "Adguard DNS Family Protection" and "Remove ads and protect your computer from malware". OpenDNS runs its own DNS servers with lists of malware and adserver sites; however, they are NOT DNSSEC-enabled, so I did not use them. Also, I will be creating my own Malware and Ad Servers list with approximately 70,000 entries, which works perfectly for me.

4) You can also use OpenNIC DNS servers. They publish a list of servers that are DNSCrypt-capable and DNSSEC-enabled. Use the "ping" command (included in Slackware) or "fping" (available from SlackBuilds.org) to find which one(s) respond fastest, and add those to /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. Be sure to reference them by name in the configuration file /etc/default/dnscrypt-proxy. Ping only measures network round-trip time; dnscrypt-proxy still has to be able to fetch and verify the resolver's certificate when it starts.

DNSCRYPT-PROXY SETUP/CONFIGURATION

Compile and install:

libsodium-1.0.12
dnscrypt-proxy-1.9.5

The configuration file is set up to use the "dnscrypt" user by default, and to chroot into that user's home directory to maximize security. To use the default configuration, create a dnscrypt user and group with the following commands:

# groupadd -g 293 dnscrypt
# useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user, edit the CHROOTDIR and USER options in /etc/default/dnscrypt-proxy (there are example settings provided for the user 'nobody'). Then build and install libsodium and dnscrypt-proxy as listed above; dnsmasq itself is rebuilt in the next section.

Edit the file /etc/default/dnscrypt-proxy and define three instances of dnscrypt-proxy for redundancy. Since I will be using the DNS Security Extensions, I need to find three different IPv6 servers from the dnscrypt-resolvers.csv file that are DNSSEC-enabled. The three I chose are DNSSEC-enabled and do not keep logs.

Country      Resolver name
Netherlands  dnscrypt.eu-nl-ipv6
Denmark      dnscrypt.eu-dk-ipv6
Poland       soltysiak-ipv6

# vi /etc/default/dnscrypt-proxy

# Instance 0. The three instances are identical apart from the local port, the
# upstream resolver and the pid/log file names.
CHROOTDIR[0]="/run/dnscrypt"
LOCALADDRESS[0]="127.0.0.1:5353"
PIDFILE[0]="/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
USER[0]="dnscrypt"
RESOLVERNAME[0]="dnscrypt.eu-nl-ipv6"
RESOLVERSLIST[0]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
# Larger EDNS buffer so DNSSEC answers carrying RRSIG records are not truncated.
EDNSPAYLOADSIZE[0]="4096"
LOGFILE[0]="/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log"

# Instance 1
CHROOTDIR[1]="/run/dnscrypt"
LOCALADDRESS[1]="127.0.0.1:5354"
PIDFILE[1]="/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
USER[1]="dnscrypt"
RESOLVERNAME[1]="dnscrypt.eu-dk-ipv6"
RESOLVERSLIST[1]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
EDNSPAYLOADSIZE[1]="4096"
LOGFILE[1]="/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log"

# Instance 2
CHROOTDIR[2]="/run/dnscrypt"
LOCALADDRESS[2]="127.0.0.1:5355"
PIDFILE[2]="/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid"
USER[2]="dnscrypt"
RESOLVERNAME[2]="soltysiak-ipv6"
RESOLVERSLIST[2]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
EDNSPAYLOADSIZE[2]="4096"
LOGFILE[2]="/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log"

Save the file and exit.

Make sure the file /etc/rc.d/rc.dnscrypt-proxy is executable. If it is not, use the following command:

# chmod +x /etc/rc.d/rc.dnscrypt-proxy

Now edit the file /etc/rc.d/rc.local and add these lines:

# Start DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy start
fi

To stop dnscrypt-proxy cleanly on system shutdown, add the following to /etc/rc.d/rc.local_shutdown:

# vi /etc/rc.d/rc.local_shutdown

# Stop DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy stop
fi

Save the file and exit.

DNSMASQ SETUP

Create the dnsmasq user and group:

# groupadd -g 322 dnsmasq
# useradd -d /dev/null -s /bin/false -u 322 -g 322 dnsmasq

Recompile the dnsmasq-2.77 Slackware package with the following change to the SlackBuild to enable the DNSSEC code (dnsmasq needs the nettle library and headers at build time for this):

Original SlackBuild

# Default CFLAGS are "-W -Wall -O2" - that's good enough.
make $NUMJOBS all-i18n PREFIX=/usr MANDIR=/usr/man || exit 1
make install-i18n PREFIX=/usr DESTDIR=$PKG MANDIR=/usr/man || exit 1
chmod 0755 $PKG/usr/sbin/dnsmasq

Modified SlackBuild

# Default CFLAGS are "-W -Wall -O2" - that's good enough.
make $NUMJOBS COPTS='-DHAVE_DNSSEC -DHAVE_DBUS' all-i18n PREFIX=/usr MANDIR=/usr/man || exit 1
make install-i18n COPTS='-DHAVE_DNSSEC -DHAVE_DBUS' PREFIX=/usr DESTDIR=$PKG MANDIR=/usr/man || exit 1
chmod 0755 $PKG/usr/sbin/dnsmasq

Move the old /etc/dnsmasq.conf aside as /etc/dnsmasq.conf.default and create a new dnsmasq configuration file:

# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# vi /etc/dnsmasq.conf

# Answer queries arriving on wlan0 and on loopback. With interface= set, dnsmasq
# also serves every other host on that network; if only this machine should use
# it, remove the interface= line and add bind-interfaces so that only
# 127.0.0.1:53 is bound.
interface=wlan0
listen-address=127.0.0.1
# Ignore /etc/resolv.conf and forward only to the three dnscrypt-proxy instances
no-resolv
server=127.0.0.1#5353
server=127.0.0.1#5354
server=127.0.0.1#5355
# Validate DNSSEC against the root trust anchor in the file below, and require
# proof (NSEC/NSEC3 records) that a zone really is unsigned when no RRSIG comes back
dnssec
conf-file=/etc/dnsmasq.d/trust-anchors.conf
dnssec-check-unsigned
# Try the servers strictly in the order listed, moving to the next only on failure
strict-order
# Never forward plain names without a dot, or reverse lookups of private ranges
domain-needed
bogus-priv
dns-forward-max=4000
cache-size=8000
neg-ttl=3600
# Drop root privileges after binding port 53
user=dnsmasq
group=dnsmasq
# The adblock hosts file built later in this tutorial
addn-hosts=/etc/dnsmasq.d/adblock.nsakey.20170526

Save the file and exit.

Here is the content of the file /etc/dnsmasq.d/trust-anchors.conf. The format of each line is trust-anchor=<zone>,<key tag>,<algorithm>,<digest type>,<digest>:

# The root DNSSEC trust anchor, valid as at 10/02/2017
#
# Note that these are DS records (ie a hash of each root Key Signing Key, not
# of the Zone Signing Key). They were downloaded from
# https://data.iana.org/root-anchors/root-anchors.xml
# Key tag 19036 is the 2010 KSK; 20326 is the 2017 KSK published for the root
# key rollover. Listing both keeps validation working across the rollover.

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
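Rather than transcribing the digests by hand, the trust-anchor= lines can be generated from the root-anchors.xml file itself. The script below is an added example, not part of the original post: it converts the XML into dnsmasq syntax, sanity-checks each digest, and skips any anchor whose validUntil date has already passed, so a retired KSK never lingers in the config. The XML embedded in it is a constructed sample that mirrors the structure of IANA's file (the two digests are the ones listed above); run it on the real download instead, and verify the download against IANA's detached signature (root-anchors.p7s) before trusting it.

```sh
#!/bin/sh
# Added example: generate /etc/dnsmasq.d/trust-anchors.conf from IANA's
# root-anchors.xml.  Reads the XML on stdin, writes dnsmasq config on stdout.
# Usage: root_anchors_to_dnsmasq < root-anchors.xml > /etc/dnsmasq.d/trust-anchors.conf

# iso_before A B: true when ISO-8601 UTC timestamp A is earlier than B.
# Both share one fixed-width format, so a byte-wise sort is a time sort.
iso_before() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# root_anchors_to_dnsmasq [NOW]: NOW is an ISO timestamp used for the expiry
# check (defaults to the current UTC time).  Returns non-zero when no usable
# anchor was found, so a broken download cannot produce an empty anchor file.
root_anchors_to_dnsmasq() {
    now="${1:-$(date -u +%Y-%m-%dT%H:%M:%S)}"
    zone=. tag= alg= dtype= digest= valid_until= emitted=0
    while IFS= read -r line; do
        case "$line" in
            *"<Zone>"*)
                zone=${line#*<Zone>}; zone=${zone%</Zone>*} ;;
            *"<KeyDigest "*)
                valid_until=
                case "$line" in
                    *validUntil=\"*)
                        valid_until=${line#*validUntil=\"}
                        valid_until=${valid_until%%\"*} ;;
                esac ;;
            *"<KeyTag>"*)     tag=${line#*<KeyTag>};       tag=${tag%</KeyTag>*} ;;
            *"<Algorithm>"*)  alg=${line#*<Algorithm>};    alg=${alg%</Algorithm>*} ;;
            *"<DigestType>"*) dtype=${line#*<DigestType>}; dtype=${dtype%</DigestType>*} ;;
            *"<Digest>"*)     digest=${line#*<Digest>};    digest=${digest%</Digest>*} ;;
            *"</KeyDigest>"*)
                # Sanity checks: numeric tag/algorithm/type, hex digest, 64 hex
                # chars (SHA-256) when the digest type is 2.
                ok=1
                for f in "$tag" "$alg" "$dtype"; do
                    case "$f" in ''|*[!0-9]*) ok=0 ;; esac
                done
                case "$digest" in ''|*[!0-9A-Fa-f]*) ok=0 ;; esac
                if [ "$dtype" = 2 ] && [ "${#digest}" -ne 64 ]; then ok=0; fi
                if [ "$ok" -eq 0 ]; then
                    echo "skipping malformed KeyDigest (key tag '$tag')" >&2
                elif [ -n "$valid_until" ] && iso_before "${valid_until%%[+Z]*}" "$now"; then
                    echo "skipping expired anchor: key tag $tag (validUntil $valid_until)" >&2
                else
                    printf 'trust-anchor=%s,%s,%s,%s,%s\n' "$zone" "$tag" "$alg" "$dtype" "$digest"
                    emitted=$((emitted + 1))
                fi
                tag= alg= dtype= digest= valid_until= ;;
        esac
    done
    [ "$emitted" -gt 0 ]
}

# Constructed sample (not the real download) with the layout of IANA's file.
SAMPLE_ROOT_ANCHORS='<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-sample" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>20326</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
</KeyDigest>
</TrustAnchor>'

# Demo run on the sample, judged against today's date.
printf '%s\n' "$SAMPLE_ROOT_ANCHORS" | root_anchors_to_dnsmasq
```

Run on 8 June 2017 the sample yields both lines above; run today it yields only the 20326 line and reports the 2010 key as expired on stderr. Redirect the output to a temporary file and compare it with the current trust-anchors.conf before replacing it.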

Set the executable bit on /etc/rc.d/rc.dnsmasq so it starts at every boot:

# chmod +x /etc/rc.d/rc.dnsmasq

Add the localhost6 address to /etc/hosts:

# vi /etc/hosts

# For loopbacking.
127.0.0.1 localhost
127.0.0.1 hyacinth.linux.net hyacinth
::1 localhost localhost6

RESOLV.CONF AND DHCLIENT.CONF

You need to make two changes to system files in order to use dnscrypt-proxy and dnsmasq.

Here is the flow of a lookup:
DNS Request > Dnsmasq (DNSSEC validation, cache, adblock) > Dnscrypt-Proxy (encryption) > upstream DNSCrypt resolver

In order to send all DNS requests through dnsmasq, and from there out to dnscrypt-proxy, you will need to update /etc/resolv.conf to point at localhost. The DHCP client overwrites this file on every reboot, so enter the information and then make /etc/resolv.conf immutable. I enabled EDNS by using the "options edns0" directive.

# vi /etc/resolv.conf

nameserver 127.0.0.1
options edns0

Save the file and exit. Set the immutable attribute so your DHCP client cannot change this file at the next reboot:

# chattr +i /etc/resolv.conf
# lsattr /etc/resolv.conf
----i---------e---- /etc/resolv.conf

NOTE - If your /etc/resolv.conf file keeps changing back to your old settings even after editing it, the reason is that the networking system is locking the file. When my computer did this, I turned off the wicd script (or NetworkManager):

# chmod -x /etc/rc.d/rc.wicd
# chmod -x /etc/rc.d/rc.networkmanager

and rebooted so that my wireless network was not turned on. Then I edited the file /etc/resolv.conf and made it immutable. After that I changed the rc.wicd or rc.networkmanager script back to executable:

# chmod +x /etc/rc.d/rc.wicd
# chmod +x /etc/rc.d/rc.networkmanager

and rebooted. The file /etc/resolv.conf accepted the changes and became immutable and everything worked fine.

If you need to edit this file again, remove the immutable attribute first:

# chattr -i /etc/resolv.conf

then edit the file, save and set the immutable bit again.

Open /etc/dhclient.conf and add the following line, so that even if the DHCP client does get to rewrite resolv.conf, 127.0.0.1 is listed before any server the DHCP lease supplies:

# vi /etc/dhclient.conf

prepend domain-name-servers 127.0.0.1;

Save the file and exit.
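With resolv.conf pointing at dnsmasq the whole chain is in place, and each hop can be checked with dig (from Slackware's bind package). The script below is an added example, not part of the original post. Its parsing functions take captured dig output as their argument, so they run offline against the constructed samples embedded in the script; setting RUN_LIVE=1 runs the same checks for real: every dnscrypt-proxy port must answer and return RRSIG records (without them dnsmasq cannot validate), dnsmasq must set the AD flag for a signed name and return SERVFAIL for a name with broken signatures, and a name from the adblock file must resolve to 0.0.0.0. The domains it defaults to (isc.org as a signed zone, dnssec-failed.org as a zone with deliberately bad signatures) are assumptions you can override through the SIGNED_NAME and BROKEN_NAME variables.

```sh
#!/bin/sh
# Added example: check the chain application -> dnsmasq (127.0.0.1:53)
# -> dnscrypt-proxy (127.0.0.1:5353-5355) from captured or live dig output.

# dig_status OUTPUT: the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from the header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT: true when the AD (Authenticated Data) flag is set, i.e.
# dnsmasq validated the signature chain from the root trust anchor.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:[^;]* ad[ ;]'
}

# dig_has_rrsig OUTPUT: true when signatures came back with the answer; a hop
# that strips them makes validation in dnsmasq impossible.
dig_has_rrsig() {
    printf '%s\n' "$1" | grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]'
}

# dig_a_records OUTPUT: the addresses of the A records in the answer section.
dig_a_records() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^$/ || /^;;/         { in_ans = 0 }
        in_ans && $4 == "A"   { print $5 }'
}

# dnssec_verdict OUTPUT: secure (validated), insecure (answered but unsigned
# or unvalidated), bogus (dnsmasq refused a failed signature with SERVFAIL).
dnssec_verdict() {
    case "$(dig_status "$1")" in
        NOERROR)  if dig_has_ad "$1"; then echo secure; else echo insecure; fi ;;
        SERVFAIL) echo bogus ;;
        *)        echo unknown ;;
    esac
}

# is_sinkholed OUTPUT: true when the name resolved only to the adblock sink 0.0.0.0.
is_sinkholed() {
    addrs=$(dig_a_records "$1")
    [ -n "$addrs" ] && [ -z "$(printf '%s\n' "$addrs" | grep -v '^0\.0\.0\.0$')" ]
}

# Constructed dig output (not real captures); 192.0.2.x are documentation addresses.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.    60  IN  A      192.0.2.10
example.com.    60  IN  RRSIG  A 8 2 60 20170701000000 20170601000000 12345 example.com. c29tZXNpZ25hdHVyZQ==

;; Query time: 12 msec'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
unsigned.example.    60  IN  A  192.0.2.11'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
m.doubleclick.com.  0  IN  A  0.0.0.0'

# check_live: query the real resolvers; non-zero exit if any hop misbehaves.
check_live() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found; install the bind package" >&2; return 2; }
    signed=${SIGNED_NAME:-isc.org}               # assumed: a DNSSEC-signed zone
    broken=${BROKEN_NAME:-dnssec-failed.org}     # assumed: deliberately invalid signatures
    blocked=${BLOCKED_NAME:-m.doubleclick.com}   # a name present in the adblock hosts file
    rc=0
    for port in 5353 5354 5355; do
        out=$(dig @127.0.0.1 -p "$port" +dnssec +time=3 +tries=1 "$signed" A 2>&1 || true)
        if [ "$(dig_status "$out")" = NOERROR ] && dig_has_rrsig "$out"; then
            echo "dnscrypt-proxy :$port  ok, answers with RRSIGs"
        else
            echo "dnscrypt-proxy :$port  FAIL (rcode: $(dig_status "$out"))"; rc=1
        fi
    done
    out=$(dig @127.0.0.1 +dnssec +time=3 +tries=1 "$signed" A 2>&1 || true)
    v=$(dnssec_verdict "$out"); echo "dnsmasq $signed: $v (want secure)"; [ "$v" = secure ] || rc=1
    out=$(dig @127.0.0.1 +dnssec +time=3 +tries=1 "$broken" A 2>&1 || true)
    v=$(dnssec_verdict "$out"); echo "dnsmasq $broken: $v (want bogus)"; [ "$v" = bogus ] || rc=1
    out=$(dig @127.0.0.1 +time=3 +tries=1 "$blocked" A 2>&1 || true)
    if is_sinkholed "$out"; then echo "adblock $blocked: sinkholed"; else echo "adblock $blocked: NOT blocked"; rc=1; fi
    return "$rc"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_live
fi
```

Run `RUN_LIVE=1 sh check-dns-chain.sh` after starting both services. A signed name reported as insecure means dnsmasq is answering but not validating (check that the DNSSEC build and trust-anchors.conf are in place); a broken name reported as secure or insecure means a forged answer would have been accepted.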

DNSMASQ ADBLOCKING

You now need to create a hosts file from the regular hosts entries of several sources. This will be used to block ad, scam and tracking domains. The script below creates about 70,000 entries from 6 different sources. When you run it, it produces an Unbound-formatted configuration file and a plain hosts file; you can use Geany or any text editor to convert either of them to a dnsmasq-format file.

https://github.com/jodrell/unbound-block-hosts

When you run it, it creates "tmp" and "lists" folders that can be deleted afterwards. The two files left in the current directory are "block.conf" (Unbound format) and "hosts" (hosts format). Convert either of them so that every line looks like the following:

0.0.0.0 0.r.msn.com
0.0.0.0 005.free-counter.co.uk
0.0.0.0 006.free-adult-counters.x-xtra.com
0.0.0.0 006.free-counter.co.uk
0.0.0.0 006.freecounters.co.uk

Save the file as /etc/dnsmasq.d/adblock.nsakey.20170526

In /etc/dnsmasq.conf, the file is referenced by this line (already present in the configuration above):

addn-hosts=/etc/dnsmasq.d/adblock.nsakey.20170526

UNBLOCKING ADS FOR DOMAINS

Let's say you want to unblock a domain that is getting blocked by your adblocker. The domain for this example is "doubleclick.com"

$ grep -insr "doubleclick.com" /etc/dnsmasq.d/adblock.nsakey.20170526

34495:0.0.0.0 doubleclick.com
37497:0.0.0.0 ftp.doubleclick.com
43140:0.0.0.0 m.doubleclick.com
44260:0.0.0.0 mediavisor.doubleclick.com
50575:0.0.0.0 reports.doubleclick.com
51942:0.0.0.0 search.doubleclick.com
53883:0.0.0.0 static.doubleclick.com
54546:0.0.0.0 studio.doubleclick.com
65140:0.0.0.0 www.doubleclick.com
68473:0.0.0.0 www2.doubleclick.com
68538:0.0.0.0 www3.doubleclick.com

Let's say, for example, that the entry you want to remove is on line 43140 of that file. Use vi and its goto command to find and delete the line.

# vi /etc/dnsmasq.d/adblock.nsakey.20170526

Press Esc to make sure you are in command mode. Type the line number, then press Shift-g. If you press Esc and then Shift-g without a line number, vi jumps to the last line of the file.

43140:0.0.0.0 m.doubleclick.com

You will be placed on line 43140. Press dd to delete the line and :wq to save the file and exit. Dnsmasq only reads its hosts files when it starts or receives a SIGHUP, so restart it (/etc/rc.d/rc.dnsmasq restart) or send it SIGHUP for the change to take effect.
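Both the conversion to dnsmasq format and the unblocking of individual names can be scripted instead of done by hand in an editor. The function below is an added example, not part of the original post or of unbound-block-hosts: it reads one or more hosts-format lists (such as the "hosts" file the script above produces), keeps only lines that already point at a sink address, lower-cases and validates each name, drops loopback aliases and duplicates, removes anything on an allowlist (exact match, one name per line), and writes the result with the sink address of your choice, 0.0.0.0 as in this post or 127.0.0.1 for a local pixel server. The input it runs on is a constructed sample written to a temporary directory; the allowlist path and file name are assumptions, pick whatever suits your /etc/dnsmasq.d layout.

```sh
#!/bin/sh
# Added example: build the dnsmasq addn-hosts blocklist from hosts-format
# lists plus an allowlist of names that must never be blocked.
# Usage: hosts_to_dnsmasq SINK ALLOWLIST HOSTSFILE... > /etc/dnsmasq.d/adblock.new
#        then move the new file into place and restart dnsmasq (or send SIGHUP).
hosts_to_dnsmasq() {
    sink=$1; allowlist=$2; shift 2
    awk -v sink="$sink" -v allowfile="$allowlist" '
        # The allowlist is read first: one name per line, "#" starts a comment.
        # (Matched on FILENAME, so an empty allowlist works too.)
        FILENAME == allowfile { sub(/#.*/, ""); if ($1 != "") allow[tolower($1)] = 1; next }
        {
            sub(/#.*/, "")                      # drop comments, including trailing ones
            if (NF < 2) next                    # need "address name [name...]"
            # Only lines already pointing at a sink are blocklist entries; a real
            # mapping such as "192.168.1.10 nas.lan" must not be turned into a block.
            if ($1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/) next
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # loopback aliases that every hosts file carries are not ad servers
                if (name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/) continue
                # a multi-label hostname: letters, digits, "-" and "_" in each label
                if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) continue
                if (name in allow) continue     # explicitly unblocked
                if (!(name in seen)) { seen[name] = 1; print sink, name }
            }
        }' "$allowlist" "$@" | LC_ALL=C sort
}

# Constructed sample input (not real list data) covering the cases handled:
# comments, several names per line, mixed case, duplicates, junk, and a real
# LAN mapping that must be left alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/allow" <<'EOF'
# names that must never be blocked (exact match)
m.doubleclick.com
EOF
cat > "$SAMPLE_DIR/hosts" <<'EOF'
# constructed hosts-format blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost
127.0.0.1 0.r.msn.com
0.0.0.0 005.free-counter.co.uk 006.free-counter.co.uk
0.0.0.0 M.DoubleClick.com
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad host!.example
192.168.1.10 nas.lan
EOF

# Demo: prints four 0.0.0.0 lines; m.doubleclick.com is gone because it is allowlisted.
hosts_to_dnsmasq 0.0.0.0 "$SAMPLE_DIR/allow" "$SAMPLE_DIR/hosts"
```

Keeping the allowlist as a file of its own means a fresh download of the source lists never re-blocks a name you already decided to unblock; regenerate the addn-hosts file from the sources plus the allowlist instead of editing the 70,000-line result.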