LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices


Rate this Entry

Slackware 14.2-Dnsmasq-2.77-Dnssec-Dnscrypt-Part-2

Posted 06-08-2017 at 11:18 AM by arniekat

SLAAC SECURITY EXTENSIONS

https://wiki.archlinux.org/index.php/IPv6

Privacy extensions

When a client acquires an address through SLAAC its IPv6 address is derived from the advertised prefix and the MAC address of the network interface of the client. This may raise security concerns as the MAC address of the computer can be easily derived by the IPv6 address. In order to tackle this problem the IPv6 Privacy Extensions standard (RFC 4941) has been developed. With privacy extensions the kernel generates a temporary address that is mangled from the original autoconfigured address. Private addresses are preferred when connecting to a remote server so the original address is hidden. To enable Privacy Extensions reproduce the following steps:

NOTE - These settings MUST be placed on the machine you are using as a DNS Server! If you are using a Raspberry Pi as a DNS Server, place them on the Raspberry Pi.

You can use ifconfig to find the name of your Network Card, usually wlan0 for a Wireless NIC and eth0 for an Ethernet NIC.

You could try and add these lines to /etc/sysctl.conf, but it did not work for me. I had to add them to /etc/rc.d/rc.local

# vi /etc/sysctl.conf

# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.wlan0.use_tempaddr = 2

Save the file and exit. Here is the procedure for using rc.local.

# vi /etc/rc.d/rc.local

# IPv6 SLAAC Security Extensions
echo 2 > /proc/sys/net/ipv6/conf/all/use_tempaddr
echo 2 > /proc/sys/net/ipv6/conf/default/use_tempaddr
echo 2 > /proc/sys/net/ipv6/conf/wlan0/use_tempaddr

Save the file, exit and reboot. After a reboot, the IPv6 Privacy Extensions should be enabled.

SLACKWARE FILE DESCRIPTORS

Source - http://slackwiki.com/Resource_Limits and Squid-Cache Wiki

DNS Servers tend to use more than 1024 file descriptors. Here is how you need to enable them in Slackware.

You can check the Soft Limit (User Limits) and the Hard Limit (System Limits) with the following commands:

# ulimit -Sn
1024

# ulimit -Hn
4096

To change the Soft Limit to 8192 and the Hard Limit to 32768, do the following:

# cp /sbin/initscript.sample /etc/initscript

Edit the file /etc/initscript and make it look like this:

# Set umask to safe level, and enable core dumps.
# umask 022
# ulimit -c 2097151
# PATH=/bin:/sbin:/usr/bin:/usr/sbin
# export PATH

# Raise the Hard Limits
ulimit -Hn 32768

# Raise the Soft Limits
ulimit -Sn 8192

# Execute the program.
eval exec "$4"

Save the file and exit. Slackware will automatically run /etc/initscript. You MUST leave the last line as "eval exec "$4"" or your system will lock up and you will have to use a Rescue CD to erase the /etc/initscript file. When you reboot, you can check the soft and hard limits again to make sure it worked.

# ulimit -Sn
8192

# ulimit -Hn
32768

Also, if you are using IPv6, increase the address space by adding the following to /etc/rc.d/rc.local

echo 16384 > /proc/sys/net/ipv6/route/max_size

FIRST-TIME REBOOT AND EXTENDED DNSMASQ CHECKS

Start Dnscrypt-Proxy first.

# /etc/rc.d/rc.dnscrypt-proxy start

Tue May 30 19:21:10 2017 [INFO] + DNS Security Extensions are supported
Tue May 30 19:21:10 2017 [INFO] + Provider supposedly doesn't keep logs
Tue May 30 19:21:10 2017 [INFO] + DNS Security Extensions are supported
Tue May 30 19:21:10 2017 [INFO] + Provider supposedly doesn't keep logs
Tue May 30 19:21:10 2017 [INFO] + DNS Security Extensions are supported
Tue May 30 19:21:10 2017 [INFO] + Provider supposedly doesn't keep logs

Now, try to start dnsmasq.

# /etc/rc.d/rc.dnsmasq start

Here are the messages from /var/log/messages

# cat /var/log/messages

dnsmasq[27739]: started, version 2.77 cachesize 8000
dnsmasq[27739]: compile time options: IPv6 GNU-getopt DBus i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq[27739]: DNSSEC validation enabled
dnsmasq[27739]: using nameserver 127.0.0.1#5355
dnsmasq[27739]: using nameserver 127.0.0.1#5354
dnsmasq[27739]: using nameserver 127.0.0.1#5353
dnsmasq[27739]: read /etc/hosts - 3 addresses
dnsmasq[27739]: read /etc/dnsmasq.d/adblock.nsakey.20170526 - 69417 addresses

Reboot the computer so everything starts. Check that everything is running correctly. Are you able to access the Internet? That is always a good sign.

$ netstat -lundt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5353 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5354 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5355 0.0.0.0:* LISTEN
tcp6 0 0 :::53 :::* LISTEN
udp 0 0 127.0.0.1:5353 0.0.0.0:*
udp 0 0 127.0.0.1:5354 0.0.0.0:*
udp 0 0 127.0.0.1:5355 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp6 0 0 :::53 :::*

DNSCrypt is running three instances at 127.0.0.1:5353, 127.0.0.1:5354 and 127.0.0.1:5355
Dnsmasq is listening for tcp connections at 0.0.0.0:53, tcp6 connections at :::53, udp connections at 0.0.0.0:53 and udp6 connections at :::53

Check if dnscrypt-proxy is running as the dnscrypt-proxy user:

$ ps aufx | grep dnscrypt-proxy

root 24073 0.0 0.0 3644 184 ? Ss 22:01 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5353 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=dnscrypt.eu-nl-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log
dnscrypt 24076 0.0 0.0 3644 184 ? SL 22:01 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5353 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=dnscrypt.eu-nl-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log

root 24077 0.0 0.0 3640 184 ? Ss 22:01 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5354 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid --user=dnscrypt --resolver-name=dnscrypt.eu-dk-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log
dnscrypt 24080 0.0 0.0 3640 184 ? SL 22:01 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5354 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid --user=dnscrypt --resolver-name=dnscrypt.eu-dk-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log

root 24081 0.0 0.0 3644 184 ? Ss 22:01 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5355 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid --user=dnscrypt --resolver-name=soltysiak-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log
dnscrypt 24082 0.0 0.1 3644 2520 ? SL 22:01 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5355 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid --user=dnscrypt --resolver-name=soltysiak-ipv6 --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log

Root starts three instances of dnscrypt-proxy as root and places each of them in sandboxes then changes the process to one owned by the dnscrypt user.

Check if Dnsmasq is running as the dnsmasq user:

$ ps aufx | grep dnsmasq
dnsmasq 24088 0.0 0.4 10936 9304 ? S 22:01 0:00 /usr/sbin/dnsmasq

Check that your Ad Server DNS Queries are failing, which is what you want.

$ nslookup doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: doubleclick.net
Address: 0.0.0.0

Check that dnscrypt-proxy will resolve addresses by itself.

$ nslookup -port=5353 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5353

Non-authoritative answer:
Name: doubleclick.net
Address: 172.217.17.78

$ nslookup -port=5354 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5354

Non-authoritative answer:
Name: doubleclick.net
Address: 172.217.4.238

$ nslookup -port=5355 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5355

Non-authoritative answer:
Name: doubleclick.net
Address: 172.217.17.46
Name: doubleclick.net
Address: 172.217.17.46
Name: doubleclick.net
Address: 172.217.17.46

Check that legitimate Web Sites are being resolved correctly.

$ nslookup slackware.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: slackware.com
Address: 64.57.102.36

EDNS is an extension mechanism for DNS to expand the size of several parameters of the DNS System. It is backware compatible with older DNS System's since they will just ignore the OPT information, so it is safe to activate. Before I installed dnscrypt-proxy, this command would return NOTHING.

To test edns0 on your system, you can issue the following command which will test your system with a DNS Reply Size Test Server. Dig is part of the bind package.

$ dig +short rs.dns-oarc.net txt

rst.x1008.rs.dns-oarc.net.
rst.x1968.x1008.rs.dns-oarc.net.
rst.x2454.x1968.x1008.rs.dns-oarc.net.
"178.216.201.222 DNS reply size limit is at least 2454"
"178.216.201.222 sent EDNS buffer size 4096"
"Tested at 2017-06-03 05:19:31 UTC"

This will do a dns lookup speed test. You need to select a website you have not visited since dnsmasq will store it in on-memory cache.

$ dig slackware.com | grep "Query time"
;; Query time: 231 msec

$ dig slackware.com | grep "Query time"
;; Query time: 0 msec

Due to using dnssec validation, your initial lookout will be slow while subsequent lookups will be fast.

DNSSEC AND IPV6 AND DNSLEAKS VERIFICATION

Go to http://dnssec.vs.uni-due.de and see if dnssec is being used. Click "Start Test". This test determines whether your DNS resolver validates DNSSEC signatures. For this test you need JavaScript turned on.

You should see a thumbs up if dnssec is verifying signatures along with "Yes, your DNS resolver validates DNSSEC signatures."

Go to http://en.conn.internet.nl/connection for an Extended DNSSEC Test. Click on the Detailed Report.

CHECK All internet destinations reachable (IPv6)
CHECK Protected from redirection to false IP addresses (DNSSEC)

All internet destinations reachable (IPv6)

I saw 100% compliance with dnssec.

Go to http://test-ipv6.com to test your IPV6 Compliance.

Test your IPv6 connectivity. This will do a series of tests and let you know if it passed.

Your readiness score
10/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only

Now, check to see if you have a DNS Leak, which basically means you are using other name servers other than the ones configured in dnscrypt-proxy.

Go to DNSLeak to make sure that the only resolvers that are being used are the ones listed in your dnscrypt-proxy configuration file. I have three servers listed there.

Country Name Provider
Netherlands dnscrypt.eu-nl-ipv6 2.dnscrypt-cert.resolver2.dnscrypt.eu
Denmark dnscrypt.eu-dk-ipv6 2.dnscrypt-cert.resolver1.dnscrypt.eu
Poland soltysiak-ipv6 2.dnscrypt-cert.soltysiak.com

Go to https://www.dnsleaktest.com to check for dns leaks. Click on Standard Test.

Query round Progress... Servers found
1 ...... 2

IP Hostname ISP Country
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands
77.66.84.233 resolver2.dnscrypt.eu Netgroup A/S Denmark

Click on the Extended Test.

Query round Progress... Servers found
1 ...... 2
2 ...... 2
3 ...... 2
4 ...... 2
5 ...... 2
6 ...... 2

IP Hostname ISP Country
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands
77.66.84.233 resolver2.dnscrypt.eu Netgroup A/S Denmark

You should only see the IPv6 resolvers shown in the dnscrypt-proxy configuration file /etc/default/dnscrypt-proxy.

ADBLOCKING TESTS

Before setting up unbound adblocking, go and visit some websites which have ads in their pages like Yahoo or YouTube. Then, setup the AdBlocking and revisit those sites to see the difference.

Open up your web browser,type the URL in the appropriate location and go to one of the websites in your dnsmasq addl-hosts file as a test:

http://fastclick.net/

You will get an error message:

This site can’t be reached

fastclick.net refused to connect.
Try: Checking the connection or Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
Posted in Uncategorized
Views 1208 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 10:51 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration