LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices


Rate this Entry

Slackware-14.2-Unbound-1.6.3-Dnssec-Dnscrypt-Part-2

Posted 06-17-2017 at 06:56 PM by arniekat

SLAAC SECURITY EXTENSIONS

https://wiki.archlinux.org/index.php/IPv6

Privacy extensions

When a client acquires an address through SLAAC its IPv6 address is derived from the advertised prefix and the MAC address of the network interface of the client. This may raise security concerns as the MAC address of the computer can be easily derived by the IPv6 address. In order to tackle this problem the IPv6 Privacy Extensions standard (RFC 4941) has been developed. With privacy extensions the kernel generates a temporary address that is mangled from the original autoconfigured address. Private addresses are preferred when connecting to a remote server so the original address is hidden. To enable Privacy Extensions reproduce the following steps:

NOTE - These settings MUST be placed on the machine you are using as a DNS Server! If you are using a Raspberry Pi as a DNS Server, place them on the Raspberry Pi.

You can use ifconfig to find the name of your Network Card, usually wlan0 for a Wireless NIC and eth0 for an Ethernet NIC.

You could try and add these lines to /etc/sysctl.conf, but it did not work for me. I had to add them to /etc/rc.d/rc.local

# vi /etc/sysctl.conf

# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.wlan0.use_tempaddr = 2

Save the file and exit. Here is the procedure for using rc.local.

# vi /etc/rc.d/rc.local

# IPv6 SLAAC Security Extensions
echo 2 > /proc/sys/net/ipv6/conf/all/use_tempaddr
echo 2 > /proc/sys/net/ipv6/conf/default/use_tempaddr
echo 2 > /proc/sys/net/ipv6/conf/wlan0/use_tempaddr

Save the file, exit and reboot. After a reboot, the IPv6 Privacy Extensions should be enabled.

SLACKWARE FILE DESCRIPTORS

Source - http://slackwiki.com/Resource_Limits and Squid-Cache Wiki

If you configure Unbound to use more than 1024 file descriptors, you need to enable them in Slackware.

You can check the Soft Limit (User Limits) and the Hard Limit (System Limits) with the following commands:

# ulimit -Sn
1024

# ulimit -Hn
4096

To change the Soft Limit to 8192 and the Hard Limit to 32768, do the following:

# cp /sbin/initscript.sample /etc/initscript

Edit the file /etc/initscript and make it look like this:

# Set umask to safe level, and enable core dumps.
# umask 022
# ulimit -c 2097151
# PATH=/bin:/sbin:/usr/bin:/usr/sbin
# export PATH

# Raise the Hard Limits
ulimit -Hn 32768

# Raise the Soft Limits
ulimit -Sn 8192

# Execute the program.
eval exec "$4"

Save the file and exit. Slackware will automatically run /etc/initscript. You MUST leave the last line as "eval exec "$4"" or your system will lock up and you will have to use a Rescue CD to erase the /etc/initscript file. When you reboot, you can check the soft and hard limits again to make sure it worked.

# ulimit -Sn
8192

# ulimit -Hn
32768

Also, if you are using IPv6, increase the address space by adding the following to /etc/rc.d/rc.local

echo 16384 > /proc/sys/net/ipv6/route/max_size

EXTENDED DNSCRYPT-PROXY AND UNBOUND TESTS

Try to start Dnscrypt-Proxy and Unbound and see if there are any errors.

# /etc/rc.d/rc.dnscrypt-proxy start
Tue Jun 13 16:33:10 2017 [INFO] + DNS Security Extensions are supported
Tue Jun 13 16:33:10 2017 [INFO] + Provider supposedly doesn't keep logs
Tue Jun 13 16:33:10 2017 [INFO] + DNS Security Extensions are supported
Tue Jun 13 16:33:10 2017 [INFO] + Provider supposedly doesn't keep logs
Tue Jun 13 16:33:10 2017 [INFO] + DNS Security Extensions are supported
Tue Jun 13 16:33:10 2017 [INFO] + Namecoin domains can be resolved
Tue Jun 13 16:33:10 2017 [INFO] + Provider supposedly doesn't keep logs

# /etc/rc.d/rc.unbound start
Starting unbound: [ OK ]

Right here is where you may get some errors regarding the Unbound Hosts. If Unbound does not start, check to see if any errors were logged in /var/log/messages and erase those entries from the hosts file.

Reboot the computer so everything starts. Check that everything is running correctly. Are you able to access the Internet? That is always a good sign.

$ netstat -lundt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5353 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5354 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5355 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp6 0 0 ::1:53 :::* LISTEN
udp 0 0 127.0.0.1:5353 0.0.0.0:*
udp 0 0 127.0.0.1:5354 0.0.0.0:*
udp 0 0 127.0.0.1:5355 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp6 0 0 ::1:53 :::*

Here is the netstat command showing separate IP Addresses:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.4:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.3:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.2:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp6 0 0 ::1:53 :::*
udp 0 0 127.0.0.4:53 0.0.0.0:*
udp 0 0 127.0.0.3:53 0.0.0.0:*
udp 0 0 127.0.0.2:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp6 0 0 ::1:53 :::*

DNSCrypt is running three instances at 127.0.0.1:5353, 127.0.0.1:5354 and 127.0.0.1:5355

Unbound is listening for tcp connections at 127.0.0.1:53, tcp6 connections at ::1:53, udp connections at 127.0.0.1:53 and udp6 connections at ::1:53

Check if dnscrypt-proxy is running as the dnscrypt-proxy user:

$ ps aufx | grep dnscrypt-proxy

root 1374 0.0 0.0 3640 184 ? Ss 15:37 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5353 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=dnscrypt.eu-nl --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log
dnscrypt 1377 0.0 0.1 3640 2400 ? SL 15:37 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5353 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=dnscrypt.eu-nl --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --edns-payload-size=4096 --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log

root 1378 0.0 0.0 3640 192 ? Ss 15:37 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5354 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid --user=dnscrypt --resolver-name=dnscrypt.eu-dk --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log
dnscrypt 1383 0.0 0.1 3640 2532 ? SL 15:37 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5354 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid --user=dnscrypt --resolver-name=dnscrypt.eu-dk --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log

root 1384 0.0 0.0 3640 180 ? Ss 15:37 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5355 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid --user=dnscrypt --resolver-name=soltysiak --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log
dnscrypt 1387 0.0 0.1 3640 2396 ? SL 15:37 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:5355 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid --user=dnscrypt --resolver-name=soltysiak --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log

Root starts three instances of dnscrypt-proxy as root and places each of them in sandboxes then changes the process to one owned by the dnscrypt user.

Check if Unbound is running as the unbound user:

$ ps aufx | grep unbound
unbound 1344 0.0 1.5 56940 29008 ? Ss 17:30 0:00 /usr/sbin/unbound -c /etc/unbound/unbound.conf

Check that your Ad Server DNS Queries are being sent to 0.0.0.0 when they go to Unbound.

$ nslookup doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: doubleclick.net
Address: 0.0.0.0

Check that dnscrypt-proxy will resolve addresses by itself.

$ nslookup -port=5353 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5353

Non-authoritative answer:
Name: doubleclick.net
Address: 74.125.192.100

$ nslookup -port=5354 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5354

Non-authoritative answer:
Name: doubleclick.net
Address: 216.58.206.110

$ nslookup -port=5355 doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#5355

Non-authoritative answer:
Name: doubleclick.net
Address: 172.217.11.78

Check that legitimate Web Sites are being resolved correctly.

$ nslookup slackware.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: slackware.com
Address: 64.57.102.36

EDNS is an extension mechanism for DNS to expand the size of several parameters of the DNS System. It is backware compatible with older DNS System's since they will just ignore the OPT information, so it is safe to activate. Before I installed dnscrypt-proxy, this command would return NOTHING.

To test edns0 on your system, you can issue the following command which will test your system with a DNS Reply Size Test Server. Dig is part of the bind package.

$ dig +short rs.dns-oarc.net txt

rst.x1008.rs.dns-oarc.net.
rst.x1968.x1008.rs.dns-oarc.net.
rst.x2454.x1968.x1008.rs.dns-oarc.net.
"Tested at 2017-06-17 23:45:19 UTC"
"77.66.84.233 sent EDNS buffer size 4096"
"77.66.84.233 DNS reply size limit is at least 2454"

This will do a dns lookup speed test. You need to select a website you have not visited since unbound will store it in on-disk cache.

$ dig slackware.com | grep "Query time"
;; Query time: 231 msec

$ dig slackware.com | grep "Query time"
;; Query time: 0 msec

Due to using dnssec validation and dnscrypt-proxy encryption, your initial lookout will be slow while subsequent lookups will be faster.

DNSSEC AND IPV6 AND DNSLEAKS VERIFICATION

Go to http://dnssec.vs.uni-due.de and see if dnssec is being used. Click "Start Test". This test determines whether your DNS resolver validates DNSSEC signatures. For this test you need JavaScript turned on.

You should see a thumbs up if dnssec is verifying signatures along with "Yes, your DNS resolver validates DNSSEC signatures."

Go to http://en.conn.internet.nl/connection for an Extended DNSSEC Test. Click on the Detailed Report.

CHECK All internet destinations reachable (IPv6)
CHECK Protected from redirection to false IP addresses (DNSSEC)

All internet destinations reachable (IPv6)

Congratulations; your internet provider has given you a moderen IPv6 address in addition to your IPv4 address. That allows you to reach all internet destinations, including those that have only IPv6 addresses.

I saw 100% compliance with dnssec.

Go to http://test-ipv6.com to test your IPV6 Compliance.

Test your IPv6 connectivity. This will do a series of tests and let you know if it passed.

Your readiness score
10/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only

What is a DNS leak and why should I care?

When using an anonymity or privacy service, it is extremely important that all traffic originating from your computer is routed through the anonymity network. If any traffic leaks outside of the secure connection to the network, any adversary monitoring your traffic will be able to log your activity.

DNS or the domain name system is used to translate domain names such as www.privacyinternational.org into numerical IP addresses e.g. 123.123.123.123 which are required to route packets of data on the Internet. Whenever your computer needs to contact a server on the Internet, such as when you enter a URL into your browser, your computer contacts a DNS server and requests the IP address. Most Internet service providers assign their customers a DNS server which they control and use for logging and recording your Internet activities.

Under certain conditions, even when connected to the anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat since the anonymity network may be providing a false sense of security while private data is leaking.

Go to DNSLeak to make sure that the only resolvers that are being used are the ones listed in your dnscrypt-proxy configuration file. I have three servers listed there.

Country Name Provider
Netherlands dnscrypt.eu-nl-ipv6 2.dnscrypt-cert.resolver2.dnscrypt.eu
Denmark dnscrypt.eu-dk-ipv6 2.dnscrypt-cert.resolver1.dnscrypt.eu
Poland soltysiak-ipv6 2.dnscrypt-cert.soltysiak.com

Go to https://www.dnsleaktest.com to check for dns leaks. Click on Standard Test.

Query round Progress... Servers found
1 ...... 2

IP Hostname ISP Country
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands
77.66.84.233 resolver2.dnscrypt.eu Netgroup A/S Denmark

Click on the Extended Test.

Query round Progress... Servers found
1 ...... 2
2 ...... 2
3 ...... 2
4 ...... 2
5 ...... 2
6 ...... 2

IP Hostname ISP Country
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands
77.66.84.233 resolver2.dnscrypt.eu Netgroup A/S Denmark

You should only see the IPv6 resolvers shown in the dnscrypt-proxy configuration file /etc/default/dnscrypt-proxy.

ADBLOCKING TESTS

Before setting up unbound adblocking, go and visit some websites which have ads in their pages like Yahoo or YouTube. Then, setup the AdBlocking and revisit those sites to see the difference.

Open up your web browser, type the URL in the appropriate location and go to this website as a test:

http://fastclick.net/

You will get a blank page since the domain is set as NXDOMAIN or "Non'Existent Domain"

MAINTAINING UNBOUND

To get the current server status, use the following command.

# unbound-control status
version: 1.6.3
verbosity: 1
threads: 2
modules: 2 [ validator iterator ]
uptime: 946 seconds
options: control(ssl)
unbound (pid 3937) is running...

Dumping DNS Cache

If in-case you would like to have a dump of a DNS cache information in a text file, you can redirect it to some file using below command for future use.

# unbound-control dump_cache > /tmp/DNS_cache.txt

To restore or import the cache from the dumped file, you can use following command.

# unbound-control dump_cache < /tmp/DNS_cache.txt

Flushing DNS Records

To check whether the specific address was resolved by our forwarders in unbound cache Server, use the below command.

# unbound-control lookup google.com

Some times if our DNS cache server will not reply our query, in mean time we can use to flush the cache to remove information such as A, AAA, NS, SO, CNAME, MX, PTR etc... records from DNS cache. We can remove all information using flush_zone this will remove all informations.

# unbound-control flush www.digitalocean.com
# unbound-control flush_zone tecmintlocal.com

To check which forwards are currently used to resolve.

# unbound-control list_forwards

To remove a single entry from the cache

# unbound-control flush_infra <IP_Address>

To completely flush all the cached information

# unbound-control flush_infra all
ok
Posted in Uncategorized
Views 115 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 06:22 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration