Slackware-14.1-DnsCrypt Proxy 1.4.3

Posted 02-08-2015 at 08:49 PM by arniekat

How To Secure DNS with DNSCrypt-Proxy. DNSCrypt-Proxy encrypts and authenticates the DNS traffic between your computer and a DNSCrypt-capable DNS resolver, so queries cannot be read or tampered with on the way. This particular setup optionally caches DNS entries in RAM (using dnsmasq), which speeds up repeated DNS queries. If you want/need to cache them on your hard drive, pdnsd would be a better solution.

Source - SlackBuilds.org and ArchLinux Wiki

Compile and install:
1. ldns-1.6.17
2. libsodium-1.0.2
3. dnscrypt-proxy-1.4.3

The configuration file is set up to use the "dnscrypt" user by default, and to chroot into that user's home directory to maximize security. In order to use the default configuration you should create a dnscrypt user and group with the following commands:

# groupadd -g 293 dnscrypt
# useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user you should edit the CHROOTDIR and USER options in /etc/default/dnscrypt-proxy (there are example settings provided for the user 'nobody'). Compile and install the three applications.

EXTENSION MECHANISM FOR DNS

EDNS is an extension mechanism for DNS that enlarges several fixed-size parameters of the DNS protocol, notably the maximum UDP message size. It is backward compatible with older DNS servers, which simply ignore the OPT pseudo-record, so it is safe to enable.

To test edns0 on your system, issue the following command, which queries the DNS-OARC reply size test server. dig is part of the bind package.

$ dig +short rs.dns-oarc.net txt
rst.x1384.rs.dns-oarc.net.
rst.x1394.x1384.rs.dns-oarc.net.
rst.x1353.x1394.x1384.rs.dns-oarc.net.
"2620:0:cc8::15 DNS reply size limit is at least 1394"
"2620:0:cc8::15 sent EDNS buffer size 1410"
"Tested at 2015-01-05 04:32:56 UTC"

Edit the file /etc/default/dnscrypt-proxy

# vi /etc/default/dnscrypt-proxy

# Transparently add an OPT pseudo-RR to outgoing queries in order to enable
# the EDNS0 extension mechanism. The payload size is the size of the largest
# response we accept from the resolver before retrying over TCP. This feature
# is enabled by default, with a payload size of 1252 bytes. Any value below
# 512 disables it.
#EDNSPAYLOADSIZE[0]="1252"
EDNSPAYLOADSIZE[0]="2048"

Save the file and exit.
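To see what EDNSPAYLOADSIZE and the "options edns0" line actually put on the wire, here is a small Python example added to this post (it is not code from the SlackBuild or from dnscrypt-proxy): build_query() adds an OPT pseudo-RR advertising a chosen UDP payload size, and edns_payload_size() reads the advertised size back out of any DNS message, such as a reply from the proxy. The function names are my own, and SAMPLE_REPLY is a constructed message, not a capture.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    labels = [label.encode() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_query(name, qtype=16, udp_payload=2048, txid=0x1234):
    """Build a query (default TXT); a udp_payload below 512 omits the OPT RR,
    mirroring how EDNSPAYLOADSIZE in /etc/default/dnscrypt-proxy disables EDNS0."""
    use_edns = udp_payload >= 512
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_edns else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QCLASS IN
    if not use_edns:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS field = UDP payload size, TTL field =
    # extended RCODE/version/flags (all zero here), RDLENGTH 0.
    return header + question + b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_payload, 0, 0)

def skip_name(msg, off):
    """Return the offset just past a wire-format name; a 2-byte pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_payload_size(msg):
    """Return the UDP payload size advertised by the OPT RR in msg, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None

# Constructed sample reply (not a real capture): one A answer whose name is a
# compression pointer back to the question, plus an OPT RR advertising 1410 bytes.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                + encode_name("rs.dns-oarc.net") + struct.pack(">HH", 1, 1)
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
                + b"\x00" + struct.pack(">HHIH", OPT_TYPE, 1410, 0, 0))
```

To exercise the local proxy, send build_query("rs.dns-oarc.net") over a UDP socket to 127.0.0.1:53 and pass the reply to edns_payload_size(); a resolver that ignores EDNS returns None.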

ETC/RESOLV.CONF

My /etc/resolv.conf file before the changes is as follows:

# cat /etc/resolv.conf

# Generated by NetworkManager
domain attlocal.net
search attlocal.net
nameserver 192.168.1.254

In order to send all DNS requests through dnscrypt-proxy, you will need to update /etc/resolv.conf to point to localhost. DHCP will overwrite this file on every reboot, so you need to enter the information and make the /etc/resolv.conf file immutable.

Make the /etc/resolv.conf file look like the following. I enabled EDNS by using the "options edns0" directive.

# vi /etc/resolv.conf

nameserver 127.0.0.1
options edns0

Save the file and exit. Make the file immutable so it will not be changed by your network setup when you reboot.

# chattr +i /etc/resolv.conf
# lsattr /etc/resolv.conf
----i--------e-- /etc/resolv.conf

NOTE - If your /etc/resolv.conf file keeps changing back to your old setting even after editing it, the reason is that the networking system is locking the file. When my computer did this, I turned off the wicd script (or NetworkManager)

# chmod -x /etc/rc.d/rc.wicd

and rebooted so that my Wireless Network was not turned on. Then I edited the file /etc/resolv.conf and made it immutable. After that I changed the rc.wicd script to executable

# chmod +x /etc/rc.d/rc.wicd

and rebooted. The file /etc/resolv.conf accepted the changes and became immutable and everything worked fine.

WICD

If you are using a wireless network manager like NetworkManager or Wicd, you need to add the DNS Server 1 entry 127.0.0.1. For wicd, left-click the wicd icon and click on the "Properties" of your Wifi connection.

CHECK Use Static DNS
DNS domain
Search domain
DNS server 1 127.0.0.1
DNS server 2
DNS server 3

Click "OK"

NETWORK MANAGER

Left-click the Network Manager System Tray Icon. Select your Active Wireless Connection. Click the wrench at the upper right-hand corner of the dialog box. The Connection Editor Dialog Box will appear. Click the Connection Name. Now, a wrench with "Edit" on it will appear. Click the Wrench button. Now you can edit your Wifi Connection.

Click the IPv4 Tab
Other DNS Servers: 127.0.0.1

Click "OK"

DNSCRYPT-PROXY SETUP

Make sure the file /etc/rc.d/rc.dnscrypt-proxy is executable. If it is not, use the following command:

# chmod +x /etc/rc.d/rc.dnscrypt-proxy

Now, edit the file /etc/rc.d/rc.local and add these lines:

# Start DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy start
fi

Save the file, exit, and be sure the file is executable:

# chmod +x /etc/rc.d/rc.local

To properly stop dnscrypt-proxy on system shutdown, add the following to /etc/rc.d/rc.local_shutdown:

# vi /etc/rc.d/rc.local_shutdown

# Stop DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy stop
fi

Save the file and exit. Reboot your computer or start DNSCrypt-Proxy by running the following command:

# /etc/rc.d/rc.dnscrypt-proxy start

Check that the service is listening:

# netstat -lundt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*

Port 53 is the DNS service port. Note that both the TCP and UDP listeners are bound to 127.0.0.1 only, so nothing outside this machine can reach the proxy.

Make sure that the user "dnscrypt" is the one running the DNSCrypt-Proxy application:

# ps aufx | grep dnscrypt
root 767 0.0 0.0 22572 208 ? Ss 20:43 0:00 /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:55 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=opendns --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy.log
dnscrypt 768 0.0 0.1 22572 2124 ? SL 20:43 0:00 \_ /usr/sbin/dnscrypt-proxy -d --local-address=127.0.0.1:55 --pidfile=/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid --user=dnscrypt --resolver-name=opendns --resolvers-list=/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv --logfile=/var/log/dnscrypt-proxy/dnscrypt-proxy.log

The parent process running as root sets up the chroot jail, then the child process drops privileges and runs dnscrypt-proxy as the dnscrypt user; that is why two processes appear above.

Confirm you are using OpenDNS by going to the following website, and also check the second web address, which should be blocked by OpenDNS as a phishing site. My Web Browser said I wasn't using OpenDNS, but the phishing site was blocked, so it is OK.

http://www.opendns.com/welcome
http://www.internetbadguys.com/

What you have accomplished is that your DNS requests are now sent to the OpenDNS Servers in encrypted form. Reboot your computer to see if the settings hold.

DNS RAM CACHE (OPTIONAL)

Source - ArchLinux Wiki

DNSCrypt-Proxy is a DNS resolver, but the setup can also be configured to cache DNS queries. It will cache queries in RAM, not on your hard drive. If you want to cache on your hard drive, use pdnsd.

The SlackBuild has two configuration files, one for dnsmasq (a small DNS and DHCP server) and one for bind/named (DNS server and utilities). I will be using dnsmasq. Copy the configuration file dnsmasq.conf from the SlackBuild framework over as /etc/dnsmasq.conf.

If you decide to use dnsmasq as a DNS RAM cache, dnsmasq will run on port 53, cache DNS entries in RAM, and forward lookups to dnscrypt-proxy running on port 55. In order to use this configuration you will need to change the port dnscrypt-proxy runs on in /etc/default/dnscrypt-proxy.

# cp /location/of/dnscrypt-proxy/slackbuild/dnsmasq.conf /etc/dnsmasq.conf
# chmod +x /etc/rc.d/rc.dnsmasq

ETC/DNSMASQ.CONF

Here is the content of the /etc/dnsmasq.conf file included in the SlackBuild Tarball. I changed it according to the ArchLinux Wiki suggestions.

# Use dnsmasq as a caching DNS forwarder to dnscrypt-proxy. This configuration
# assumes dnscrypt-proxy is running on port 55.

# Never forward plain names (without a dot or domain part)
domain-needed

# Never forward addresses in the non-routed address spaces.
bogus-priv

# Don't use /etc/resolv.conf. Forward all queries to dnscrypt-proxy.
no-resolv

# Use the resolver on localhost port 55 (dnscrypt-proxy)
server=127.0.0.2#55

# Listen on localhost. Default port 53
listen-address=127.0.0.1

# Pass on the upstream DNSSEC flag. Only enable this if you trust the upstream
# resolver.
#proxy-dnssec

Now, change the dnscrypt-proxy configuration file so that dnscrypt-proxy uses port 55 with a local address of 127.0.0.2. I commented-out the old entry and created a new one.

# vi /etc/default/dnscrypt-proxy

# The local address and (optional) port to listen on. The default port is 53.
#LOCALADDRESS[0]="127.0.0.1:53"

# Change the listening port to 55 so we can cache the dns queries.
LOCALADDRESS[0]="127.0.0.2:55"

Save the file, exit and reboot.
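The step that most often goes wrong here is leaving LOCALADDRESS[0] on the old address, so dnsmasq forwards to a port nothing listens on and every lookup fails. The following Python checker is an addition to this post (not part of the SlackBuild or of either program): it parses the three files and reports when /etc/resolv.conf, the server= line in /etc/dnsmasq.conf and LOCALADDRESS[0] in /etc/default/dnscrypt-proxy do not line up. The function names are my own and the sample file contents are constructed from the snippets above.

```python
import re

def parse_dnsmasq(text):
    """Return (listen-address, (upstream host, port)) from dnsmasq.conf text; server= port defaults to 53."""
    listen, upstream = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("listen-address="):
            listen = line.split("=", 1)[1]
        elif line.startswith("server="):
            host, _, port = line.split("=", 1)[1].partition("#")
            upstream = (host, int(port or 53))
    return listen, upstream

def parse_dnscrypt_local(text):
    """Return (host, port) from an uncommented LOCALADDRESS[0]="host[:port]" line, or None."""
    m = re.search(r'^\s*LOCALADDRESS\[0\]="([^":]+)(?::(\d+))?"', text, re.M)
    return (m.group(1), int(m.group(2) or 53)) if m else None

def parse_resolv(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    return [p[1] for p in (l.split() for l in text.splitlines()) if len(p) > 1 and p[0] == "nameserver"]

def check_chain(resolv_text, dnsmasq_text, dnscrypt_text):
    """Return a list of problems; an empty list means resolv.conf -> dnsmasq -> dnscrypt-proxy lines up."""
    problems = []
    listen, upstream = parse_dnsmasq(dnsmasq_text)
    local = parse_dnscrypt_local(dnscrypt_text)
    nameservers = parse_resolv(resolv_text)
    if nameservers != [listen]:
        problems.append(f"resolv.conf nameservers {nameservers} should be exactly [{listen}] (dnsmasq listen-address)")
    if local is None:
        problems.append("no active LOCALADDRESS[0] line in /etc/default/dnscrypt-proxy")
    elif upstream != local:
        problems.append(f"dnsmasq forwards to {upstream} but dnscrypt-proxy listens on {local}")
    if local and local[1] == 53 and listen == local[0]:
        problems.append("dnsmasq and dnscrypt-proxy would both bind port 53 on the same address")
    return problems

# Constructed sample file contents mirroring the setup above (not read from a live system).
RESOLV = "nameserver 127.0.0.1\noptions edns0\n"
DNSMASQ = "domain-needed\nbogus-priv\nno-resolv\nserver=127.0.0.2#55\nlisten-address=127.0.0.1\n"
DNSCRYPT_OK = '#LOCALADDRESS[0]="127.0.0.1:53"\nLOCALADDRESS[0]="127.0.0.2:55"\n'
DNSCRYPT_UNCHANGED = 'LOCALADDRESS[0]="127.0.0.1:53"\n'  # port never changed for dnsmasq
```

On a real box, call check_chain() with the contents of the three files; a non-empty result points at the exact file to fix before rebooting.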

CHECKING DNSMASQ RAM CACHE

This does a DNS lookup speed test. Pick a website you have not visited recently, since otherwise dnsmasq will already have its address cached in RAM.

$ dig slackware.com | grep "Query time"
;; Query time: 69 msec

Running the command again will use the cached DNS IP and result in a faster lookup time if dnsmasq is set up correctly:

$ dig slackware.com | grep "Query time"
;; Query time: 0 msec
Comments

  1. Comment by rocket357, posted 02-08-2015 at 09:03 PM:
    Cool setup. I have a similar deal with unbound caching via dnscrypt to a dnscrypt server I operate and via tor for all onion addresses. Nice to see other LQers looking into dnscrypt =)