LinuxQuestions.org


craigevil 02-21-2012 02:07 AM

DNSCrypt
 
Encrypt DNS Traffic In Linux With DNSCrypt (Via OpenDNS) ~ Web Upd8: Ubuntu / Linux blog : http://www.webupd8.org/2012/02/encry...inux-with.html

Start DNSCrypt at boot.
Quote:

nano /etc/init.d/dnscrypt.sh
Paste:

#!/bin/sh
### BEGIN INIT INFO
# Provides: dnscrypt
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description: Launch the dnscrypt to communicate with OpenDNS
### END INIT INFO

# Start the proxy in the background; it listens on 127.0.0.1:53 by default.
/usr/sbin/dnscrypt-proxy --daemonize

Save, then:
cd /etc/init.d/
chmod +x dnscrypt.sh
update-rc.d dnscrypt.sh defaults
update-rc.d dnscrypt.sh enable

Configure your connection manager to use 127.0.0.1 as DNS, and now it should work.
Tested, it works with no problems here.

You can download the actual package from the OpenDNS blog.
OpenDNS Community > Blog > Tales from the DNSCrypt: Linux Rising : http://blog.opendns.com/2012/02/16/t...-linux-rising/

k3lt01 02-21-2012 02:23 AM

Thanks for posting this, I've bookmarked the article and will give it a go tomorrow sometime.

craigevil 02-23-2012 07:36 PM

Really surprised more people haven't commented on this.

For me at least it is just one more step in being safe, secure, and more or less anonymous.

dnscrypt+tor+HTTPS Everywhere(SSL)

Added the info about DNSCrypt to my blog post:
Security and Privacy on the Internet - LinuxQuestions.org : http://www.linuxquestions.org/questi...internet-3080/

the trooper 02-24-2012 04:34 AM

Working for me here.
Had to use the .deb file you linked to.
The only other thing I had to do was re-start my router.
Thanks craigevil.

craigevil 03-02-2012 07:30 PM

Post in the antiX forum that goes into way more detail on how to use DNSCrypt with the unbound DNS cache.

antiX-forum - View topic - Secure DNS with DNScrypt - http://antix.freeforums.org/post23679.html#p23679

the trooper 03-13-2012 05:37 PM

Seems I may have spoken too soon. Lost DNS resolution with DNSCrypt.
I could ping an IP address, just not a URL.
Removed the DNSCrypt .deb and re-configured my router accordingly.
Not reliable enough for me.

craigevil 03-13-2012 06:05 PM

Quote:

Originally Posted by the trooper (Post 4626080)
Seems I may have spoken too soon. Lost DNS resolution with DNSCrypt.
I could ping an IP address, just not a URL.
Removed the DNSCrypt .deb and re-configured my router accordingly.
Not reliable enough for me.

No issues with it here. Although, just to be on the safe side, I do have the normal OpenDNS nameservers in my resolv.conf.

Code:

$ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222

Using dig I receive an instant response.
Code:

$ dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 www.yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22767
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Messages has 101 extra bytes at end

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yahoo.com.                IN      A

;; ANSWER SECTION:
www.yahoo.com.          125    IN      CNAME  fp3.wg1.b.yahoo.com.
fp3.wg1.b.yahoo.com.    9      IN      CNAME  any-fp3-lfb.wa1.b.yahoo.com.
any-fp3-lfb.wa1.b.yahoo.com. 17 IN      CNAME  any-fp3-real.wa1.b.yahoo.com.
any-fp3-real.wa1.b.yahoo.com. 17 IN    A      98.139.183.24
any-fp3-real.wa1.b.yahoo.com. 17 IN    A      209.191.122.70

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 13 19:04:13 2012
;; MSG SIZE  rcvd: 256
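
Added example, not from the thread or from dnscrypt-proxy: a small Python check that parses dig output of the kind posted above to confirm the answer really came from the loopback proxy, and lists the non-loopback nameservers in resolv.conf, which the stub resolver will query in plaintext if 127.0.0.1 stops answering (the failure the trooper describes). The dig text, the timed-out sample and the resolv.conf contents are constructed copies of what this thread shows.

```python
import re

# Constructed: trimmed copy of the dig answer posted above (local proxy working).
DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22767
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.yahoo.com.          125    IN      CNAME  fp3.wg1.b.yahoo.com.
any-fp3-real.wa1.b.yahoo.com. 17 IN    A      98.139.183.24
any-fp3-real.wa1.b.yahoo.com. 17 IN    A      209.191.122.70

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed: what dig prints when nothing answers on 127.0.0.1 (proxy down).
DIG_DOWN = ";; connection timed out; no servers could be reached\n"

# Constructed: the resolv.conf shown in the thread (proxy first, OpenDNS after).
RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222
"""

def parse_dig(text):
    """Extract status, answering server and A records from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r";; SERVER: ([\d.]+)#(\d+)", text)
    a_records = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "port": int(server.group(2)) if server else None,
        "a": a_records,
    }

def local_proxy_ok(text):
    """True only if the answer is NOERROR, came from loopback and has A records."""
    d = parse_dig(text)
    return d["status"] == "NOERROR" and d["server"] == "127.0.0.1" and bool(d["a"])

def plaintext_fallbacks(resolv_text):
    """Non-loopback nameservers: queried unencrypted once 127.0.0.1 times out."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)
    return [s for s in servers if not s.startswith("127.")]
```

A non-empty list from plaintext_fallbacks means a proxy outage degrades silently to unencrypted DNS rather than failing, so the fallback entries are a trade-off between availability and the privacy the proxy was installed for.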


RobertEachus 03-15-2012 08:27 AM

Why DNSCRYPT?
 
Ok, so you can encrypt your DNS queries all the way to OpenDNS who then decrypts all your requests and can log all of your queries by IP address with a nice date and time stamp. Hmmm don't want to provide this information to OpenDNS or your ISP? Run a full recursion DNS server. Now only the sites you connect to will get the information about when you connected to them, however someone intercepting the traffic between you and your ISP would still be able to tell where you are going... well without the DNS information they could still look at all the other traffic and see where it is going (destination IP). So what exactly are we getting by encrypting our DNS traffic?

Don't get me wrong this is great and I am sure this will find some great applications that I just haven't thought of yet but so far I haven't thought of them. ;)

