LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices


Rate this Entry

Slackware-14.2-Pdns-Recursor-4.0.6-Dnssec-Dnscrypt

Posted 07-21-2017 at 08:45 PM by arniekat

GENERAL INFORMATION

Source - ArchLinux Wiki and linoxide.com and PowerDNS Website

The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. It is known to power the resolving needs of over 150 million internet connections.

This particular setup will use powerdns-recursor caching with Adblocking and DNSSEC (DNS Security Extensions) and DnsCrypt-Proxy to encrypt all DNS queries.

Since PowerDNS-Recursor will be listening in at 127.0.0.1:53, we will have to make dnscrypt-proxy listen on another address. I chose 127.0.0.2, 127.0.0.3 and 127.0.0.4 to match Arch Linux's instructions. There will be three (3) instances of dnscrypt-proxy running for redundancy.

DNSCrypt-Proxy is a tool for securing communications between a client and a DNS resolver. It provides a local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. By default dnscrypt-proxy is configured to use OpenDNS' servers.

DNSSEC allows a zone (such as a domain) to be signed by its owner, and allows a resolver (for instance, Comcast's DNS servers) to verify the signature, and therefore be sure that the zone data it gets is authentic. It protects the resolver from receiving bad data, but does nothing to prevent MITM or snooping between you and the resolver.

1) The dns server names from the source package file dnscrypt-proxy-1.9.5/dnscrypt-resolvers.csv (LibreOffice-Calc will open it) tend to get stale. When they go stale, you will get the error messages.

Get a fresh file from:

https://github.com/jedisct1/dnscrypt...-resolvers.csv

and copy/overwrite it to: /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

Be sure to use one of the entries from the fresh dnscrypt-resolvers.csv file in your dnscrypt-proxy configuration file!

2) If you are using DNSSEC Security Extensions, try to pick IPv6-Ready Dnssec-Capable Resolvers from the dnscrypt-resolvers.csv list so that it will be 100% Compliant with the test from https://en.internet.nl If you have any IPv4 dns servers in dnscrypt-proxy, the test from https://en.internet.nl WILL NOT BE 100% compliant if it uses those servers. I will use three (3) IPv6 DNS Servers.

3) You will also see some dnscrypt-proxy servers in the main list that are listed as "Adguard DNS Family Protection" and "Remove ads and protect your computer from malware". OpenDNS runs its own DNS Servers with lists of malware and adserver sites, however, they are NOT DNSSEC-Enabled so I did not use them. Also, I will be creating my own list of Malware and Ad Servers List with approximately 70,000 entries which works perfectly for me.

4) You can also use OpenNIC DNS Servers. They have a list of Servers that are Dnscrypt-Capable and Dnssec-Enabled. Use the "ping" (included in Slackware) or "fping" (available in SlackBuilds.org) command to test for which one(s) are the fastest and place those in the /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. Be sure to list them in the configuration file /etc/default/dnscrypt-proxy

DNSCRYPT-PROXY SETUP/CONFIGURATION

DNSCrypt-Proxy secures your communication between your computer and a DNS Resolver. This particular setup caches the DNS entries on-disk with Unbound, which speeds things up for DNS queries.

Compile and install:

libsodium-1.0.12
dnscrypt-proxy-1.9.5

The configuration file is setup to use the "dnscrypt" user by default, and to chroot into that user's home directory to maximize security. In order to use the default configuration you should create a dnscrypt user and group with the following commands:

# groupadd -g 293 dnscrypt
# useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user you should edit the CHROOTDIR and USER options in /etc/default/dnscrypt-proxy (there are example settings provided for the user 'nobody'). Compile and install the three applications.

Edit the file /etc/default/dnscrypt-proxy and place three instances of dnscrypt-proxy for redundancy. Since I will be using the DNS Security Extensions, I need to find three different servers from the dnscrypt-resolvers.csv file that are DNSSEC enabled. The three I chose are DNS Servers that are dnssec-enabled and do not keep logs. I chose three IPv6 Servers.

Country Name
Poland soltysiak-ipv6
Netherlands dnscrypt.eu-nl-ipv6
Denmark dnscrypt.eu-dk-ipv6

# vi /etc/default/dnscrypt-proxy

CHROOTDIR[0]="/run/dnscrypt"
LOCALADDRESS[0]="127.0.0.2"
PIDFILE[0]="/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
USER[0]="dnscrypt"
RESOLVERNAME[0]="soltysiak-ipv6"
RESOLVERSLIST[0]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
EDNSPAYLOADSIZE[0]="4096"
LOGFILE[0]="/var/log/dnscrypt-proxy/dnscrypt-proxy-0.log"

CHROOTDIR[1]="/run/dnscrypt"
LOCALADDRESS[1]="127.0.0.3"
PIDFILE[1]="/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
USER[1]="dnscrypt"
RESOLVERNAME[1]="dnscrypt.eu-dk-ipv6"
RESOLVERSLIST[1]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
LOGFILE[1]="/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log"

CHROOTDIR[2]="/run/dnscrypt"
LOCALADDRESS[2]="127.0.0.4"
PIDFILE[2]="/var/run/dnscrypt-proxy/dnscrypt-proxy-2.pid"
USER[2]="dnscrypt"
RESOLVERNAME[2]="dnscrypt.eu-nl-ipv6"
RESOLVERSLIST[2]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
LOGFILE[2]="/var/log/dnscrypt-proxy/dnscrypt-proxy-2.log"

Save the file and exit.

Make sure the file /etc/rc.d/rc.dnscrypt-proxy is executable. If is not, then use the following command:

# chmod +x /etc/rc.d/rc.dnscrypt-proxy

Now, edit the file /etc/rc.d/rc.local and add these lines:

# Start DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy start
fi

To properly stop dnscrypt-proxy on system shutdown, add the following to /etc/rc.d/rc.local_shutdown

# vi /etc/rc.d/rc.local_shutdown

# Stop DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy stop
fi

Save the file and exit.

RESOLV.CONF AND DHCLIENT.CONF

You need to make two changes to system files in order to use Dnscrypt-Proxy and Pdns-Recursor.

Here is the flow of information:

DNS Request > Pdns-Recursor with Adblock > Dnscrypt-Proxy (With DNSSEC Verification and Dnscrypt Encryption)

In order to send all DNS requests through, then out to dnscrypt-proxy, you will need to update /etc/resolv.conf to point to localhost. DHCP will overwrite this file on every reboot, so you need to enter the information and make the /etc/resolv.conf file immutable. I enabled EDNS by using the "options edns0" directive.

# vi /etc/resolv.conf

nameserver 127.0.0.1
options edns0

Save the file and exit. Change the immutable attribute to make this file immutable so your DHCP System does not change this at the next reboot.

# chattr +i /etc/resolv.conf
# lsattr /etc/resolv.conf
----i---------e---- /etc/resolv.conf

NOTE - If your /etc/resolv.conf file keeps changing back to your old setting even after editing it, the reason is that the networking system is locking the file. When my computer did this, I turned off the wicd script (or NetworkManager)

# chmod -x /etc/rc.d/rc.wicd
# chmod -x /etc/rc.d/rc.networkmanager

and rebooted so that my Wireless Network was not turned on. Then I edited the file /etc/resolv.conf and made it immutable. After that I changed the rc.wicd or rc.networkmanager script to executable

# chmod +x /etc/rc.d/rc.wicd
# chmod +x /etc/rc.d/rc.networkmanager

and rebooted. The file /etc/resolv.conf accepted the changes and became immutable and everything worked fine.

If you need to edit this file again, remove the executable bit from the file:

# chattr -i /etc/resolv.conf

then edit the file, save and set the immutable bit again.

Open and edit the file /etc/dhclient.conf and add the following line:

# vi /etc/dhclient.conf

prepend domain-name-servers 127.0.0.1;

Save the file and exit.

POWERDNS-RECURSOR INSTALLATION

SlackBuilds.org has pdns-recursor-3.2 I used the latest version 4.0.6, but I had to make some changes for it to work.

1) The configuration directory is /etc and I could not change it without some kind of patch
2) The configuration file is /etc/recursor.conf
3) The nsakey hosts file formatted for pdns-recursor MUST be placed in /etc/powerdns since if I put it in /etc, powerdns will try to load ALL the configuration files that end in .conf
4) Pdns-Recursor does not have an init script for pdns-recursor-4.0.6. Get the init script from the pdns-recursor-3.2 Source Code. The file is named "pdns-recursor.init.d" Copy this file to the new pdns-recursor-4.0.6 directory with the SlackBuild tree. I renamed it pdns-recursor as shown below and placed it the SlackBuild folder before compiling.

Create the "powerdns" user and group.

# groupadd -g 325 powerdns
# useradd -d /dev/null -s /bin/false -u 325 -g 325 powerdns

Here are some changes to the SlackBuild so it will compile.

Change the following section(s) from

OPTFLAGS="$SLKCFLAGS" \
make
make install DESTDIR=$PKG
mv $PKG/usr/share/man $PKG/usr/man
mv $PKG/etc/powerdns/recursor.conf-dist $PKG/etc/powerdns/recursor.conf.new
mv $PKG/etc/init.d $PKG/etc/rc.d
mv $PKG/etc/rc.d/pdns-recursor $PKG/etc/rc.d/rc.pdns-recursor.new

...

mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a \
README \
$PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild

to this:

CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/man \
--with-lua \
--docdir=/usr/doc/$PRGNAM-$VERSION \
--build=$ARCH-slackware-linux

make
make install DESTDIR=$PKG

mv $PKG/etc/recursor.conf-dist $PKG/etc/recursor.conf.new
mkdir -p $PKG/etc/rc.d
cp $CWD/pdns-recursor $PKG/etc/rc.d/rc.pdns-recursor.new
mkdir -p $PKG/etc/powerdns

...

mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a COPYING NOTICE README $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild

Compile and install PowerDNS-Recursor

libsodium-1.0.12 (Already installed as part of Dnscrypt-Proxy)
lua-5.1.5
pdns-recursor-4.0.6

Change the excutable bit on the startup script

# chmod +x /etc/rc.d/rc.pdns-recursor

Edit the file /etc/rc.d/rc.local

# vi /etc/rc.d/rc.local

# Start PowerDNS Recursor
if [ -x /etc/rc.d/rc.pdns-recursor ]; then
/etc/rc.d/rc.pdns-recursor start
fi

Save the file and exit.

PDNS-RECURSOR CONFIGURATION

The configuration file is /etc/recursor.conf This is the configuration I am using for this example.

allow-from=127.0.0.1, 192.168.1.0/24
local-address=127.0.0.1
config-dir=/etc
include-dir=/etc/powerdns
query-local-address6=::
dnssec=validate
serve-rfc1918=no
forward-zones-recurse=.=127.0.0.2;127.0.0.3;127.0.0.4
forward-zones-file=/etc/powerdns/adblock.nsakey.20170526
edns-outgoing-bufsize=4096
etc-hosts-file=/etc/hosts
setgid=powerdns
setuid=powerdns

Here is the configuration file if you are using different ports for dnscrypt-proxy. Pdns-Recursor will not start with "local-address=127.0.0.1" so you must change it to "local-address=0.0.0.0"

allow-from=127.0.0.1, 192.168.1.0/24
local-address=0.0.0.0
config-dir=/etc
include-dir=/etc/powerdns
query-local-address6=::
dnssec=validate
serve-rfc1918=no
forward-zones-recurse=.=127.0.0.1:5353;127.0.0.1:5354;127.0.0.1:5355
forward-zones-file=/etc/powerdns/adblock.nsakey.20170526
edns-outgoing-bufsize=4096
etc-hosts-file=/etc/hosts
setgid=powerdns
setuid=powerdns

PDNS-RECURSOR ADBLOCKING

You now need to create a forward-zones-file text file using the regular hosts entries from several sources. This will be used to block ads, scam and tracking domains. This script creates about 70,000 entries. I have also used the hphosts full file (22MB with approx 670K entries) which also worked fine. Run the script to create the Unbound-Formatted Hosts File. Then, use Geany to convert it to a format that pdns-recursor understands.

https://github.com/jodrell/unbound-block-hosts

When you run it, it will create a "tmp" and "lists" folder that can be deleted. The two files in the current directory are "block.conf" and "hosts". The "hosts" file can be appended to /etc/hosts if you want to adblock by that method. The "block.conf" is the Unbound-Formatted hosts file we will be changing so pdns-recursor understands it.

Open the "block.conf" file using Geany. It will look like the following:

local-data: "005.free-counter.co.uk A 0.0.0.0"
local-data: "006.free-adult-counters.x-xtra.com A 0.0.0.0"
local-data: "006.free-counter.co.uk A 0.0.0.0"
local-data: "007.free-counter.co.uk A 0.0.0.0"
local-data: "007.go2cloud.org A 0.0.0.0"

Using Search and Replace, get rid of the

local-data: "

section and Replace the

<SPACE> A 0.0.0.0"

with

=0.0.0.0

Here is the format of the pdns-recursor hosts file named /etc/powerdns/adblock.nsakey.20170526

0.r.msn.com=0.0.0.0
005.free-counter.co.uk=0.0.0.0
006.free-adult-counters.x-xtra.com=0.0.0.0
006.free-counter.co.uk=0.0.0.0
006.freecounters.co.uk=0.0.0.0

In /etc/recursor.conf, the configuration file line is added as follows:

forward-zones-file=/etc/powerdns/adblock.nsakey.20170526

UNBLOCKING ADS FOR DOMAINS

Let's say you want to unblock a domain that is getting blocked by your adblocker. The domain for this example is "doubleclick.com"

$ grep -insr "doubleclick.com" /etc/powerdns/adblock.nsakey.20170526

34495:doubleclick.com=0.0.0.0
37497:ftp.doubleclick.com=0.0.0.0
43140:m.doubleclick.com=0.0.0.0
44260:mediavisor.doubleclick.com=0.0.0.0
50575:reports.doubleclick.com=0.0.0.0
51942:search.doubleclick.com=0.0.0.0
53883:static.doubleclick.com=0.0.0.0
54546:studio.doubleclick.com=0.0.0.0
65140:www.doubleclick.com=0.0.0.0
68473:www2.doubleclick.com=0.0.0.0
68538:www3.doubleclick.com=0.0.0.0

Let say for example it is located on Line 43140 of that file. Use vi and the goto feature to find and delete the line.

# vi /etc/powerdns/adblock.nsakey.20170526

Hit ESC two times. Type the line number, and then press Shift-g . If you press Esc and then Shift-g without specifying a line number, it will take you to the last line in the file.

43140:m.doubleclick.com=0.0.0.0

You will be placed at Line 43140. Press dd to delete the line and :wq to save the file and exit.
Posted in Uncategorized
Views 303 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 12:25 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration