#1 tradetaxfree (Joined: 18 Jan 2012, Posts: 75)
Securing DNS queries with DNScrypt from OpenDNS.
Why DNSCrypt (https://www.opendns.com/technology/dnscrypt/) is so significant

In the same way that SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.
(1) Download & install the dnscrypt-proxy deb (https://github.com/opendns/dnscrypt-proxy/downloads).

*EDIT #2* - latest deb build is now on the github link above (it's really 1.0 but called 0.10)

*EDIT* - I noticed today on github the source is 0.93 & the deb 0.90, so to compile & build the latest deb grab the latest source from here (https://github.com/opendns/dnscrypt-proxy/zipball/master) & in the source directory:

./autogen.sh
./configure --prefix=/usr
make
checkinstall
### & if you are upgrading
sudo service dnscrypt restart
I have put the dnscrypt-proxy_0.93 deb here (http://www.mediafire.com/file/6l6ttq7icknx41c/dnscrypt-proxy_0.93-1_i386.deb). You can also find a deb for KeePassX (http://www.keepassx.org/) 0.4.3 here (http://www.mediafire.com/file/jhodplgiuhy4y7h/keepassx_0.4.3-1_i386.deb).

(2) Install a caching DNS Server:

apt-get install unbound
(3) Bring up a 2nd local IP Address for DNScrypt:

ifconfig lo:1 127.0.0.2 up
Add the following to /etc/network/interfaces (so the interface survives reboots):

auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0

(4) Add the following to the server section of /etc/unbound/unbound.conf:

do-not-query-localhost: no   # in server:, otherwise unbound never sends queries to 127.0.0.0/8
forward-zone:                # its own top-level clause; put it after the server: section
  name: "."
  forward-addr: 127.0.0.2@40
(5) If you obtain your IP Address by DHCP add the following to /etc/dhcp/dhclient.conf

supersede domain-name-servers 127.0.0.1;
If you do not use DHCP, change /etc/resolv.conf to:

nameserver 127.0.0.1
(6) Create /etc/init.d/dnscrypt & add the following:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start dnscrypt
# Description:       Encrypt DNS queries.
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

dnscrypt_start()
{
    echo "Starting dnscrypt"
    "$DAEMON" --local-port=40 --local-address=127.0.0.2 --daemonize   # the listener unbound forwards to
}

dnscrypt_stop()
{
    echo "Stopping dnscrypt"
    # --exec must match the path the daemon was started from
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
Make the script executable & set it to start on boot:

chmod +x /etc/init.d/dnscrypt
update-rc.d dnscrypt defaults
(7) Start services:

killall dhclient
service dnscrypt start
service unbound start
Reconfigure your normal interface (eth0 or wlan0) - or reboot:

ifdown eth0 && ifup eth0
Test DNS is resolving correctly:

host www.google.com
Last edited by tradetaxfree on 20 Jun 2012, 17:02, edited 2 times in total.
#2 ShinyPC (Joined: 20 May 2012, Posts: 1)
I tried this and have 1 problem. Unbound is not forwarding to dnscrypt. I can get dnscrypt to work correctly by itself and I can get unbound to work correctly by itself. But I cannot get unbound to forward to dnscrypt. Ifconfig shows my second loop address 127.0.0.2 but there is no activity on port 40. I use wireshark to monitor my server activity. Can you suggest anything? Also, thanks for writing an excellent and useful article.
#3 tradetaxfree (Joined: 18 Jan 2012, Posts: 75)
To check DNScrypt was listening I used:

netstat -lnptu | grep 127.0.0.2:40
Which should show output like:

tcp        0      0 127.0.0.2:40            0.0.0.0:*               LISTEN      -               
udp        0      0 127.0.0.2:40            0.0.0.0:* 
Are you using wireless & have not restarted the wireless interface wlan0 so that it picks up the new DNS settings?

sudo -s
killall dhclient
service dnscrypt restart
service unbound restart
ifdown wlan0 && ifup wlan0
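An added example (my own, not code from any of the posts above): a small check script for the unbound -> dnscrypt-proxy chain built in post #1, folding in the listener test from post #3. It assumes the 127.0.0.2:40 listener, the config paths and the `netstat -lnptu` column layout used in the posts; the sample outputs it carries are constructed. It also checks the one setting the posted unbound.conf leaves out: unbound ships with `do-not-query-localhost: yes`, so it never sends the forward to 127.0.0.2 until that is set to `no`, which produces exactly the "listener up, no traffic on port 40" symptom described in post #2.

```shell
#!/bin/sh
# Added example, not part of the original posts. Sanity checks for the
# unbound -> dnscrypt-proxy chain. Each check takes its input as a string
# so it can be run against captured output; live_checks gathers real data.
DNSCRYPT_ADDR="127.0.0.2"   # assumed from the posts
DNSCRYPT_PORT="40"

# Check 1: dnscrypt-proxy listens on TCP *and* UDP at ADDR:PORT.
# $1 is the text of `netstat -lnptu` (column 4 is the local address).
listener_ok() {
    printf '%s\n' "$1" | awk -v want="$DNSCRYPT_ADDR:$DNSCRYPT_PORT" '
        $1 == "tcp" && $4 == want { t = 1 }
        $1 == "udp" && $4 == want { u = 1 }
        END { exit !(t && u) }'
}

# Check 2: unbound forwards to ADDR@PORT *and* is allowed to query
# 127.0.0.0/8 at all. Its default do-not-query-localhost: yes silently
# drops the forward, which looks like "no activity on port 40".
# $1 is the text of /etc/unbound/unbound.conf (comments stripped first).
unbound_conf_ok() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v fwd="$DNSCRYPT_ADDR@$DNSCRYPT_PORT" '
        $1 == "forward-addr:"           && $2 == fwd  { f = 1 }
        $1 == "do-not-query-localhost:" && $2 == "no" { l = 1 }
        END { exit !(f && l) }'
}

# Check 3: every nameserver in resolv.conf is the local unbound. A second
# entry (e.g. one dhclient wrote) is a plaintext fallback past the chain.
# $1 is the text of /etc/resolv.conf.
resolv_conf_ok() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        $1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad = 1 }
        END { exit !(n > 0 && !bad) }'
}

# Constructed sample inputs showing what a correct system looks like.
GOOD_NETSTAT='tcp        0      0 127.0.0.2:40            0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.2:40            0.0.0.0:*'
GOOD_UNBOUND='server:
  do-not-query-localhost: no   # default is yes
forward-zone:
  name: "."
  forward-addr: 127.0.0.2@40'
GOOD_RESOLV='nameserver 127.0.0.1'
# The forward-zone alone, without the localhost override: post #2's setup.
BAD_UNBOUND='forward-zone:
  name: "."
  forward-addr: 127.0.0.2@40'

# Runs the checks against the samples; returns 0 if all behave as expected.
selftest() {
    listener_ok "$GOOD_NETSTAT"     || return 1
    unbound_conf_ok "$GOOD_UNBOUND" || return 1
    resolv_conf_ok "$GOOD_RESOLV"   || return 1
    if unbound_conf_ok "$BAD_UNBOUND"; then return 1; fi
    if resolv_conf_ok 'nameserver 127.0.0.1
nameserver 208.67.222.222'; then return 1; fi
    return 0
}

# Live mode reads the real system (run as root): sh check-dns-chain.sh live
live_checks() {
    rc=0
    if listener_ok "$(netstat -lnptu 2>/dev/null)"; then echo "ok: listener on $DNSCRYPT_ADDR:$DNSCRYPT_PORT"
    else echo "FAIL: no tcp+udp listener on $DNSCRYPT_ADDR:$DNSCRYPT_PORT"; rc=1; fi
    if unbound_conf_ok "$(cat /etc/unbound/unbound.conf)"; then echo "ok: unbound forward + do-not-query-localhost: no"
    else echo "FAIL: unbound.conf needs forward-addr $DNSCRYPT_ADDR@$DNSCRYPT_PORT and do-not-query-localhost: no"; rc=1; fi
    if resolv_conf_ok "$(cat /etc/resolv.conf)"; then echo "ok: resolv.conf points only at 127.0.0.1"
    else echo "FAIL: resolv.conf must list only nameserver 127.0.0.1"; rc=1; fi
    # End to end: the answer must come from unbound at 127.0.0.1.
    if host www.google.com 127.0.0.1 >/dev/null 2>&1; then echo "ok: resolution via 127.0.0.1"
    else echo "FAIL: no answer from 127.0.0.1"; rc=1; fi
    return $rc
}

case "${1:-}" in
    live) live_checks ;;
    *)    if selftest; then echo "selftest passed"; else echo "selftest FAILED"; exit 1; fi ;;
esac
```

Run it with no arguments to exercise the checks against the embedded samples, or with `live` as root on the configured machine. On a live box the last thing worth doing is `tcpdump -ni eth0 port 53` (or wlan0) while resolving a few names: the whole point of the chain is that no plaintext DNS leaves the host, so that capture should stay empty.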
#4 tradetaxfree (Joined: 18 Jan 2012, Posts: 75)
I'm unable to modify the original post due to the forum bug.

**EDIT** - v1.1 was released 25/9/12 here (https://github.com/opendns/dnscrypt-proxy/downloads) - change line 17 of the init script to "dnscrypt-proxy --local-address=127.0.0.2:40 --daemonize" (with no quotes)

& after changing run "sudo update-rc.d dnscrypt defaults"
#5 tradetaxfree (Joined: 18 Jan 2012, Posts: 75)
Am unable to update the original post due to the forum bug.

Today I've built the latest 32 bit dnscrypt-proxy (https://github.com/opendns/dnscrypt-proxy) (v1.3.3) & its new crypto dependency libsodium (https://github.com/jedisct1/libsodium). A zip with both files can be found here (http://www.mediafire.com/download/jc2v2sgg11udocl/dnscrypt-proxy_1.3.3_i386.deb.zip).


After installing the libsodium deb run:

sudo ldconfig
Then install dnscrypt-proxy.

The instructions in the 1st post above for compiling from source will work for both libsodium & dnscrypt-proxy.

Don't forget to change line 17 of the init script above to:

dnscrypt-proxy --local-address=127.0.0.2:40 --daemonize
** If you are running the current Debian Stable (Wheezy) then version 1.3.3 of DNScrypt will not work for you (it requires LibC 2.15 or 2.17) - there is a 32 bit deb here of DNScrypt v1.2 (https://www.mediafire.com/download/e9u4yt8t5vkt2kc/dnscrypt-proxy_1.2-1_i386.deb) which will work with Wheezy. To compile the 1.2.1 branch look here (https://github.com/opendns/dnscrypt-proxy/releases/tag/1.2.1).

There are now some alternative DNS servers (https://github.com/opendns/dnscrypt-proxy) that can be queried by DNScrypt which keep no logs. Just add the new settings to line 17 of the script:

--resolver-address=<ip>[:port] --provider-name=<certificate provider FQDN> --provider-key=<provider public key>