dnscrypt-proxy

dnscrypt-proxy is a DNS proxy client with support for the encrypted DNS protocols DNS over HTTPS and DNSCrypt, which can be used to prevent man-in-the-middle attacks and eavesdropping. dnscrypt-proxy is also compatible with DNSSEC.

Installation

Install the dnscrypt-proxy package.

Configuration

Startup

Note: Even though there are two ways to start the proxy, upstream recommends the service one.

The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):

  1. With the systemd service dnscrypt-proxy.service.
    • The listen_addresses option must be configured (e.g. listen_addresses = ['127.0.0.1:53', '[::1]:53']) in the configuration file when using the service.
  2. Through socket activation using dnscrypt-proxy.socket.
    • The listen_addresses option must be set to empty (i.e. ) in the configuration file, since systemd is taking care of the socket configuration.

Select resolver

By leaving commented out in the configuration file , dnscrypt-proxy will choose the fastest server from the sources already configured under . The lists will be downloaded, verified, and automatically updated . Thus, configuring a specific set of servers is optional.

To manually set which server is used, edit and uncomment the variable, selecting one or more of the servers. For example, to use Cloudflare's servers:

server_names = ['cloudflare', 'cloudflare-ipv6']

A full list of resolvers is located at the upstream page or Github. If dnscrypt-proxy has run successfully on the system before, /var/cache/dnscrypt-proxy/public-resolvers.md will also contain a list. Look at the description for servers note which validate DNSSEC, do not log, and are uncensored. These requirements can be configured globally with the , , options.

Disable any services bound to port 53

Tip: If using #Unbound as your local DNS cache this section can be ignored, as unbound runs on port 53 by default.

To see if any programs are using port 53, run:

 $ ss -lp 'sport = :domain'

If the output contains more than the first line of column names, you need to disable whatever service is using port 53. One common culprit is (NetworkManager#Unit dbus-org.freedesktop.resolve1.service not found), but other network managers may have analogous components. You are ready to proceed once the above command outputs nothing more than the following line:

 Netid               State                 Recv-Q                Send-Q                                 Local Address:Port                                   Peer Address:Port

Modify resolv.conf

Modify the resolv.conf file and replace the current set of resolver addresses with the address for localhost and options :

nameserver ::1
nameserver 127.0.0.1
options edns0

Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.

Start systemd service

Finally, start/enable the dnscrypt-proxy.service unit or dnscrypt-proxy.socket, depending on which method you chose above.

Check if dnscrypt-proxy is working

Open the browser and head to DnsLeakTest and do an extended test, if the results show servers that you have set in the configuration files it means that dnscrypt-proxy is working, otherwise something is wrong.

Tips and tricks

Local DNS cache configuration

It is recommended to run dnscrypt-proxy as a forwarder for a local DNS cache if not using dnscrypt-proxy's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must setup your local DNS cache program.

Change port

In order to forward queries from a local DNS cache, dnscrypt-proxy should listen on a port different from the default , since the DNS cache itself needs to listen on and query dnscrypt-proxy on a different port. Port number 53000 is used as an example in this section. In this example, the port number is larger than 1024 so dnscrypt-proxy is not required to be run by root.

There are two methods for changing the default port:

Socket method

Edit dnscrypt-proxy.socket with the following contents:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:53000
ListenStream=[::1]:53000
ListenDatagram=127.0.0.1:53000
ListenDatagram=[::1]:53000

When queries are forwarded from the local DNS cache to 53000, dnscrypt-proxy.socket will start dnscrypt-proxy.service.

Service method

Edit the listen_addresses option in with the following:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']

Example local DNS cache configurations

The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000.

Unbound

Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the section in :

  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: ::1@53000
  forward-addr: 127.0.0.1@53000

Restart to apply the changes.

dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with dnscrypt-proxy:

If you configured dnscrypt-proxy to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:

Restart dnsmasq.service to apply the changes.

pdnsd

Install pdnsd. A basic configuration to work with dnscrypt-proxy is:

Restart to apply the changes.

Enable EDNS0

Extension Mechanisms for DNS that, among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your :

options edns0

You may also wish to append the following to :

EDNSPayloadSize <bytes>

Where <bytes> is a number, the default size being 1252, with values up to 4096 bytes being purportedly safe. A value below or equal to 512 bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Test EDNS0

Make use of the DNS Reply Size Test Server, use the drill command line tool to issue a TXT query for the name rs.dns-oarc.net:

$ drill rs.dns-oarc.net TXT

With EDNS0 supported, the "answer section" of the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"
gollark: That seems... pretty terrible, as a system? I mean, with stocks, the point is that they pay dividends and give you control of the company.
gollark: What could possibly go wrong?
gollark: G
gollark: Actually no, it'd be hard as there does not seem to be API documentation now.
gollark: Probably?
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.