Difference between revisions of "DNSCrypt"

From InstallGentoo Wiki
m (Remove systemd as a dependency)
Line 1: Line 1:
 
{{Stub}}
 
{{Stub}}
  
'''DNSCrypt''' acts as a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server.  This is extremely useful for mitigating MITM attacks on DNS.  Only a few servers are known to currently support DNSCrypt, however, adoption is growing.
+
'''DNSCrypt''' acts as a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server.  This is extremely useful for mitigating MITM attacks on DNS.   
  
Note: if you install DNSCrypt, be sure to change the server it's using to something other than OpenDNS, as OpenDNS is known to hijack and block certain domains by default.  Also be sure to change your DNS server address to that of the local resolver (usually 127.0.0.2 or 127.0.0.1).
+
Only a few servers are known to currently support DNSCrypt, however, adoption is growing.
  
 
== Installation ==
 
== Installation ==
 
=== Linux ===
 
=== Linux ===
==== From Source ====
+
==== Requirements & dependencies ====
  # git clone git://github.com/jedisct1/dnscrypt-proxy.git
+
  `-- dev-libs/libsodium
  # cd dnscrypt-proxy
+
  `-- net-libs/ldns
  # ./autogen.sh
+
  `--  [https://wiki.installgentoo.com/index.php/DNSCrypt#Remove_systemd_as_a_dependency sys-apps/systemd] (optional!)
  # ./configure --prefix=/usr
+
  `-- virtual/pkgconfig
  # make
 
  # sudo make install
 
  # sudo nano /etc/resolv.conf
 
      Remove all lines starting with "nameserver" and add "nameserver 127.0.0.1" and save the file.
 
      Pick a server from [http://dnscrypt.org/ dnscrypt.org] and take note of the Server address, Provider name, and Public key.
 
  # sudo dnscrypt-proxy --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key>
 
  
==== Remove systemd as a dependency ====
+
==== Building ====
 +
# git clone git://github.com/jedisct1/dnscrypt-proxy.git
 +
# cd dnscrypt-proxy
 +
# ./autogen.sh
 +
# ./configure --prefix=/usr
 +
# make
 +
# sudo make install
 +
 
 +
===== Remove systemd as a dependency =====
 
In version 1.6 systemd can be removed from the software by leaving its references out of the <code>configure</code> document before compiling.
 
In version 1.6 systemd can be removed from the software by leaving its references out of the <code>configure</code> document before compiling.
 
Relevant lines can be found around 3258 to 3288 of the <code>configure</code> document.
 
Relevant lines can be found around 3258 to 3288 of the <code>configure</code> document.
 
End result should look something like this:
 
End result should look something like this:
  #MANUAL SYSTEMD PATCH. GO AWAY NSA.
+
  # MANUAL SYSTEMD PATCH. GO AWAY NSA.
 
  have_systemd=no
 
  have_systemd=no
 
  HAVE_SYSTEMD_TRUE=
 
  HAVE_SYSTEMD_TRUE=
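Review bot: the new lead section drops the old unmarked note ("Note: if you install DNSCrypt, be sure to change the server it's using ... Also be sure to change your DNS server address to that of the local resolver (usually 127.0.0.2 or 127.0.0.1)") without replacing it, so the intro no longer tells the reader that resolv.conf has to point at the local proxy; keep at least a one-line pointer to the Configuration section. Also, the systemd entry in the new dependency list links to this very page through an absolute https://wiki.installgentoo.com/... URL; an internal section link of the form [[#Remove systemd as a dependency|sys-apps/systemd]] survives page moves and mirrors.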
Line 58: Line 60:
 
  #  HAVE_SYSTEMD_FALSE=
 
  #  HAVE_SYSTEMD_FALSE=
 
  #fi
 
  #fi
Now run <code>sudo ldconfig</code> and <code>./configure</code>, then <code>make</code> and finally <code>sudo checkinstall</code>. This will produce a .deb package, and install it on the system.
+
Now run <code>echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf</code>, <code>sudo ldconfig</code> and <code>./configure</code>, then <code>make</code> and finally <code>sudo make install</code>.
This procedure was performed and tested on Debian 7.3 Wheezy running kernel 3.2.
+
 
 +
== Configuration ==
 +
=== Linux ===
 +
If you would rather run the commands yourself at boot time, edit your /etc/resolv.conf file to look like this:
 +
<code>
 +
domain home
 +
nameserver <the DNSCrypt you picked for --local-address>
 +
options edns0
 +
</code>, lock it with <code>sudo chattr +i /etc/resolv.conf</code>, and then run the following script every time you boot up your PC:
 +
 
 +
<code>sudo dnscrypt-proxy --local-address=<ip>[:port] --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key> --edns-payload-size=4096</code>.
 +
 
 +
Note: I recommend using 127.0.0.1 or 127.0.0.1, and port 40 instead of 53, should you ever want to use Unbound or Dnsmasq with it.
 +
 
 +
==== SystemD ====
 +
WIP
 +
==== OpenRC ====
 +
<code>sudo vim /etc/init.d/dnscrypt-proxy</code> and then
 +
<code>
 +
#!/sbin/runscript
 +
# $Id$
 +
 +
DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log}
 +
 +
rundir=${rundir:-/var/run/dnscrypt-proxy}
 +
pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid}
 +
rundir=${rundir:-/var/run/dnscrypt-proxy}
 +
runas_user=${runas_user:-dnscrypt}
 +
runas_group=${runas_user:-dnscrypt}
 +
 +
depend() {
 +
use net
 +
before dns
 +
after logger
 +
}
 +
 +
start() {
 +
if [ ! -d "${rundir}" ]; then
 +
mkdir "${rundir}"
 +
if [ -n "${runas_user}" ]; then
 +
touch "${DNSCRYPT_LOGFILE}"
 +
chown ${runas_user}:${runas_group} "${DNSCRYPT_LOGFILE}"
 +
chown -R ${runas_user}:${runas_group} "${rundir}"
 +
fi
 +
fi
 +
 +
ebegin "Starting dnscrypt-proxy"
 +
start-stop-daemon --start --quiet \
 +
--exec /usr/sbin/dnscrypt-proxy \
 +
-- \
 +
--pidfile="${pidfile}" \
 +
--logfile="${DNSCRYPT_LOGFILE}" \
 +
--daemonize --user=${runas_user} \
 +
--local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
 +
--resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
 +
--provider-name=${DNSCRYPT_PROVIDER_NAME} \
 +
--provider-key=${DNSCRYPT_PROVIDER_KEY}
 +
--edns-payload-size=4096
 +
eend $?
 +
}
 +
 +
stop() {
 +
ebegin "Stopping dnscrypt-proxy"
 +
start-stop-daemon --stop --quiet --exec /usr/sbin/dnscrypt-proxy
 +
eend $?
 +
}
 +
</code>
 +
 
 +
You will need to make it executable, <code>sudo chmod +x /etc/init.d/dnscrypt-proxy</code>.
 +
 
 +
This init script will of course require a configuration file, located here /etc/conf.d/dnscrypt-proxy file. Pick two [https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv servers] (one will work as the fallback server), whilst making sure they are compatible with the options you will want to use later on (DNSSEC with unbound, for instance), and add the following text:
 +
<code>
 +
DNSCRYPT_LOCALIP=127.0.0.1
 +
DNSCRYPT_LOCALPORT=40
 +
DNSCRYPT_USER=dnscrypt
 +
 +
DNSCRYPT_PROVIDER_NAME=
 +
DNSCRYPT_PROVIDER_KEY=
 +
DNSCRYPT_RESOLVERIP=
 +
 +
DNSCRYPT_PROVIDER_NAME=
 +
DNSCRYPT_PROVIDER_KEY=
 +
DNSCRYPT_RESOLVERIP=
 +
 +
DNSCRYPT_RESOLVERPORT=443
 +
</code>
 +
Make sure to substitute where appropriate. You will also need to add an account called dnscrypt, with no privileges, by running <code>useradd -G dnscrypt dnscrypt</code>.
 +
To activate the init script, issue <code>sudo rc-update add dnscrypt-proxy</code>
 +
 
 +
Lastly, edit your /etc/resolv.conf file with an editor of your choice, and add the following text:
 +
<code>
 +
domain home
 +
nameserver 127.0.0.1
 +
options edns0
 +
</code>
 +
 
 +
Now you have to do is lock the file with <code>sudo chattr +i /etc/resolv.conf</code>.
  
 +
Should anything fail, issue the same command with <code>-i</code> and temporarily change the nameserver to a DNS server of your choice until you fix the issue.
 
=== Windows ===
 
=== Windows ===
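Review bot: in the added OpenRC script the line `--provider-key=${DNSCRYPT_PROVIDER_KEY}` has no trailing backslash, so `--edns-payload-size=4096` is run as a separate command after start-stop-daemon returns and the option never reaches dnscrypt-proxy; add the backslash. Further points in the same hunk: `runas_group=${runas_user:-dnscrypt}` reads runas_user instead of runas_group; `rundir=` is assigned twice; the script reads `runas_user` while the added /etc/conf.d file sets `DNSCRYPT_USER`, so the account configured in conf.d is never used; the conf.d text repeats `DNSCRYPT_PROVIDER_NAME`, `DNSCRYPT_PROVIDER_KEY` and `DNSCRYPT_RESOLVERIP` with identical names, so the second block just overwrites the first and no fallback server results; `echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf` needs root for the redirection; and the note "I recommend using 127.0.0.1 or 127.0.0.1" repeats the same address.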
  

Revision as of 23:48, 8 November 2015

DNSCrypt acts as a local DNS resolver and uses elliptic-curve cryptography when passing messages to and from the DNS server. This is extremely useful for mitigating MITM attacks on DNS.

Only a few servers are currently known to support DNSCrypt, but adoption is growing.

Installation

Linux

Requirements & dependencies

  `--  dev-libs/libsodium
  `--  net-libs/ldns
  `--  sys-apps/systemd (optional!)
  `--  virtual/pkgconfig

Building

  1. git clone git://github.com/jedisct1/dnscrypt-proxy.git
  2. cd dnscrypt-proxy
  3. ./autogen.sh
  4. ./configure --prefix=/usr
  5. make
  6. sudo make install

Remove systemd as a dependency

In version 1.6, systemd support can be removed by commenting out its references in the generated configure script before compiling. The relevant lines are around 3258 to 3288 of configure. The end result should look something like this:

# MANUAL SYSTEMD PATCH. GO AWAY NSA.
have_systemd=no
HAVE_SYSTEMD_TRUE=
HAVE_SYSTEMD_FALSE='#'
 
# Check whether --with-systemd was given.
#if test "${with_systemd+set}" = set; then :
#  withval=$with_systemd;
#fi
#
#if test "x$with_systemd" = "xyes"; then :
#
#  PKG_CHECK_MODULES(SYSTEMD, libsystemd, have_systemd=yes,
#    PKG_CHECK_MODULES([SYSTEMD_DAEMON], [libsystemd-daemon], [have_systemd=yes], [have_systemd=no])
#  )
#  case $with_systemd:$have_systemd in #(
#  yes:no) :
#    as_fn_error $? "systemd expected but libsystemd not found" "$LINENO" 5 ;; #(
#  *:yes) :
#
#$as_echo "#define HAVE_LIBSYSTEMD 1" >>confdefs.h
#
#   ;; #(
#  *) :
#     ;;
#esac
#
#fi
# if test "x$have_systemd" = "xyes"; then
#  HAVE_SYSTEMD_TRUE=
#  HAVE_SYSTEMD_FALSE='#'
#else
#  HAVE_SYSTEMD_TRUE='#'
#  HAVE_SYSTEMD_FALSE=
#fi

Now run echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf (as root, since the redirection writes under /etc), then sudo ldconfig and ./configure, then make and finally sudo make install.

Configuration

Linux

If you would rather run the commands yourself at boot time, edit your /etc/resolv.conf file to look like this:

domain home
nameserver <the address you picked for --local-address>
options edns0

Lock it with sudo chattr +i /etc/resolv.conf, and then run the following command every time you boot up your PC:

sudo dnscrypt-proxy --local-address=<ip>[:port] --daemonize --resolver-address=<Server address> --provider-name=<Provider name> --provider-key=<Public key> --edns-payload-size=4096

Note: I recommend using 127.0.0.1 or 127.0.0.1, and port 40 instead of 53, should you ever want to use Unbound or Dnsmasq with it.

SystemD

WIP

OpenRC

Create /etc/init.d/dnscrypt-proxy (for example with sudo vim /etc/init.d/dnscrypt-proxy) with the following contents:

#!/sbin/runscript
# $Id$

DNSCRYPT_LOGFILE=${DNSCRYPT_LOGFILE:-/var/log/dnscrypt-proxy.log}

rundir=${rundir:-/var/run/dnscrypt-proxy}
pidfile=${pidfile:-${rundir}/dnscrypt-proxy.pid}
# Unprivileged account from /etc/conf.d/dnscrypt-proxy (DNSCRYPT_USER); defaults to dnscrypt.
runas_user=${runas_user:-${DNSCRYPT_USER:-dnscrypt}}
runas_group=${runas_group:-${runas_user}}

depend() {
	use net
	before dns
	after logger
}

start() {
	# Create the run directory and log file and hand them to the unprivileged user.
	if [ ! -d "${rundir}" ]; then
		mkdir -p "${rundir}"
	fi
	if [ -n "${runas_user}" ]; then
		touch "${DNSCRYPT_LOGFILE}"
		chown "${runas_user}:${runas_group}" "${DNSCRYPT_LOGFILE}"
		chown -R "${runas_user}:${runas_group}" "${rundir}"
	fi

	ebegin "Starting dnscrypt-proxy"
	# Every option line must end with a backslash, or the rest runs as a separate command.
	start-stop-daemon --start --quiet \
		--exec /usr/sbin/dnscrypt-proxy \
		-- \
		--pidfile="${pidfile}" \
		--logfile="${DNSCRYPT_LOGFILE}" \
		--daemonize --user="${runas_user}" \
		--local-address="${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT}" \
		--resolver-address="${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT}" \
		--provider-name="${DNSCRYPT_PROVIDER_NAME}" \
		--provider-key="${DNSCRYPT_PROVIDER_KEY}" \
		--edns-payload-size=4096
	eend $?
}

stop() {
	ebegin "Stopping dnscrypt-proxy"
	start-stop-daemon --stop --quiet --pidfile "${pidfile}" --exec /usr/sbin/dnscrypt-proxy
	eend $?
}

Make it executable with sudo chmod +x /etc/init.d/dnscrypt-proxy.

This init script requires a configuration file at /etc/conf.d/dnscrypt-proxy. Pick two servers (one will serve as the fallback), making sure they are compatible with the options you will want to use later on (DNSSEC with unbound, for instance), and add the following text:

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
DNSCRYPT_USER=dnscrypt

# Primary resolver: copy the values from the resolver list.
DNSCRYPT_PROVIDER_NAME=
DNSCRYPT_PROVIDER_KEY=
DNSCRYPT_RESOLVERIP=
DNSCRYPT_RESOLVERPORT=443

# Fallback resolver, kept commented out: the init script reads only one set of
# DNSCRYPT_* variables, so swap these values in by hand if the primary fails.
#DNSCRYPT_PROVIDER_NAME=
#DNSCRYPT_PROVIDER_KEY=
#DNSCRYPT_RESOLVERIP=

Make sure to substitute where appropriate. You will also need to add an account called dnscrypt, with no privileges, by running useradd -G dnscrypt dnscrypt (create the dnscrypt group first with groupadd dnscrypt if it does not exist yet, since -G only adds an existing group). To activate the init script, issue sudo rc-update add dnscrypt-proxy.

Lastly, edit your /etc/resolv.conf file with an editor of your choice, and add the following text:

domain home
nameserver 127.0.0.1
options edns0

Now all you have to do is lock the file with sudo chattr +i /etc/resolv.conf.

Should anything fail, unlock it with sudo chattr -i /etc/resolv.conf and temporarily change the nameserver to a DNS server of your choice until you fix the issue.
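As an added sanity check for the conf.d file and the resolv.conf edit described above (example code written for this page, not part of the wiki or of dnscrypt-proxy), the following POSIX sh functions verify that every DNSCRYPT_* variable is set, that the provider name and key have the shape used in the resolver list (2.dnscrypt-cert.<zone>, and 16 colon-separated groups of 4 hex digits), that the ports are valid, and that resolv.conf only names loopback resolvers. The file paths are arguments; the sample values in the test are constructed.

```shell
#!/bin/sh
# check_dnscrypt_conf FILE: validate an /etc/conf.d/dnscrypt-proxy style file.
# Returns 0 when every required variable is set and well-formed, 1 otherwise.
check_dnscrypt_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Source the file in a subshell so its assignments do not leak out.
    (
        . "$conf" || exit 1
        rc=0
        for v in DNSCRYPT_LOCALIP DNSCRYPT_LOCALPORT DNSCRYPT_USER \
                 DNSCRYPT_PROVIDER_NAME DNSCRYPT_PROVIDER_KEY \
                 DNSCRYPT_RESOLVERIP DNSCRYPT_RESOLVERPORT; do
            eval "val=\${$v}"
            [ -n "$val" ] || { echo "$v is empty"; rc=1; }
        done
        # Provider names in the resolver list look like 2.dnscrypt-cert.<zone>.
        case "$DNSCRYPT_PROVIDER_NAME" in
            2.dnscrypt-cert.*) ;;
            *) echo "DNSCRYPT_PROVIDER_NAME should start with 2.dnscrypt-cert."; rc=1 ;;
        esac
        # The provider key is a 32-byte public key: 64 hex digits in groups of 4.
        key=$(printf '%s' "$DNSCRYPT_PROVIDER_KEY" | tr -d ':' | tr 'a-f' 'A-F')
        [ ${#key} -eq 64 ] && [ -z "$(printf '%s' "$key" | tr -d '0-9A-F')" ] \
            || { echo "DNSCRYPT_PROVIDER_KEY is not a 64-hex-digit key"; rc=1; }
        # Ports must be numeric and within 1-65535.
        for p in "$DNSCRYPT_LOCALPORT" "$DNSCRYPT_RESOLVERPORT"; do
            case "$p" in
                ''|*[!0-9]*) echo "port '$p' is not numeric"; rc=1 ;;
                *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] \
                       || { echo "port $p out of range"; rc=1; } ;;
            esac
        done
        exit $rc
    )
}

# check_resolv_conf FILE: succeed only if every nameserver is a loopback address,
# i.e. queries can only go to the local dnscrypt-proxy and never leak in clear text.
check_resolv_conf() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { bad = 1 } END { exit bad }' "$1"
}
```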

Windows

Mac OSX

Android

iOS

External Links

DNSCrypt Homepage