 Post subject: Secure DNS with DNScrypt
PostPosted: Sun Feb 19, 2012 8:59 am 
Joined: Wed Jan 18, 2012 8:42 pm
Posts: 73
Securing DNS queries with DNScrypt from OpenDNS.

Quote:
Why DNSCrypt is so significant

In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.

(1) Download & install the dnscrypt-proxy deb.

*EDIT #2* - the latest deb build is now on the GitHub link above (it's really 1.0 but called 0.10).

*EDIT* - I noticed today on GitHub that the source is 0.93 & the deb 0.90, so to compile & build the latest deb, grab the latest source from here & run the following in the source directory:
Code:
./autogen.sh
./configure --prefix=/usr
make
### checkinstall runs "make install" but records it as a .deb so dpkg can remove it later (run as root)
checkinstall
### & if you are upgrading
sudo service dnscrypt restart

I have put the dnscrypt-proxy_0.93 deb here. You can also find a deb for KeePassX 0.43 here.

(2) Install a caching DNS Server:
Code:
apt-get install unbound

(3) Bring up a 2nd local IP Address for DNScrypt:
Code:
ifconfig lo:1 127.0.0.2 up

Add the following to /etc/network/interfaces (so the interface survives reboots):
Code:
# second loopback address that only dnscrypt-proxy listens on
auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0

(4) Add the following to the server section of /etc/unbound/unbound.conf:
Code:
# forward-zone: opens a new clause, so place it after the last server: option
forward-zone:
  name: "."
  forward-addr: 127.0.0.2@40

(5) If you obtain your IP Address by DHCP add the following to /etc/dhcp/dhclient.conf
Code:
supersede domain-name-servers 127.0.0.1;

If you do not use DHCP change /etc/resolv.conf
Code:
nameserver 127.0.0.1

(6) Create /etc/init.d/dnscrypt & add the following:
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start dnscrypt
# Description:       Encrypt DNS queries.
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"
# Listen only on the second loopback address, on the port unbound forwards to.
dnscrypt_start()
{
    echo "Starting dnscrypt"
    dnscrypt-proxy --local-port=40 --local-address=127.0.0.2 --daemonize
}

# Stop by executable path, escalating to KILL after a few seconds;
# --oknodo makes "stop" succeed when nothing is running, so restart works after a crash.
dnscrypt_stop()
{
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

make the script executable & set to start on boot:
Code:
chmod +x /etc/init.d/dnscrypt
update-rc.d dnscrypt defaults

(7) Start services:
Code:
killall dhclient
service dnscrypt start
service unbound start

Reconfigure your normal interface (eth0 or wlan0) - or reboot:
Code:
ifdown eth0 && ifup eth0

Test DNS is resolving correctly:
Code:
host www.google.com


Last edited by tradetaxfree on Wed Jun 20, 2012 7:02 pm, edited 2 times in total.
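The steps above are the author's. What follows is an added verification script, not code from the original post, that checks the chain those steps build (resolv.conf pointing at unbound on 127.0.0.1:53, unbound forwarding the root zone to dnscrypt-proxy on 127.0.0.2:40, and a query actually answered). The addresses and ports are the ones used in the post; the sample netstat listing, resolv.conf and unbound.conf it runs on by default are constructed, and "live" mode runs the same checks against the real host.

```shell
#!/bin/sh
# Added verification script, not part of the original post. It checks that the
# chain the steps above build is actually wired up:
#   /etc/resolv.conf -> unbound on 127.0.0.1:53 -> dnscrypt-proxy on 127.0.0.2:40
# Each check is a function taking its input as text, so the same logic runs on
# the constructed samples below and, with "live" as the first argument, on the
# real host (netstat -p needs root; `host` comes from the bind9-host package).

# 0 if a `netstat -lnptu` listing ($1) has a tcp or udp socket bound to $2.
listening_on() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^(tcp|udp)/ && $4 == want { found = 1 }
        END { exit !found }'
}

# 0 if every nameserver in resolv.conf text ($1) is 127.0.0.1. A second,
# external nameserver is a leak: queries to it leave the host in clear text.
only_local_nameserver() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad = 1 }
        END { exit (n == 0 || bad) }'
}

# 0 if unbound.conf text ($1) forwards the root zone "." to $2. In unbound a
# "word:" line on its own (server:, forward-zone:) opens a new clause, so the
# forward-zone block has to come after the last server: option.
unbound_forwards_to() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 1 && $1 ~ /:$/ { inzone = ($1 == "forward-zone:"); name = ""; next }
        inzone && $1 == "name:" { gsub(/"/, "", $2); name = $2; next }
        inzone && $1 == "forward-addr:" && name == "." && $2 == want { found = 1 }
        END { exit !found }'
}

# Constructed samples (not captured from a real host) for the checks above.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.2:40            0.0.0.0:*               LISTEN      1234/dnscrypt-proxy
udp        0      0 127.0.0.2:40            0.0.0.0:*                           1234/dnscrypt-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           987/dhclient'
SAMPLE_RESOLV_OK='nameserver 127.0.0.1'
SAMPLE_RESOLV_LEAK='nameserver 127.0.0.1
nameserver 192.0.2.53'
SAMPLE_UNBOUND_OK='server:
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
forward-zone:
  name: "."
  forward-addr: 127.0.0.2@40'
# Same file but forwarding to a plain-DNS upstream: encryption silently bypassed.
SAMPLE_UNBOUND_BYPASS='server:
  interface: 127.0.0.1
forward-zone:
  name: "."
  forward-addr: 192.0.2.53'

self_test() {
    listening_on "$SAMPLE_NETSTAT" 127.0.0.2:40 &&
    ! listening_on "$SAMPLE_NETSTAT" 127.0.0.1:53 &&
    only_local_nameserver "$SAMPLE_RESOLV_OK" &&
    ! only_local_nameserver "$SAMPLE_RESOLV_LEAK" &&
    unbound_forwards_to "$SAMPLE_UNBOUND_OK" 127.0.0.2@40 &&
    ! unbound_forwards_to "$SAMPLE_UNBOUND_BYPASS" 127.0.0.2@40
}

# Run the checks against this host; one FAIL line per broken link in the chain.
live_check() {
    rc=0
    ns=$(netstat -lnptu 2>/dev/null)
    listening_on "$ns" 127.0.0.2:40 && echo "ok   dnscrypt-proxy on 127.0.0.2:40" ||
        { echo "FAIL nothing on 127.0.0.2:40 (service dnscrypt start?)"; rc=1; }
    listening_on "$ns" 127.0.0.1:53 && echo "ok   unbound on 127.0.0.1:53" ||
        { echo "FAIL nothing on 127.0.0.1:53 (service unbound start?)"; rc=1; }
    only_local_nameserver "$(cat /etc/resolv.conf)" && echo "ok   resolv.conf -> 127.0.0.1 only" ||
        { echo "FAIL resolv.conf lists an external nameserver (killall dhclient; ifdown/ifup?)"; rc=1; }
    unbound_forwards_to "$(cat /etc/unbound/unbound.conf)" 127.0.0.2@40 &&
        echo "ok   unbound forwards . to 127.0.0.2@40" ||
        { echo "FAIL no forward-zone for . -> 127.0.0.2@40 in unbound.conf"; rc=1; }
    # Query unbound directly, so a failure here is local wiring, not the upstream.
    host -t a www.google.com 127.0.0.1 >/dev/null 2>&1 && echo "ok   query via 127.0.0.1 answered" ||
        { echo "FAIL query via 127.0.0.1 failed"; rc=1; }
    return $rc
}

case "${1:-}" in
    live) live_check ;;
    *)    self_test && echo "sample checks: ok" ;;
esac
```

Run it as `sh check-dnscrypt.sh live` as root after step (7); each FAIL line names the step to revisit. The resolv.conf check is the one worth keeping an eye on: a DHCP renewal that reinstates the ISP's nameserver quietly bypasses both unbound and the proxy.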

 Post subject: Re: Secure DNS with DNScrypt
PostPosted: Sun May 20, 2012 9:29 am 
Joined: Sun May 20, 2012 3:37 am
Posts: 1
I tried this and have one problem. Unbound is not forwarding to dnscrypt. I can get dnscrypt to work correctly by itself and I can get unbound to work correctly by itself, but I cannot get unbound to forward to dnscrypt. Ifconfig shows my second loop address 127.0.0.2 but there is no activity on port 40. I use Wireshark to monitor my server activity. Can you suggest anything? Also, thanks for writing an excellent and useful article.


 Post subject: Re: Secure DNS with DNScrypt
PostPosted: Sun May 20, 2012 2:04 pm 
Joined: Wed Jan 18, 2012 8:42 pm
Posts: 73
To check DNScrypt was listening I used:
Code:
netstat -lnptu | grep 127.0.0.2:40   # run as root, otherwise the PID/Program column shows "-"

Which should show an output of:
Code:
tcp        0      0 127.0.0.2:40            0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.2:40            0.0.0.0:*

Are you using wireless and have not restarted the wireless interface wlan0, so it is not using the new DNS settings?
Code:
sudo -s
killall dhclient
service dnscrypt restart
service unbound restart
ifdown wlan0 && ifup wlan0


 Post subject: Re: Secure DNS with DNScrypt
PostPosted: Sat Sep 29, 2012 9:32 pm 
Joined: Wed Jan 18, 2012 8:42 pm
Posts: 73
I'm unable to modify the original post due to the forum bug.

**EDIT** - v1.1 was released 25/9/12 here - change line 17 of the init script to "dnscrypt-proxy --local-address=127.0.0.2:40 --daemonize" (with no quotes)

& after changing run "sudo update-rc.d dnscrypt defaults"


 Post subject: Re: Secure DNS with DNScrypt
PostPosted: Mon Sep 23, 2013 1:10 am 
Joined: Wed Jan 18, 2012 8:42 pm
Posts: 73
Am unable to update the original post due to the forum bug.

Today I've built the latest 32-bit dnscrypt-proxy (v1.3.3) & its new crypto dependency libsodium. A zip with both files can be found here.

After installing the libsodium deb run:
Code:
sudo ldconfig

Then install dnscrypt-proxy.

The instructions in the 1st post above for compiling from source will work for both libsodium & dnscrypt-proxy.

Don't forget to change line 17 of the init script above to:
Code:
dnscrypt-proxy --local-address=127.0.0.2:40 --daemonize

** If you are running the current Debian Stable (Wheezy) then version 1.3.3 of DNScrypt will not work for you (it requires LibC 2.15 or 2.17) - there is a 32 bit deb here of DNScrypt v1.2 which will work with Wheezy. To compile the 1.2.1 branch look here.

There are now some alternative DNS servers that can be queried by DNScrypt which keep no logs. Just add the new setting to line 17 of the script:
Code:
--resolver-address=<ip>[:port] --provider-name=<certificate provider FQDN> --provider-key=<provider public key>
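As an added example (mine, not the author's), the script below builds that `--resolver-address` / `--provider-name` / `--provider-key` trio for line 17 of the init script and rejects malformed values before they reach the proxy. It assumes the flag names quoted in the post, the init script layout from the first post, and that dnscrypt-proxy 1.x takes the provider key as 16 colon-separated groups of 4 hex digits (a 32-byte public key). The address, provider name and key it uses are constructed placeholders, not a real resolver.

```shell
#!/bin/sh
# Added example, not part of the original post: build the --resolver-address /
# --provider-name / --provider-key trio for line 17 of the init script above and
# refuse malformed values before they reach the proxy. dnscrypt-proxy 1.x takes
# the provider key as 16 colon-separated groups of 4 hex digits (a 32-byte public
# key); that key is what lets the proxy verify the resolver's certificate, so a
# truncated or mistyped copy means the resolver is not actually authenticated.
# The address, name and key below are constructed placeholders, not a real resolver.

# 0 if $1 is 16 groups of 4 hex digits joined by ":".
valid_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# 0 if $1 is a dotted-quad IPv4 address with an optional :port in 1-65535.
valid_resolver_address() {
    printf '%s\n' "$1" | awk -F: '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535) { exit 1 }
        { if (split($1, o, ".") != 4) exit 1
          for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1 }'
}

# 0 if $1 looks like a host name (dot-separated labels, no whitespace).
# dnscrypt provider names are conventionally of the form 2.dnscrypt-cert.<domain>.
valid_provider_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Print the replacement for line 17 of the init script, or print nothing and
# return 1 if any of the three values is malformed.
dnscrypt_start_line() {
    addr=$1 name=$2 key=$3
    valid_resolver_address "$addr" || { echo "bad resolver address: $addr" >&2; return 1; }
    valid_provider_name "$name" || { echo "bad provider name: $name" >&2; return 1; }
    valid_provider_key "$key" || { echo "bad provider key (need 16 groups of 4 hex digits): $key" >&2; return 1; }
    printf 'dnscrypt-proxy --local-address=127.0.0.2:40 --daemonize --resolver-address=%s --provider-name=%s --provider-key=%s\n' \
        "$addr" "$name" "$key"
}

# Replace line 17 of init script $1 with $2, keeping the script's indentation.
set_init_line17() {
    awk -v repl="$2" 'NR == 17 { print "    " repl; next } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Constructed placeholders: TEST-NET-1 address, example.net name, dummy key.
EXAMPLE_ADDR=192.0.2.53:443
EXAMPLE_NAME=2.dnscrypt-cert.example.net
EXAMPLE_KEY=0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF

# Print the line to paste into /etc/init.d/dnscrypt (or hand it to set_init_line17).
dnscrypt_start_line "$EXAMPLE_ADDR" "$EXAMPLE_NAME" "$EXAMPLE_KEY"
```

The format check only catches copy-and-paste damage; it cannot tell a genuine key from a substituted one, so take the key from the resolver operator over a channel you trust, then run `sudo service dnscrypt restart` and the `host` test from the first post.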

