Securing DNS queries with DNScrypt from OpenDNS.

Quote:
Why DNSCrypt is so significant
In the same way that SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.
DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.
(1) Download & install the dnscrypt-proxy deb.
*EDIT #2* - latest deb build is now on the github link above (it's really 1.0 but called 0.10)
*EDIT* - I noticed today on github the source is 0.93 & the deb 0.90, so to compile & build the latest deb grab the latest source from here & in the source directory:
Code:
./autogen.sh
./configure --prefix=/usr
make
# checkinstall runs "make install" but packages the result as a .deb first, so dpkg can track & remove the files
checkinstall
### & if you are upgrading
sudo service dnscrypt restart
I have put the dnscrypt-proxy_0.93 deb here. You can also find a deb for KeePassX 0.43 here.
(2) Install a caching DNS Server:
Code:
apt-get install unbound
(3) Bring up a 2nd local IP Address for DNScrypt:
Code:
ifconfig lo:1 127.0.0.2 up
Add the following to /etc/network/interfaces (so the interface survives reboots):
Code:
auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0
(4) Add the following to /etc/unbound/unbound.conf. Note that forward-zone: is a top-level clause of its own, not part of the server: section, and that unbound refuses to send queries to 127.0.0.0/8 unless told otherwise (do-not-query-localhost defaults to yes), so the server: section also needs do-not-query-localhost: no or the forward to 127.0.0.2 silently fails:
Code:
server:
    do-not-query-localhost: no   # default is yes, which blocks queries to 127.0.0.0/8

forward-zone:
    name: "."
    forward-addr: 127.0.0.2@40
(5) If you obtain your IP Address by DHCP add the following to /etc/dhcp/dhclient.conf:
Code:
supersede domain-name-servers 127.0.0.1;
If you do not use DHCP change /etc/resolv.conf:
Code:
nameserver 127.0.0.1
(6) Create /etc/init.d/dnscrypt & add the following:
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: dnscrypt
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start dnscrypt
# Description: Encrypt DNS queries.
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"
# Listen on the loopback alias from step (3); unbound forwards to 127.0.0.2@40
DAEMON_ARGS="--local-port=40 --local-address=127.0.0.2 --daemonize"
dnscrypt_start()
{
echo "Starting dnscrypt"
# start via $DAEMON so the path matches what --exec looks for in dnscrypt_stop
"$DAEMON" $DAEMON_ARGS
}
dnscrypt_stop()
{
echo "Stopping dnscrypt"
# send TERM, wait for exit, then KILL if it is still running
start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}
case "$1" in
start)
dnscrypt_start
;;
stop)
dnscrypt_stop
;;
restart|force-reload)
dnscrypt_stop
dnscrypt_start
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
make the script executable & set to start on boot:
Code:
chmod +x /etc/init.d/dnscrypt
update-rc.d dnscrypt defaults
(7) Start services:
Code:
killall dhclient
service dnscrypt start
service unbound start
Reconfigure your normal interface (eth0 or wlan0) so dhclient re-reads the supersede line, or reboot:
Code:
ifdown eth0 && ifup eth0
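Before restarting anything it is worth checking that steps (3) to (5) actually fit together, because the most common failure is silent: unbound accepts the forward-zone but never sends a packet to 127.0.0.2. The script below is an added example, not part of the original post or of the dnscrypt-proxy/unbound projects. It statically lints the three config files (paths as used in this post) and, with --live, probes the running services; the live part assumes iproute2's ss and dig are installed. The sample files it creates under mktemp are constructed here to show a passing and a failing case of each check.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# unbound -> dnscrypt-proxy chain. Static checks run anywhere; --live needs
# ss and dig on the configured host (assumed, not stated by the post).

# check_unbound FILE -> 0 if "." is forwarded to 127.0.0.2@40 AND unbound is
# allowed to talk to loopback. do-not-query-localhost defaults to yes, so the
# forward-zone alone (as first posted) never sends a query to the proxy.
check_unbound() {
    f="$1"
    [ -r "$f" ] || { echo "unbound: cannot read $f"; return 1; }
    grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.2@40[[:space:]]*$' "$f" \
        || { echo "unbound: no 'forward-addr: 127.0.0.2@40' in $f"; return 1; }
    grep -Eq '^[[:space:]]*name:[[:space:]]*"\."' "$f" \
        || { echo "unbound: forward-zone is not for name \".\""; return 1; }
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no[[:space:]]*$' "$f" \
        || { echo "unbound: add 'do-not-query-localhost: no' under server:"; return 1; }
    return 0
}

# check_resolv FILE -> 0 if every nameserver line is 127.0.0.1. Any other
# address is a leak path: the stub resolver would send cleartext DNS past unbound.
check_resolv() {
    f="$1"
    [ -r "$f" ] || { echo "resolv: cannot read $f"; return 1; }
    total=$(grep -Ec '^[[:space:]]*nameserver[[:space:]]' "$f" || true)
    local_only=$(grep -Ec '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$f" || true)
    if [ "$total" -eq 0 ]; then echo "resolv: no nameserver line in $f"; return 1; fi
    if [ "$total" -ne "$local_only" ]; then
        echo "resolv: $((total - local_only)) nameserver line(s) point outside 127.0.0.1"; return 1
    fi
    return 0
}

# check_interfaces FILE -> 0 if lo:1 is defined as static 127.0.0.2, so the
# proxy's listening address comes back after a reboot.
check_interfaces() {
    f="$1"
    [ -r "$f" ] || { echo "interfaces: cannot read $f"; return 1; }
    grep -Eq '^[[:space:]]*iface[[:space:]]+lo:1[[:space:]]+inet[[:space:]]+static' "$f" \
        && grep -Eq '^[[:space:]]*address[[:space:]]+127\.0\.0\.2[[:space:]]*$' "$f" \
        || { echo "interfaces: lo:1 with address 127.0.0.2 not found in $f"; return 1; }
}

# live_check: both listeners must be up, and a query to unbound must resolve,
# which only happens if unbound can reach the proxy on 127.0.0.2:40.
live_check() {
    ss -lun | grep -q '127\.0\.0\.2:40[[:space:]]' \
        || { echo "live: dnscrypt-proxy not listening on 127.0.0.2:40"; return 1; }
    ss -lun | grep -q '127\.0\.0\.1:53[[:space:]]' \
        || { echo "live: unbound not listening on 127.0.0.1:53"; return 1; }
    dig +short +time=3 @127.0.0.1 opendns.com A | grep -Eq '^[0-9.]+$' \
        || { echo "live: query through 127.0.0.1 failed"; return 1; }
    echo "live: ok"
}

# Constructed sample files: unbound.conf as originally posted (fails), the
# corrected one (passes), a clean and a leaky resolv.conf, and an interfaces file.
SAMPLE_DIR=$(mktemp -d)
UNBOUND_AS_POSTED="$SAMPLE_DIR/unbound-as-posted.conf"
UNBOUND_FIXED="$SAMPLE_DIR/unbound-fixed.conf"
RESOLV_GOOD="$SAMPLE_DIR/resolv-good.conf"
RESOLV_LEAKY="$SAMPLE_DIR/resolv-leaky.conf"
IFACES_GOOD="$SAMPLE_DIR/interfaces"
printf 'forward-zone:\n    name: "."\n    forward-addr: 127.0.0.2@40\n' > "$UNBOUND_AS_POSTED"
printf 'server:\n    do-not-query-localhost: no\n' > "$UNBOUND_FIXED"
cat "$UNBOUND_AS_POSTED" >> "$UNBOUND_FIXED"
printf 'nameserver 127.0.0.1\n' > "$RESOLV_GOOD"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$RESOLV_LEAKY"
printf 'auto lo\niface lo inet loopback\n\nauto lo:1\niface lo:1 inet static\n    address 127.0.0.2\n    netmask 255.0.0.0\n' > "$IFACES_GOOD"

for c in "check_unbound $UNBOUND_AS_POSTED" "check_unbound $UNBOUND_FIXED" \
         "check_resolv $RESOLV_GOOD" "check_resolv $RESOLV_LEAKY" \
         "check_interfaces $IFACES_GOOD"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
if [ "${1:-}" = "--live" ]; then live_check; fi
```

To lint the real files, call the functions on /etc/unbound/unbound.conf, /etc/resolv.conf and /etc/network/interfaces instead of the samples; the as-posted unbound sample failing is the point of the exercise, since that is exactly the config that looks right but forwards nothing.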
Test DNS is resolving correctly: