DNS, as most commonly used, is neither encrypted nor authenticated. An attacker who can see the DNS query your computer sends (on the same network, or anywhere on the path to the resolver) can answer it with a forged response that appears to come from the legitimate DNS server but carries data of the attacker's choosing. The forged response tricks your computer into connecting to a different IP address, such as a fake web server. If you are making an HTTPS connection, your browser will normally warn about an "invalid certificate" and refuse to show the bogus pages. That is good, but the attacker has still denied you access to the site you wanted. Moreover, much of most people's traffic still uses plain HTTP, SMTP (email) and other unprotected protocols, and a forged DNS answer redirects those silently. A VPN does not change this by itself: it protects only the hop to the VPN gateway, and DNS traffic leaves that gateway in plaintext.
Much as SSL/TLS turns plain HTTP into encrypted HTTPS, DNSCrypt turns regular DNS traffic into encrypted and authenticated DNS traffic that resists eavesdropping and man-in-the-middle attacks. It requires no changes to domain names or to how they are resolved; it only secures the channel between the end user and a DNSCrypt-aware resolver such as OpenDNS (opendns.com). Queries sent to those servers, and the responses they return, are protected with elliptic curve cryptography (Curve25519). An adversary sitting between you and the resolver can therefore no longer read, alter or selectively drop your queries, which defeats censorship implemented by forging DNS answers from a blacklist. It does not defeat censorship enforced by blocking IP addresses, and it hides nothing from the resolver operator.
Can OpenDNS be trusted? Yes - they are a company of competent and resourceful people who take internet security and freedom seriously. Be clear about what that trust covers, though: DNSCrypt protects the path to the resolver, but the resolver still sees every query you make, so you are choosing to trust OpenDNS with that information instead of your ISP or whoever runs the local network. What about DNSCrypt itself? The source code is available on GitHub and may be inspected and analysed by anyone. To date no flaws have been published, and reviewers regard the design as strong, though it is not yet widely deployed.
In Linux, DNSCrypt runs locally as a daemon, acting as a DNS proxy between an ordinary client (or a local cache such as unbound) and a DNSCrypt-aware resolver (opendns.com). When properly installed and configured, it starts at boot and encrypts every query sent through the local proxy (nameserver 127.0.0.1 or nameserver 127.0.0.2). Note the limit of that guarantee: only queries that actually reach the proxy are protected. A DHCP lease that rewrites /etc/resolv.conf, or a second nameserver line pointing at an external server, sends queries out in plaintext again, which is why the steps below pin the resolver configuration to the proxy address.
dpkg -i dnscrypt-proxy_0.9_amd64.deb
apt-get install unbound
ifconfig lo:1 127.0.0.2 up
# /etc/network/interfaces: make the 127.0.0.2 alias persistent across reboots
auto lo:1
iface lo:1 inet static
    address 127.0.0.2
    netmask 255.0.0.0
# /etc/unbound/unbound.conf: unbound answers the system's stub resolver on
# 127.0.0.2 (where the nameserver entries below point; without this line it
# listens only on 127.0.0.1) and hands every query to the dnscrypt proxy on
# 127.0.0.2 port 40.
server:
    interface: 127.0.0.2

forward-zone:
    name: "."
    forward-addr: 127.0.0.2@40
# /etc/dhcp/dhclient.conf: stop DHCP leases from replacing the local resolver
supersede domain-name-servers 127.0.0.2;
# /etc/resolv.conf: the only nameserver entry must be the local resolver
nameserver 127.0.0.2
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch the dnscrypt to communicate with OpenDNS
### END INIT INFO

DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

# Listen on 127.0.0.2 port 40, the address unbound's forward-addr points at.
dnscrypt_start() {
    echo "Starting dnscrypt"
    "$DAEMON" --local-port=40 --local-address=127.0.0.2 --daemonize
}

# --exec must name the daemon binary, or start-stop-daemon stops nothing.
dnscrypt_stop() {
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
chmod +x /etc/init.d/dnscrypt
update-rc.d dnscrypt defaults
# /etc/rc.local alternative to the init script (use one or the other). The
# address and port must match unbound's forward-addr (127.0.0.2@40); the
# defaults, 127.0.0.1 port 53, would collide with unbound. --daemonize is
# required here, otherwise rc.local blocks on the foreground process. The same
# command also serves to start the proxy by hand for a first test.
/usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 --local-port=40 --daemonize
killall dhclient
service dnscrypt start
service unbound start
ifdown eth0 && ifup eth0
host www.ab9il.net
dpkg -i dnscrypt-proxy_0.9_amd64.deb
# /etc/dhcp/dhclient.conf: stop DHCP leases from replacing the local proxy
supersede domain-name-servers 127.0.0.1;
# /etc/resolv.conf: the only nameserver entry must be the local proxy
nameserver 127.0.0.1
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch the dnscrypt to communicate with OpenDNS
### END INIT INFO

DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

# Without a cache in front, the proxy must listen on the address and port the
# stub resolver queries: 127.0.0.1 port 53 (the default port; a non-standard
# port such as 40 would make "nameserver 127.0.0.1" fail).
dnscrypt_start() {
    echo "Starting dnscrypt"
    "$DAEMON" --local-address=127.0.0.1 --daemonize
}

# --exec must name the daemon binary, or start-stop-daemon stops nothing.
dnscrypt_stop() {
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
chmod +x /etc/init.d/dnscrypt
update-rc.d dnscrypt defaults
# /etc/rc.local alternative to the init script (use one or the other).
# 127.0.0.1 and port 53 are the defaults, so "-a 127.0.0.1" may be omitted;
# --daemonize is required, otherwise rc.local blocks on the foreground process.
/usr/sbin/dnscrypt-proxy -a 127.0.0.1 --daemonize
killall dhclient
service dnscrypt start
ifdown eth0 && ifup eth0
host www.ab9il.net
To make DNSCrypt start automatically in Ubuntu, use the following Upstart job. In Ubuntu 12.04 a local DNS cache (dnsmasq) already listens on 127.0.0.1, so DNSCrypt must be configured to listen on 127.0.0.2 instead, and whatever the clients query (dnsmasq as their upstream, or /etc/resolv.conf directly, as in the Debian settings above) must then be pointed at 127.0.0.2:
# script /etc/init/dnscrypt.conf
description "dnscrypt startup script"

start on (local-filesystems and started dbus and stopped udevtrigger)
stop on runlevel [016]

# No --daemonize here: Upstart supervises the foreground process itself.
script
    exec /usr/sbin/dnscrypt-proxy -a 127.0.0.2
end script
As the root user, link the generic Upstart wrapper to /etc/init.d/dnscrypt so that the job can also be driven as /etc/init.d/dnscrypt or through service (the job definition itself stays in /etc/init/dnscrypt.conf):
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt
Continuing with root privileges, start dnscrypt:
sudo start dnscrypt
DNSCrypt should now start automatically when you boot. To stop it, you can use:
sudo stop dnscrypt
Installing DNSCrypt on Porteus / Slackware resembles the Debian and Ubuntu procedures, except for how the daemon is started: build from source, create a start-up script and reference it from rc.local, as shown below.
# Default prefix is /usr/local, so the binary lands in /usr/local/sbin;
# stop at the first failing step rather than running "make install" blindly.
./configure && make && make install
#!/bin/sh
# /etc/rc.d/rc.dnscrypt: start the dnscrypt daemon (defaults to 127.0.0.1 port 53)
/usr/local/sbin/dnscrypt-proxy --daemonize
chmod +x /etc/rc.d/rc.dnscrypt
# /etc/rc.d/rc.local: start dnscrypt at boot
sh /etc/rc.d/rc.dnscrypt
# /etc/dhcp/dhclient.conf: stop DHCP leases from replacing the local proxy
supersede domain-name-servers 127.0.0.1;
# /etc/resolv.conf: the only nameserver entry must be the local proxy
nameserver 127.0.0.1
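Whichever of the Debian, Ubuntu or Slackware procedures above you followed, the way the setup fails silently is a stray plaintext nameserver: a DHCP renewal rewriting /etc/resolv.conf, or a second nameserver line that the stub resolver falls back to. The following is an added example, written for this page in the shell the steps are typed into; it is not part of DNSCrypt or of the original instructions. It audits the two files the procedures edit: every nameserver entry must be the address the proxy (or the cache in front of it) listens on, and dhclient.conf must carry the supersede statement. The sample files it writes are constructed for the demonstration; on a real system point the functions at /etc/resolv.conf and /etc/dhcp/dhclient.conf with 127.0.0.1 or 127.0.0.2 as appropriate.

```shell
#!/bin/sh
# Added example, not from the original page: audit the resolver configuration
# that the DNSCrypt procedures above leave behind.

# check_nameservers FILE ADDR
# Succeeds only if FILE holds at least one "nameserver" entry and every one of
# them is ADDR (the address the dnscrypt proxy, or the cache in front of it,
# listens on). Every other nameserver is reported on stderr as a leak.
check_nameservers() {
    file=$1
    want=$2
    seen=0
    leaks=0
    while read -r key val rest; do
        case $key in
            nameserver)
                seen=$((seen + 1))
                if [ "$val" != "$want" ]; then
                    echo "LEAK: $file sends queries to $val in plaintext" >&2
                    leaks=$((leaks + 1))
                fi
                ;;
        esac
    done < "$file"
    [ "$seen" -gt 0 ] && [ "$leaks" -eq 0 ]
}

# check_supersede FILE ADDR
# Succeeds if FILE (dhclient.conf) has an active, uncommented
# "supersede domain-name-servers ADDR;" statement, so that a DHCP renewal
# cannot replace ADDR with the servers the lease offers.
check_supersede() {
    file=$1
    pat=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+${pat}[[:space:]]*;" "$file"
}

# Constructed sample files (not real system files) so the demonstration runs
# offline; the "leaky" resolv.conf is what a DHCP client writes when the
# supersede statement is missing.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.2\n' > "$tmp/good.resolv.conf"
printf '# Generated by dhclient\nnameserver 127.0.0.2\nnameserver 192.0.2.53\n' > "$tmp/leaky.resolv.conf"
printf 'send host-name = gethostname();\nsupersede domain-name-servers 127.0.0.2;\n' > "$tmp/dhclient.conf"

for name in good leaky; do
    if check_nameservers "$tmp/$name.resolv.conf" 127.0.0.2; then
        echo "$name.resolv.conf: every query goes to the local proxy"
    else
        echo "$name.resolv.conf: plaintext DNS leak, fix before trusting this machine"
    fi
done

if check_supersede "$tmp/dhclient.conf" 127.0.0.2; then
    echo "dhclient.conf: DHCP renewals will keep 127.0.0.2"
fi
rm -rf "$tmp"
```

Run it after the ifdown/ifup step, since that is when dhclient writes the file the first function reads. A successful `host www.ab9il.net` only proves that some server answered; a clean result from check_nameservers is what shows the answer came through the proxy.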
Encrypted DNS should be part of any personal computer system hardened against surveillance and tampering. The instructions above will help Linux users install and configure DNSCrypt, presently the best available option for protecting this critical element of free and unrestricted internet access. Be aware that most governments also censor network access with IP blacklists, which encrypted DNS cannot overcome; for that, a VPN service is suggested.