AB9IL.net: DNSCrypt

Written and curated by Philip Collier / AB9IL

DNS, as most commonly used, is not cryptographically protected: queries and answers travel as plaintext UDP, and nothing in a reply proves that it came from the resolver you asked. An attacker who can see the DNS query your computer sends (on the same WiFi, at the ISP, anywhere on the path) can answer it first with a forged response that carries the same transaction ID and question but an IP address of the attacker's choosing, and your computer accepts it as if it came from the legitimate DNS server. The forged response fools your computer into connecting to a different IP address, such as a fake web server. If you're making an HTTPS connection, your browser will normally show a warning about an "invalid certificate" and refuse to display the bogus pages. That is good, but the attacker has still denied you access to the web page you wanted. Also, a great deal of internet traffic still uses regular HTTP, SMTP (email), and other unprotected connections, where the substitution goes unnoticed. Even with a VPN service, this traffic is only encrypted as far as the VPN gateway; from there it leaves "in plaintext."

Similar to the way TLS (SSL) turns HTTP web traffic into encrypted HTTPS traffic, DNSCrypt turns regular DNS traffic into encrypted, authenticated DNS traffic that resists eavesdropping and man-in-the-middle attacks. It requires no changes to domain names or how they work; it simply provides a method for securely encrypting communication between end users and DNSCrypt-aware DNS servers (opendns.com). Outgoing DNS queries to those servers, and the DNS responses sent back to your computer from those servers, are protected with elliptic curve cryptography (Curve25519 key exchange with XSalsa20-Poly1305 authenticated encryption), so a forged or altered response fails authentication and is dropped rather than believed. An adversary who used to censor by answering your DNS queries from a blacklist can no longer do so; what remains is blocking the resolver's own IP address, or the destination addresses themselves, which is blunter and far more visible.
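The forgery described above, as an added example that is not part of the original page or of the DNSCrypt project: it builds a real wire-format DNS query and shows that a classic stub resolver accepts any reply carrying the same transaction ID and question, that an on-path attacker gets both for free, and that an off-path attacker is reduced to guessing a 16-bit ID. The last two functions stand in for what an authenticated transport adds, a MAC keyed with a secret the attacker does not hold. That stand-in uses HMAC-SHA256 from the Python standard library purely for illustration; it is not DNSCrypt's wire format, which uses Curve25519 and XSalsa20-Poly1305 via libsodium. The addresses 203.0.113.10 and 198.51.100.66 are constructed test values.

```python
import hashlib
import hmac
import struct


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """A plain A/IN query: 12-byte header (RD set, QDCOUNT=1) plus the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, question, ip):
    """Response with QR/RD/RA set and one A record; `question` is the raw question section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4 bytes of RDATA.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def skip_name(pkt, off):
    """Offset just past a wire-format name (label sequence or compression pointer)."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1


def answer_ip(response):
    """Pull the IPv4 address out of the first answer record."""
    off = skip_name(response, 12) + 4          # past QNAME, QTYPE, QCLASS
    off = skip_name(response, off)             # answer NAME (here a pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return ".".join(str(b) for b in response[off + 10:off + 10 + rdlen])


def naive_accepts(query, response):
    """Everything a classic UDP stub resolver checks: same ID, QR bit set, same question."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags = struct.unpack("!HH", response[:4])
    question = query[12:]
    return qid == rid and bool(rflags & 0x8000) and response[12:12 + len(question)] == question


def on_path_forge(observed_query, attacker_ip):
    """An attacker who saw the query (same LAN, ISP, any hop) reuses its ID and question."""
    txid = struct.unpack("!H", observed_query[:2])[0]
    return build_response(txid, observed_query[12:], attacker_ip)


def off_path_attempts(query, attacker_ip):
    """An attacker who cannot see the query must guess the 16-bit ID; count tries until one
    lands. Resolvers that also randomise the UDP source port multiply this work by up to 2^16."""
    for guess in range(0x10000):
        if naive_accepts(query, build_response(guess, query[12:], attacker_ip)):
            return guess + 1
    return None


TAG_LEN = 32


def seal(key, pkt):
    """Stand-in for an authenticated transport: append a MAC under a key the attacker lacks.
    (Illustration only: DNSCrypt really uses X25519 + XSalsa20-Poly1305, not HMAC-SHA256.)"""
    return pkt + hmac.new(key, pkt, hashlib.sha256).digest()


def authenticated_accepts(key, query, sealed):
    """Verify the MAC in constant time before trusting any DNS field in the reply."""
    pkt, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, pkt, hashlib.sha256).digest(), tag):
        return False
    return naive_accepts(query, pkt)


if __name__ == "__main__":
    query = build_query(0x1A2B, "www.ab9il.net")
    legit = build_response(0x1A2B, query[12:], "203.0.113.10")   # constructed test addresses
    forged = on_path_forge(query, "198.51.100.66")
    print("naive client accepts genuine reply:", naive_accepts(query, legit), answer_ip(legit))
    print("naive client accepts forged reply: ", naive_accepts(query, forged), answer_ip(forged))
    print("off-path guesses needed for this ID:", off_path_attempts(query, "198.51.100.66"))
    key = bytes(32)   # secret shared by proxy and resolver; the attacker does not have it
    print("authenticated client, genuine:", authenticated_accepts(key, query, seal(key, legit)))
    print("authenticated client, forged: ", authenticated_accepts(key, query, seal(b"\x01" * 32, forged)))
```

The naive check is the whole of what plaintext DNS offers: an on-path attacker passes it every time, and an off-path attacker needs on average about 32,768 tries against a random ID, which is why source-port randomisation was added after the Kaminsky attacks. With a keyed MAC the attacker's reply is rejected before its contents are even parsed.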

Can OpenDNS be trusted? Yes - they are a company of competent and resourceful people who take internet security and freedom seriously. Bear in mind, though, what DNSCrypt does and does not hide: it protects the path between your computer and the resolver, while the resolver itself still sees every name you look up in the clear, so you are trusting OpenDNS with that history. What about DNSCrypt? The source code is available on Github and may be checked and analysed by anyone, and the cryptography is not home-grown: it is built on the libsodium (NaCl) primitives, Curve25519 key agreement with XSalsa20-Poly1305 authenticated encryption, which have had extensive public review. To date, cryptographic experts see no flaws, and peer reviews conclude that it is strong but not widely deployed.

In Linux, DNSCrypt runs locally as a daemon (dnscrypt-proxy), serving as a DNS proxy between a regular client and a DNSCrypt-aware resolver (opendns.com). When properly installed and configured, it starts at boot time and encrypts all DNS traffic sent through the local proxy (nameserver 127.0.0.1 or nameserver 127.0.0.2 in resolv.conf). Only queries that actually reach the proxy are protected: anything that still names an outside resolver in resolv.conf, or an application that talks to a hard-coded resolver of its own, goes out in plaintext as before. That is why the steps below spend as much effort pinning the system resolver as they do starting the daemon.


Debian, WITH a local caching server
  1. Download the DNSCrypt deb from Github.
  2. As root, install the dnscrypt-proxy deb, for example:
     dpkg -i dnscrypt-proxy_0.9_amd64.deb
  3. Install a caching DNS server:
     apt-get install unbound
  4. Bring up a second loopback address for DNSCrypt. (On Linux the whole 127.0.0.0/8 block is already routed to lo, so 127.0.0.2 is usable without this step; the alias is harmless and makes the assignment explicit.)
     ifconfig lo:1 127.0.0.2 up
  5. Then add the following to /etc/network/interfaces, so the alias survives reboots:
      auto lo:1
      iface lo:1 inet static
      address 127.0.0.2
      netmask 255.0.0.0
  6. Tell unbound to forward everything to the DNSCrypt proxy. The forward-zone block is a top-level clause in /etc/unbound/unbound.conf, not part of the server section, and unbound refuses to forward to a loopback address unless do-not-query-localhost is switched off in the server section:
     server:
         do-not-query-localhost: no
     forward-zone:
         name: "."
         forward-addr: 127.0.0.2@40
  7. The system's stub resolver must point at unbound, which listens on 127.0.0.1 port 53 by default; unbound in turn forwards to DNSCrypt on 127.0.0.2 port 40. (Pointing resolv.conf at 127.0.0.2 would send queries to a port nothing listens on and bypass the cache.) If you obtain your IP address by DHCP, add the following to /etc/dhcp/dhclient.conf so that the DHCP-supplied resolvers are never written into resolv.conf:
     supersede domain-name-servers 127.0.0.1;
  8. If you do not use DHCP, change /etc/resolv.conf:
     nameserver 127.0.0.1
  9. If you have resolvconf installed, edit /etc/resolvconf/resolv.conf.d/base:
     nameserver 127.0.0.1
  10. DNSCrypt itself must listen on a different address (127.0.0.2) and port (40) when a local caching server such as unbound is on the same system, so the two daemons never compete for 127.0.0.1:53. Create the file /etc/init.d/dnscrypt and write the following code in it:
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch dnscrypt-proxy to communicate with OpenDNS
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"
# Listen on 127.0.0.2:40; unbound on 127.0.0.1:53 forwards here.
DAEMON_ARGS="--local-port=40 --local-address=127.0.0.2 --daemonize"

[ -x "$DAEMON" ] || exit 0

dnscrypt_start()
{
    echo "Starting $NAME"
    # --exec lets start-stop-daemon refuse to start a second copy if one is running.
    start-stop-daemon --start --quiet --exec "$DAEMON" -- $DAEMON_ARGS
}

dnscrypt_stop()
{
    echo "Stopping $NAME"
    # --exec must name the binary; an empty string matches nothing and stops nothing.
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

  11. Make the script executable and set it to start on boot:
      chmod +x /etc/init.d/dnscrypt
      update-rc.d dnscrypt defaults
  12. Do not also launch dnscrypt-proxy from rc.local or by hand: the init script is now the only thing that should start it. A second copy started with "-a 127.0.0.1" would try to take 127.0.0.1:53, the port unbound needs, and a copy started with a bare "--daemonize" would do the same with the default address; either way you end up with two proxies and a cache that cannot bind its port.
  13. Start the services:
      killall dhclient
      service dnscrypt start
      service unbound start
  14. Reconfigure your normal interface (eth0 or wlan0), or reboot the system, so that dhclient picks up the supersede line:
      ifdown eth0 && ifup eth0
  15. Verify that DNS is resolving correctly, first through the whole chain (stub resolver, unbound, DNSCrypt) and then against the proxy directly:
      host www.ab9il.net
      dig @127.0.0.2 -p 40 www.ab9il.net
  16. Verify the system is using OpenDNS by visiting the OpenDNS Welcome Page. Also confirm that no plaintext DNS leaves the machine: run "tcpdump -ni eth0 udp port 53" while resolving a name. With dnscrypt-proxy talking to OpenDNS on its default port 443 there should be nothing on port 53 at all; if your resolver uses port 53, packets will appear but their payload must be ciphertext, with no readable domain names.

Debian, WITHOUT a local caching server:
  1. Download the DNSCrypt deb from Github.
  2. As root, install the dnscrypt-proxy deb, for example:
     dpkg -i dnscrypt-proxy_0.9_amd64.deb
  3. If you obtain your IP address by DHCP, add the following to /etc/dhcp/dhclient.conf:
     supersede domain-name-servers 127.0.0.1;
  4. If you do not use DHCP, change /etc/resolv.conf:
     nameserver 127.0.0.1
  5. If you have resolvconf installed, edit /etc/resolvconf/resolv.conf.d/base:
     nameserver 127.0.0.1
  6. With no caching server in between, DNSCrypt itself must answer on 127.0.0.1 port 53, because resolv.conf has no way to name another port and the stub resolver will query nothing else. Create the file /etc/init.d/dnscrypt and write the following code in it:
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch dnscrypt-proxy to communicate with OpenDNS
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"
# Listen on 127.0.0.1, default port 53: the stub resolver cannot be pointed at any other port.
DAEMON_ARGS="--local-address=127.0.0.1 --daemonize"

[ -x "$DAEMON" ] || exit 0

dnscrypt_start()
{
    echo "Starting $NAME"
    # --exec lets start-stop-daemon refuse to start a second copy if one is running.
    start-stop-daemon --start --quiet --exec "$DAEMON" -- $DAEMON_ARGS
}

dnscrypt_stop()
{
    echo "Stopping $NAME"
    # --exec must name the binary; an empty string matches nothing and stops nothing.
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

  7. Make the script executable and set it to start on boot:
     chmod +x /etc/init.d/dnscrypt
     update-rc.d dnscrypt defaults
  8. Do not also launch dnscrypt-proxy from rc.local or by hand: the init script is the only thing that should start it. A second instance would fail to bind 127.0.0.1:53, or, if it won the race at boot, would be the copy running without the init script's settings and outside its control.
  9. Start the dnscrypt service:
     killall dhclient
     service dnscrypt start
  10. Reconfigure your normal interface (eth0 or wlan0), or reboot the system, so that dhclient picks up the supersede line:
     ifdown eth0 && ifup eth0
  11. Verify that DNS is resolving correctly:
     host www.ab9il.net
  12. Verify the system is using OpenDNS by visiting the OpenDNS Welcome Page, and confirm with "tcpdump -ni eth0 udp port 53" that no readable domain names leave the machine while you resolve one.

Autostarting DNSCrypt in Ubuntu Linux

To make DNSCrypt start automatically in Ubuntu, use the following Upstart job. In Ubuntu 12.04 NetworkManager runs a local dnsmasq cache on 127.0.0.1, therefore DNSCrypt must be configured to use 127.0.0.2. Starting the proxy there is not enough on its own: dnsmasq must also be told to forward to it, or it keeps sending your queries in plaintext to whatever resolvers DHCP handed out. NetworkManager's dnsmasq reads drop-in files from /etc/NetworkManager/dnsmasq.d/, so create a file there containing the single line server=127.0.0.2 and restart network-manager. Note that the job runs dnscrypt-proxy in the foreground (no --daemonize); that is what Upstart's exec expects, and it lets Upstart restart the proxy if it dies.

# script /etc/init/dnscrypt.conf 
description "dnscrypt startup script"

start on (local-filesystems and started dbus and stopped udevtrigger)
stop on runlevel [016]
respawn

script
        exec /usr/sbin/dnscrypt-proxy -a 127.0.0.2
end script

As the root user, give the job a conventional /etc/init.d entry by linking it to Upstart's compatibility shim (the link points at the shim, not at the job file itself; Upstart finds the job by the name of the link):

sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt

Continuing with root privileges, start dnscrypt:

sudo start dnscrypt

DNSCrypt should now start automatically when you boot. To stop it, you can use:

sudo stop dnscrypt

Installing DNScrypt in Porteus / Slackware Linux

Installing DNScrypt in Porteus / Slackware resembles the procedure followed for Debian and Ubuntu, except for some differences in how the daemon is started. It is necessary to create a start-up script and then reference it in rc.local as shown below. Here dnscrypt-proxy keeps its default listening address, 127.0.0.1 port 53, so there is no second loopback address to configure.

  1. Download the DNSCrypt tar.gz file from Github.
  2. Extract the tarball contents to a folder.
  3. Compile DNScrypt according to the DNScrypt compilation suggestions. Briefly, these shell commands, given as root, should configure, build, and install the package (chaining with && stops at the first failure instead of installing a half-built tree):
     ./configure && make && make install
  4. Put the following script, named rc.dnscrypt, in /etc/rc.d/ (the same name is used in the two steps that follow):
          #!/bin/sh
          # start dnscrypt daemon
          /usr/local/sbin/dnscrypt-proxy --daemonize
  5. Make the script executable by issuing this command as root:
     chmod +x /etc/rc.d/rc.dnscrypt
  6. Put the following lines in /etc/rc.d/rc.local:
      #Start dnscrypt
      sh /etc/rc.d/rc.dnscrypt
  7. If you obtain your IP address by DHCP, add the following to /etc/dhcp/dhclient.conf:
     supersede domain-name-servers 127.0.0.1;
  8. If you do not use DHCP, change /etc/resolv.conf:
     nameserver 127.0.0.1
  9. If you have resolvconf installed, edit /etc/resolvconf/resolv.conf.d/base:
     nameserver 127.0.0.1
  10. Verify that DNS is resolving correctly (host www.ab9il.net) and that the system is using OpenDNS by visiting the OpenDNS Welcome Page.
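Every procedure above ends with a visit to the OpenDNS Welcome Page, which only shows that some query reached OpenDNS, not that every resolver path on the machine goes through the proxy. The script below is an added example, not part of this page or of dnscrypt-proxy. It checks the pieces the steps configure (resolv.conf, the dhclient supersede line and, when unbound is used, its forward-zone and do-not-query-localhost setting) for the mistakes that silently leave plaintext DNS in place, then probes the local listeners with a real query. The file paths are the ones used in the Debian steps; the proxy address is passed as 127.0.0.2@40 for the "WITH a local caching server" layout and 127.0.0.1@53 for the others. The resolv.conf and dhclient.conf fragments in the test are constructed samples.

```python
import ipaddress
import os
import re
import socket
import struct


def parse_nameservers(resolv_conf_text):
    """Nameserver addresses from resolv.conf text, ignoring comments and blank lines."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def leaking_nameservers(resolv_conf_text):
    """Every nameserver that is not a loopback address will be queried in plaintext."""
    leaks = []
    for addr in parse_nameservers(resolv_conf_text):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                leaks.append(addr)
        except ValueError:          # garbage entry: flag it rather than ignore it
            leaks.append(addr)
    return leaks


SUPERSEDE = re.compile(r"^\s*supersede\s+domain-name-servers\s+([^;]+);")


def dhclient_pins(dhclient_conf_text, expected):
    """True if an uncommented supersede line pins domain-name-servers to exactly `expected`."""
    for line in dhclient_conf_text.splitlines():
        m = SUPERSEDE.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",")] == [expected]
    return False


def unbound_forwarding(unbound_conf_text):
    """forward-addr and do-not-query-localhost as unbound will read them (its default is yes)."""
    result = {"forward_addr": None, "do_not_query_localhost": True}
    for line in unbound_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("forward-addr:"):
            result["forward_addr"] = line.split(":", 1)[1].strip()
        elif line.startswith("do-not-query-localhost:"):
            result["do_not_query_localhost"] = line.split(":", 1)[1].strip().lower() == "yes"
    return result


def audit(resolv_conf_text, dhclient_conf_text, unbound_conf_text=None, proxy="127.0.0.2@40"):
    """Static consistency check; an empty list means the pieces agree. With unbound, resolv.conf
    must point at 127.0.0.1 and unbound must forward to the proxy; without it, resolv.conf must
    point at the proxy's own address."""
    findings = []
    servers = parse_nameservers(resolv_conf_text)
    expected = "127.0.0.1" if unbound_conf_text is not None else proxy.split("@")[0]
    if not servers:
        findings.append("resolv.conf has no nameserver line")
    for addr in leaking_nameservers(resolv_conf_text):
        findings.append("plaintext DNS leak: resolv.conf nameserver %s is not loopback" % addr)
    if servers and servers[0] != expected:
        findings.append("resolv.conf should point at %s first, found %s" % (expected, servers[0]))
    if not dhclient_pins(dhclient_conf_text, expected):
        findings.append("dhclient.conf does not supersede domain-name-servers with %s" % expected)
    if unbound_conf_text is not None:
        fwd = unbound_forwarding(unbound_conf_text)
        if fwd["forward_addr"] != proxy:
            findings.append("unbound forward-addr is %s, expected %s" % (fwd["forward_addr"], proxy))
        if fwd["do_not_query_localhost"]:
            findings.append("unbound will refuse to forward to localhost: set do-not-query-localhost: no")
    return findings


def udp_probe(addr, port, name="www.ab9il.net", timeout=2.0):
    """Live check: send one A query and report whether a reply with the same ID comes back."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(query, (addr, port))
        reply, _ = s.recvfrom(512)
        return len(reply) >= 12 and struct.unpack("!H", reply[:2])[0] == txid
    except OSError:             # socket.timeout is an OSError subclass
        return False
    finally:
        s.close()


if __name__ == "__main__":
    def read(path):
        return open(path).read() if os.path.exists(path) else ""
    unbound = read("/etc/unbound/unbound.conf") or None
    proxy = "127.0.0.2@40" if unbound else "127.0.0.1@53"
    for finding in audit(read("/etc/resolv.conf"), read("/etc/dhcp/dhclient.conf"), unbound, proxy):
        print("FINDING:", finding)
    ip, port = proxy.split("@")
    print("dnscrypt-proxy answers on %s:%s:" % (ip, port), udp_probe(ip, int(port)))
    if unbound:
        print("unbound answers on 127.0.0.1:53:", udp_probe("127.0.0.1", 53))
```

Run it after the reboot step; no findings plus True for each listener means the stub resolver, the cache and the proxy agree. It cannot see what leaves the network interface, so finish with tcpdump as the verification steps describe: no readable domain names should appear in packets leaving the box while you resolve one.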

Encrypted DNS should be a part of any personal computer system hardened against surveillance and tampering. The instructions above will help users of Linux to install and configure DNSCrypt, which is presently the best option for protecting a critical element of free and unrestricted internet access. Be aware that most governments also censor network access with IP blacklists, which encrypted DNS does nothing to bypass: the name resolves correctly, but the address it resolves to is still blocked. To overcome these, use a VPN service.




© 2005 - 2024 AB9IL.net, All Rights Reserved.