Port of the week: dnscrypt-proxy

Author: Solène

Date: 19 October 2016

Tags: unix security portoftheweek

NIL### 2020 Update

Now, unwind on OpenBSD and unbound can support DNS over TLS or DNS

over HTTPS, dnscrypt lost a bit of relevance but it's still usable

and a good alternative.

Dnscrypt

Today I will talk about net/dnscrypt-proxy. This let you encrypt your

DNS traffic between your resolver and the remote DNS recursive

server. More and more countries and internet provider use DNS to block

some websites, and now they tend to do "man in the middle" with DNS

answers, so you can't just use a remote DNS you find on the

internet. While a remote dnscrypt DNS server can still be affected by

such "man in the middle" hijack, there is a very little chance DNS

traffic is altered in datacenters / dedicated server hosting.

The article also deal with unbound as a dns cache because dnscrypt is

a bit slow and asking multiple time the same domain in a few minutes

is a waste of cpu/network/time for everyone. So I recommend setting up

a DNS cache on your side (which can also permit to use it on a LAN).

At the time I write this article, their is a very good explanation

about "how to install it" is named dnscrypt-proxy-1.9.5p3 in the

folder /usr/local/share/doc/pkg-readmes/. The following article is

made from this file. (Article updated at the time of OpenBSD 6.3)

While I write for OpenBSD this can be easily adapted to anthing else

Unix-like.

Install dnscrypt ###

pkg_add dnscrypt-proxy

Resolv.conf ###

Modify your resolv.conf file to this

**/etc/resolv.conf** :

nameserver 127.0.0.1

lookup file bind

options edns0

When using dhcp client ###

If you use dhcp to get an address, you can use the following line to

force having 127.0.0.1 as nameserver by modifying dhclient config

file. Beware, if you use it, when upgrading the system from bsd.rd,

you will get 127.0.0.1 as your DNS server but no service running.

**/etc/dhclient.conf** :

supersede domain-name-servers 127.0.0.1;

Unbound ###

Now, we need to modify unbound config to tell him to ask DNS at

127.0.0.1 port 40. Please adapt your config, I will just add what is

mandatory. Unbound configuration file isn't in /etc because it's

chrooted

**/var/unbound/etc/unbound.conf**:

server:

this line is MANDATORY

do-not-query-localhost: no

forward-zone:

name: "."

forward-addr: 127.0.0.1@40

address dnscrypt listen on

If you want to allow other to resolv through your unbound daemon,

please see parameters interface and access-control. You will need to

tell unbound to bind on external interfaces and allow requests on it.

Dnscrypt-proxy ###

Now we need to configure dnscrypt, pick a server in the following LIST

/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv, the name is

the first column.

As root type the following (or use doas/sudo), in the example we

choose dnscrypt.eu-nl as a DNS provider

rcctl enable dnscrypt_proxy

rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40

rcctl start dnscrypt_proxy

Conclusion ###

You should be able to resolv address through dnscrypt now. You can use

tcpdump on your external interface to see if you see something on udp

port 53, you should not see traffic there.

If you want to use `dig hostname -p 40 @127.0.0.1` to make DNS request

to dnscrypt without unbound, you will need net/isc-bind which will

provide /usr/local/bin/dig. OpenBSD base dig can't use a port

different than 53.