Wednesday, October 14, 2015
Encrypt DNS Traffic In Ubuntu With DNSCrypt [Ubuntu PPA]
This article was posted a while back but I've decided to repost it because there's a new PPA that you can use to install dnscrypt-proxy in Ubuntu (14.10, 14.04 and 12.04) and also, some parts of the article needed to be updated.
DNSCrypt is a protocol for securing communications between a client and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks. To use it, you'll need a tool called dnscrypt-proxy, which "can be used directly as your local resolver or as a DNS forwarder, authenticating requests using the DNSCrypt protocol and passing them to an upstream server".
Thanks to Pascal Mons (work based on Sergey "Shnatsel" Davidoff's initial PPA, which doesn't have packages for Ubuntu 14.04 or 14.10 right now), you can easily install it Ubuntu. His packages use 127.0.0.2 as the local IP address so it doesn't interfere with Ubuntu's default setup. Also, for extra security, the packages use a dedicated system user, with no privileges - DNSCrypt will chroot to this user's home directory and drop root privileges for this user's uid as soon as possible.
The default DNSCrypt-enabled resolver used by Pascal's package is DNSCrypt.eu Resolver #1 @ The Hague, Holland, but this, along with other settings, can be changed by editing the /etc/default/dnscrypt-proxy configuration file (use "sudo service dnscrypt-proxy restart" after making changes to the configuration file). A list of public DNS resolvers supporting DNSCrypt can be found HERE (note that to get to the actual provider name, address and public key, you need to scroll to the right - annoying, I know).
According to Pascal, he didn't use the US based OpenDNS resolver, because it keeps logs of the websites you visit and it hijacks the homepage on all browsers, redirecting any URL bar search to its own servers in some cases, which does not happen with the DNSCrypt.eu servers.
According to Pascal, he didn't use the US based OpenDNS resolver, because it keeps logs of the websites you visit and it hijacks the homepage on all browsers, redirecting any URL bar search to its own servers in some cases, which does not happen with the DNSCrypt.eu servers.
If you want to add DNSCrypt support to your own public or private resolver, check out DNSCrypt-Wrapper, a server-side dnscrypt proxy that works with any name resolver.
Install DNSCrypt (dnscrypt-proxy) in Ubuntu / Linux Mint via PPA
1. To add Pascal's DNSCrypt PPA and install dnscrypt-proxy in Ubuntu, Linux Mint, elementary OS or other Ubuntu-based Linux distributions (including armhf), use the following commands:
sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxyNote: the PPA description provides information on how to check the authenticity of the code used for building the packages.
2. After installing DNSCrypt, you need to set your network connection DNS server to 127.0.0.2.
To do this in Unity, from the Network Manager indicator select Edit Connections, then select the connection and click Edit, switch to the IPv4 Settings tab and:
- if you're using Manual (static IP) as the "Method", enter "127.0.0.2" under "DNS servers" (and remember / note your original DNS server in case you want to go back to it), then click "Save":
- if you're using "Automatic (DHCP)" as the "Method", switch it to "Automatic (DHCP) addresses only" and enter "127.0.0.2" under "DNS servers", then click "Save":
3. And finally, restart your network connection (under Unity: select Network indicator > Enable Networking twice to disable and then re-enable it) and web browser.
You may want to check if the "127.0.0.2" DNS is actually in use (it needs to be the only DNS) - to do this in Unity, from the Network indicator select Connection Information.
Because the dnscrypt-proxy packages from Pascal's PPA don't use OpenDNS, you can't check to see if the DNS are used via the "dig txt debug.opendns.com" command or by visiting OpenDNS' test pages. However, you can check this by visiting https://dnsleaktest.com/ and running a DNS check - if you didn't change the default dnscrypt-proxy package resolver, it should display something like this:
Another way of checking if dnscrypt-proxy is working is by using the following command:
sudo tcpdump -i NETWORK-INTERFACE dst host 176.56.237.171(where NETWORK-INTERFACE is your active network interface like eth0, p5p1, etc. - you can find it using "ifconfig" -, and "176.56.237.171" is the default resolver used by Pascal's packages - if you've used a different one, change it in the command above with yours!)
The command output should look like this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p5p1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:14:53.142488 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.142514 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291372 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.291450 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464624 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.464641 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.751950 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512
16:14:53.815789 IP ubuntu-desktop.local.57467 > resolver1.dnscrypt.eu.https: UDP, length 512Tip: DNSCrypt can be used with Unbound or dnsmasq (I didn't test it though) - for this and other tips, see THIS ArchWiki entry.
For more information on DNSCrypt / dnscrypt-proxy, check out the following links:
- https://github.com/jedisct1/dnscrypt-proxy
- http://dnscrypt.org/
- http://www.opendns.com/about/innovations/dnscrypt/
seen @ desdelinux.net, thanks to Pascal Mons for the PPA!
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment