Jul 092012
 

OpenDNS is a popular DNS provider used widely both in the server as in home desktop, one of the feature they provide to their customer is DNSCrypt, a security enhancement that should add protection against all DNS based attacks, such as cache poisoning.

In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between OpenDNS customers and their DNS servers. The software is released as open source on GitHub.

At the moment this solution only works in conjunction with OpenDNS, which means that you need to change your computer’s DNS provider to OpenDNS to make use of the this security feature, that’s their business after all.

Let’s see in detail how to use it on Linux.


Installation for Debian should work also on Ubuntu.
The following guide is based on the article found on http://shadowmax.referata.com/ in Italian.

Prerequisites

To improve performance we can use a Name Service Caching Daemonnscd:

sudo apt-get install nscd
sudo service nscd stop

sudo sed -i -E -e '/^\s*persistent\s*(passwd|group|hosts|services|netgroup)\s*yes/s/yes/no/g' \
               -e '/^\s*enable-cache\s*(passwd|group|services|netgroup)\s*yes/s/yes/no/g' \
               -e '/^\s*enable-cache\s*hosts\s*no/s/no/yes/g' /etc/nscd.conf
sudo service nscd start

We enable also the support to the Extension Mechanisms for DNS:

echo "options edns0" | sudo tee -a /etc/resolvconf/resolv.conf.d/tail

and we disable the local resolver:

sudo sed -i 's/^dns=dnsmasq/#dns=dnsmasq/g' /etc/NetworkManager/NetworkManager.conf
sudo restart network-manager

Now we create a dedicated user on the system without a shell and with an empty home directory, to be used to run dnscrypt-proxy:

sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false \
             --group --disabled-password --disabled-login dnscrypt

Installation

Download the package dnscrypt-proxy in the deb format:

https://github.com/opendns/dnscrypt-proxy/downloads

and install it with :

sudo dpkg --install dnscrypt-proxy_*.deb

Now we create an Upstart script, in this way DNSCrypt will start automatically at boot:

echo '
description "dnscrypt-proxy startup script"

pre-start script
    mkdir -p /run/dnscrypt
end script

start on (local-filesystems and net-device-up IFACE=lo)
stop on runlevel [!2345]

exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 \
                              --edns-payload-size=4096 \
                              --pidfile=/run/dnscrypt-proxy.pid \
                              --resolver-port=443 \
                              --user=dnscrypt \
                              --local-port=53 \
                              --tcp-only
' | sudo tee /etc/init/dnscrypt-proxy.conf
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt-proxy
sudo start dnscrypt-proxy

Configuration

To use DNSCrypt you just have to change in the network property the DNS servers with 127.0.0.2.
To test that everything is working properly, go here

Installation for Mint, Red Hat Enterprise, Centos and Fedora.

dnscrypt-proxy is also available as rpm package in the official Downlaod Page: https://github.com/opendns/dnscrypt-proxy/downloads, install it and after this run:

sudo /usr/sbin/dnscrypt-proxy --daemonize

After this you’ll have to setup your network connection, changing the DNS namserver to 127.0.0.1

edit-network

if everything works, and you want an automatic start of dnscrypt-proxy at boot add this line to your /etc/rc.local file:

/usr/sbin/dnscrypt-proxy --daemonize

And at last if you use Linux Mint there is a good guide on the installation of DNSCrypt on the official Mint forum

Conclusions

In my point of view this is a good option to add an additional layer of security, if you can and want to use opendns as your Nameserver, but i also think this is not easily doable in many company, because you need to use your OWN DNS server to properly map private domains, so as first thing you could test this solution on your home computers.

Popular Posts:

Flattr this!

  10 Responses to “DNSCrypt, crypt your DNS request”

  1. You forgot to mention that opendns is a censoring DNS that censors specific domains, so by using opendns you will be at the mercy of what opendns decides you are allowed to see.

  2. I miss Ubuntu (or Debian) package with DNScrypt, package with well designed start/stop scripts. I noticed some try to create Ubuntu package in the past but that try was not well done. This article is nice but well designed package for #1 distribution can do more for DNScrypt…

  3. DNScrypt being related to OpenDNS you must be aware of two facts.

    The only openness of OpenDNS is in its name and price (free as free in beer).

    But OpenDNS is not free as free in speech. Quite the contrary, OpenDNS is filtering web access based on “political correctness” rules (at least this was true the last time i had checked it, something like two years ago, no risk for me to come back to a censor company 😉 ). So depending of your choice this may be or not be a good decision. You are only warned from now on.

    • Ok… give some examples, please… Since I can access thepiratebay fine through opendns, I can’t imagine what sites (other than what they state they censor) they would censor. Oh, and please suggest other free non-censoring dns-providers to use. Where I am all isp’s, censors blocks access to many, many websites (it’s the law…). Google very much wants to track you (but you _can_ opt-out, then you just have to trust they don’t) and are definately under US censoring laws (not sure about opendns)… blah… blah…

  4. In ubuntu 12.04 (3.2.0-26-generic x86_64) the following commands doesn’t work:

    1) sudo sed -i -E -e ‘/^s*persistents*(passwd|group|hosts|services|netgroup)s*yes/s/yes/no/g’
    -e ‘/^s*enable-caches*(passwd|group|services|netgroup)s*yes/s/yes/no/g’
    -e ‘/^s*enable-caches*hostss*no/s/no/yes/g’ /etc/nscd.conf

    error: “no input files”

    2) sudo adduser –system –quiet –home /run/dnscrypt –shell /bin/false
    –group –disabled-password –disabled-login dnscrypt

    error “only one or two names allowed”

    3) sudo start dnscrypt-proxy
    works this way:
    sudo dnscrypt-proxy start

  5. […] guide got me 90% of the way. http://linuxaria.com/howto/dnscrypt-crypt-your-dns-request?lang=en Share this:TwitterFacebookLike this:LikeBe the first to like […]

  6. The instructions above don’t work.

    And it is not an OpenDNS product. They are just running it on their servers like others.

    The official DNSCrypt website is https://dnscrypt.org

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

*