OpenDNS is a popular DNS provider, widely used both on servers and on home desktops. One of the features it offers its customers is DNSCrypt, a security enhancement meant to protect against DNS-based attacks such as cache poisoning.
In the same way that SSL turns HTTP web traffic into encrypted HTTPS traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is protected from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or to how they work; it simply provides a method for encrypting the communication between OpenDNS customers and OpenDNS’s DNS servers. The software is released as open source on GitHub.
At the moment this solution only works in conjunction with OpenDNS, which means that you need to change your computer’s DNS provider to OpenDNS to make use of this security feature; that’s their business, after all.
Let’s see in detail how to use it on Linux.
Installation for Debian; this should also work on Ubuntu.
The following guide is based on an article (in Italian) found on http://shadowmax.referata.com/.
To improve performance we can use the Name Service Caching Daemon, nscd:
sudo apt-get install nscd
sudo service nscd stop
sudo sed -i -E -e '/^\s*persistent\s*(passwd|group|hosts|services|netgroup)\s*yes/s/yes/no/g' \
  -e '/^\s*enable-cache\s*(passwd|group|services|netgroup)\s*yes/s/yes/no/g' \
  -e '/^\s*enable-cache\s*hosts\s*no/s/no/yes/g' /etc/nscd.conf
sudo service nscd start
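As an added check (example code, not from the original post or the dnscrypt-proxy project): the same three sed rules applied to a copy of nscd.conf, together with a verification function, so the edit can be tried on a constructed sample file before touching /etc/nscd.conf. It assumes GNU sed and grep, as shipped with Debian.

```shell
# Added example: rehearse and verify the nscd.conf edit on a scratch file.
# All functions take the path of the file to work on as their first argument.

# Write a constructed nscd.conf fragment that mirrors the stock Debian layout
# (hosts caching off, every other database cached and persisted to disk).
write_sample_nscd_conf() {
  cat > "$1" <<'EOF'
        enable-cache            passwd          yes
        persistent              passwd          yes
        enable-cache            group           yes
        persistent              group           yes
        enable-cache            hosts           no
        persistent              hosts           yes
        enable-cache            services        yes
        persistent              services        yes
        enable-cache            netgroup        yes
        persistent              netgroup        yes
EOF
}

# The guide's three rules: no on-disk persistence for any database, no
# caching of anything except hosts, and hosts caching switched on.
apply_nscd_hosts_only() {
  sed -i -E \
    -e '/^\s*persistent\s*(passwd|group|hosts|services|netgroup)\s*yes/s/yes/no/g' \
    -e '/^\s*enable-cache\s*(passwd|group|services|netgroup)\s*yes/s/yes/no/g' \
    -e '/^\s*enable-cache\s*hosts\s*no/s/no/yes/g' "$1"
}

# Return 0 only if hosts is the sole cached database and nothing is persistent.
check_nscd_hosts_only() {
  f="$1"
  grep -Eq '^[[:space:]]*enable-cache[[:space:]]+hosts[[:space:]]+yes' "$f" || return 1
  ! grep -Eq '^[[:space:]]*enable-cache[[:space:]]+(passwd|group|services|netgroup)[[:space:]]+yes' "$f" || return 1
  ! grep -Eq '^[[:space:]]*persistent[[:space:]]+[^[:space:]]+[[:space:]]+yes' "$f" || return 1
  return 0
}
```

Run `check_nscd_hosts_only /etc/nscd.conf` after the real edit to confirm it took effect before restarting nscd.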
We also enable support for the Extension Mechanisms for DNS (EDNS0):
echo "options edns0" | sudo tee -a /etc/resolvconf/resolv.conf.d/tail
and we disable the local resolver (dnsmasq, as started by NetworkManager):
sudo sed -i 's/^dns=dnsmasq/#dns=dnsmasq/g' /etc/NetworkManager/NetworkManager.conf
sudo restart network-manager
Now we create a dedicated system user, with no shell and an empty home directory, to run dnscrypt-proxy:
sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false \
  --group --disabled-password --disabled-login dnscrypt
Download the dnscrypt-proxy package in deb format:
and install it with:
sudo dpkg --install dnscrypt-proxy_*.deb
Now we create an Upstart job, so that DNSCrypt starts automatically at boot:
echo '
description "dnscrypt-proxy startup script"

pre-start script
    mkdir -p /run/dnscrypt
end script

start on (local-filesystems and net-device-up IFACE=lo)
stop on runlevel [!2345]

exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 \
    --edns-payload-size=4096 \
    --pidfile=/run/dnscrypt-proxy.pid \
    --resolver-port=443 \
    --user=dnscrypt \
    --local-port=53 \
    --tcp-only
' | sudo tee /etc/init/dnscrypt-proxy.conf
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt-proxy
sudo start dnscrypt-proxy
To use DNSCrypt you just have to change the DNS servers in your network properties to 127.0.0.2.
To test that everything is working properly, go here
Installation for Mint, Red Hat Enterprise Linux, CentOS and Fedora.
dnscrypt-proxy is also available as an rpm package on the official download page: https://github.com/opendns/dnscrypt-proxy/downloads. Install it and then run:
sudo /usr/sbin/dnscrypt-proxy --daemonize
After this you’ll have to set up your network connection, changing the DNS nameserver to 127.0.0.1.
If everything works and you want dnscrypt-proxy to start automatically at boot, add this line to your /etc/rc.local file:
And finally, if you use Linux Mint there is a good guide to installing DNSCrypt on the official Mint forum
In my point of view this is a good option to add an additional layer of security, if you can and want to use OpenDNS as your nameserver, but I also think this is not easily doable in many companies, because you need to use your OWN DNS server to properly map private domains, so as a first thing you could test this solution on your home computers.