OpenDNS is a popular DNS provider used widely both in the server as in home desktop, one of the feature they provide to their customer is DNSCrypt, a security enhancement that should add protection against all DNS based attacks, such as cache poisoning.
In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between OpenDNS customers and their DNS servers. The software is released as open source on GitHub.
At the moment this solution only works in conjunction with OpenDNS, which means that you need to change your computer’s DNS provider to OpenDNS to make use of the this security feature, that’s their business after all.
Let’s see in detail how to use it on Linux.
Installation for Debian should work also on Ubuntu.
The following guide is based on the article found on http://shadowmax.referata.com/ in Italian.
Prerequisites
To improve performance we can use a Name Service Caching Daemon, nscd:
sudo apt-get install nscd
sudo service nscd stop
sudo sed -i -E -e '/^\s*persistent\s*(passwd|group|hosts|services|netgroup)\s*yes/s/yes/no/g' \
-e '/^\s*enable-cache\s*(passwd|group|services|netgroup)\s*yes/s/yes/no/g' \
-e '/^\s*enable-cache\s*hosts\s*no/s/no/yes/g' /etc/nscd.conf
sudo service nscd start
We enable also the support to the Extension Mechanisms for DNS:
echo "options edns0" | sudo tee -a /etc/resolvconf/resolv.conf.d/tail
and we disable the local resolver:
sudo sed -i 's/^dns=dnsmasq/#dns=dnsmasq/g' /etc/NetworkManager/NetworkManager.conf sudo restart network-manager
Now we create a dedicated user on the system without a shell and with an empty home directory, to be used to run dnscrypt-proxy:
sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false \
--group --disabled-password --disabled-login dnscrypt
Installation
Download the package dnscrypt-proxy in the deb format:
https://github.com/opendns/dnscrypt-proxy/downloads
and install it with :
sudo dpkg --install dnscrypt-proxy_*.deb
Now we create an Upstart script, in this way DNSCrypt will start automatically at boot:
echo '
description "dnscrypt-proxy startup script"
pre-start script
mkdir -p /run/dnscrypt
end script
start on (local-filesystems and net-device-up IFACE=lo)
stop on runlevel [!2345]
exec /usr/sbin/dnscrypt-proxy --local-address=127.0.0.2 \
--edns-payload-size=4096 \
--pidfile=/run/dnscrypt-proxy.pid \
--resolver-port=443 \
--user=dnscrypt \
--local-port=53 \
--tcp-only
' | sudo tee /etc/init/dnscrypt-proxy.conf
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt-proxy
sudo start dnscrypt-proxy
Configuration
To use DNSCrypt you just have to change in the network property the DNS servers with 127.0.0.2.
To test that everything is working properly, go here
Installation for Mint, Red Hat Enterprise, Centos and Fedora.
dnscrypt-proxy is also available as rpm package in the official Downlaod Page: https://github.com/opendns/dnscrypt-proxy/downloads, install it and after this run:
sudo /usr/sbin/dnscrypt-proxy --daemonize |
After this you’ll have to setup your network connection, changing the DNS namserver to 127.0.0.1
if everything works, and you want an automatic start of dnscrypt-proxy at boot add this line to your /etc/rc.local file:
/usr/sbin/dnscrypt-proxy --daemonize
And at last if you use Linux Mint there is a good guide on the installation of DNSCrypt on the official Mint forum
Conclusions
In my point of view this is a good option to add an additional layer of security, if you can and want to use opendns as your Nameserver, but i also think this is not easily doable in many company, because you need to use your OWN DNS server to properly map private domains, so as first thing you could test this solution on your home computers.
Popular Posts:
- None Found
You forgot to mention that opendns is a censoring DNS that censors specific domains, so by using opendns you will be at the mercy of what opendns decides you are allowed to see.
Can you make examples or post links about this… ?
You are right. And that censorship is why I use OpenDNS… 😉
http://www.opendns.com/phishing-protection
OpenDNS is a company that logs everything and even boasts about how much logs they store. No, thanks. But dnscrypt works with other services that are more privacy aware.
I miss Ubuntu (or Debian) package with DNScrypt, package with well designed start/stop scripts. I noticed some try to create Ubuntu package in the past but that try was not well done. This article is nice but well designed package for #1 distribution can do more for DNScrypt…
DNScrypt being related to OpenDNS you must be aware of two facts.
The only openness of OpenDNS is in its name and price (free as free in beer).
But OpenDNS is not free as free in speech. Quite the contrary, OpenDNS is filtering web access based on “political correctness” rules (at least this was true the last time i had checked it, something like two years ago, no risk for me to come back to a censor company 😉 ). So depending of your choice this may be or not be a good decision. You are only warned from now on.
Ok… give some examples, please… Since I can access thepiratebay fine through opendns, I can’t imagine what sites (other than what they state they censor) they would censor. Oh, and please suggest other free non-censoring dns-providers to use. Where I am all isp’s,
censorsblocks access to many, many websites (it’s the law…). Google very much wants to track you (but you _can_ opt-out, then you just have to trust they don’t) and are definately under US censoring laws (not sure about opendns)… blah… blah…In ubuntu 12.04 (3.2.0-26-generic x86_64) the following commands doesn’t work:
1) sudo sed -i -E -e ‘/^s*persistents*(passwd|group|hosts|services|netgroup)s*yes/s/yes/no/g’
-e ‘/^s*enable-caches*(passwd|group|services|netgroup)s*yes/s/yes/no/g’
-e ‘/^s*enable-caches*hostss*no/s/no/yes/g’ /etc/nscd.conf
error: “no input files”
2) sudo adduser –system –quiet –home /run/dnscrypt –shell /bin/false
–group –disabled-password –disabled-login dnscrypt
error “only one or two names allowed”
3) sudo start dnscrypt-proxy
works this way:
sudo dnscrypt-proxy start
[…] guide got me 90% of the way. http://linuxaria.com/howto/dnscrypt-crypt-your-dns-request?lang=en Share this:TwitterFacebookLike this:LikeBe the first to like […]
The instructions above don’t work.
And it is not an OpenDNS product. They are just running it on their servers like others.
The official DNSCrypt website is https://dnscrypt.org