DNSCrypt Tools Pet Preliminary

Configuration wizards, scanners, remote desktop, etc.
s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

DNSCrypt Tools Pet Preliminary

#1 Post by s243a »

Edit!!!!!
Please use the combined package at the moment:
https://www.dropbox.com/s/6tjk8axv7s1m0 ... 0.pet?dl=0
(Contains libsodium, dnscrypt-proxy and DNSCrypt-tools)
I need to update the individual package for dnscrypt-proxy
End Edit



Old content below:
----------------------
Here is a preliminary package for "DNSCrypt Tools"
https://www.dropbox.com/s/6gucl545pfdod ... 1.pet?dl=0

This requires "DNSCrypt" (pet found on this thread)

The Current source for "DNSCrypt Tools" can be found here:
http://sourceforge.net/projects/dnscrypt-tools/

I built this pet by extracting dnscrypt-tools-1.1.xzm using UExtract (see UExtract Thread).

In both of the files:

Code:

    /usr/local/bin/dnscrypt-tools
    /usr/share/freestyler/dnscrypt-tools/dnscrypt-gui.sh

I deleted any reference to kdesu because my version of puppylinux (i.e. precise) does not support this command. kdesu changes the user for one command. Something like this might be handy if running as spot, because spot doesn't have the right permissions to run this. However, it is not an issue if you are running as root. I'm open to suggestions on how to make this work if running as spot.

----------------------------
It is worth looking at the code in:
/usr/share/freestyler/dnscrypt-tools/dnscrypt-gui.sh

The start button launches:

Code:

    /usr/local/sbin/dnscrypt-proxy --daemonize --local-address=127.0.0.2 --resolver-address=176.56.237.171:443 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

which tells us to run the thread in the background, binding DNS requests to 127.0.0.2 and using "2.dnscrypt-cert.resolver1.dnscrypt.eu" as the DNS provider.

We can change the DNS resolver if we like. A list of DNS resolvers supporting DNSCrypt is given here:
https://github.com/jedisct1/dnscrypt-pr ... ers.csv#L6

Pay attention to the country where they are located, and whether it says something like "no-logging" or "not censored". Just as a guess, say someone wanted to connect to a Swedish website and they thought it would be censored in their country; then they could either try a non-censored DNS provider in their own country or perhaps try a Swedish DNS provider, because if they have a DNS name registered in Sweden then it shouldn't be censored in Sweden.

Another thing that a person might want to do is add logging. More info can be found here:
http://dnscrypt.org/
https://github.com/jedisct1/dnscrypt-pr ... E.markdown

TODO
It would be nice if the gui gave the option of changing both the ip address that the DNS request binds to and also if there was an option to change the DNS resolver. I may try to do this in the future but have no experience using gtkdialog.
Last edited by s243a on Thu 23 Apr 2015, 05:52, edited 7 times in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#2 Post by s243a »

So I tested it by changing the nameserver in

Code:

    /etc/resolv.conf

to

Code:

    nameserver 127.0.0.2

Once this is done the web browser will not be able to resolve the DNS server when dnscrypt is not running.

Launch the GUI in one of three ways:
1. Via the menu: (Network/DNS Crypt Tools)
2. Via the command: "dnscrypt-tools" (located in /usr/local/bin/)
3. By directly calling the GUI: /usr/share/freestyler/dnscrypt-tools/dnscrypt-gui.sh

Once the GUI is opened, click start, and now the web browser should be able to resolve DNS addresses via DNSCrypt.

There are also buttons called "Enable" and "Disable" which control whether the proxy initiates during startup.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#3 Post by musher0 »

Is it compatible with all Internet Providers?
I get my Internet feed from videotron.ca. I tried OpenDNS on my Puppy
and couldn't get connected anymore.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#4 Post by s243a »

musher0 wrote:
    Is it compatible with all Internet Providers?
    I get my Internet feed from videotron.ca. I tried OpenDNS on my Puppy
    and couldn't get connected anymore.

As a non-expert, I would say that the internet provider shouldn't matter, because all the DNS resolver does is give you a way of looking up the IP address. However, someone between you and the DNS resolver could filter the DNS query based on the port number:

    Queries using nonstandard ports / over TCP

    Some routers and firewalls can block outgoing DNS queries or transparently redirect them to their own resolver. This especially happens on public Wifi hotspots, such as coffee shops.

    As a workaround, the port number can be changed using the --resolver-port=<port> option. For example, OpenDNS servers reply to queries sent to ports 53, 443 and 5353.

    By default, dnscrypt-proxy sends outgoing queries to UDP port 443.

    In addition, the DNSCrypt proxy can force outgoing queries to be sent over TCP. For example, TCP port 443, which is commonly used for communication over HTTPS, may not be filtered.

    The --tcp-only command-line switch forces this behavior. When an incoming query is received, the daemon immediately replies with a "response truncated" message, forcing the client to retry over TCP. The daemon then authenticates the query and forwards it over TCP to the resolver.

    --tcp-only is slower than UDP, and this workaround should never be used except when bypassing a filter is actually required. Moreover, multiple queries over a single TCP connections aren't supported yet.

    http://dnscrypt.org/

So from reading the above, it looks like the requests could be filtered or blocked. However, this can be subverted by connecting to the DNSCrypt server via TCP rather than UDP.

Aside from this, one should make sure that they set everything up correctly. If using the default "DNS tools" setup then in /etc/resolv.conf one should have:

Code:

    nameserver 127.0.0.2

If you are worried about messing up your network connection you can back this file up. The file "/etc/rc.d/rc.local" is also modified if you click the button to enable DNSCrypt on startup, so if paranoid you may want to back up this file as well.

Follow the links for the prerequisites in my original post (DNSCrypt-proxy and libsodium) because you'll need them for "DNSCrypt tools" to work. I'll combine these into a single pet shortly.
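Added check (example code, not part of DNSCrypt Tools or of this thread): a POSIX sh function that reads a resolv.conf-style file and fails unless every nameserver line points at 127.0.0.2, the --local-address the Start button gives dnscrypt-proxy, so a resolv.conf rewritten by dhcpcd or a wizard is noticed before queries go out in the clear to the ISP resolver. The address and file path come from the thread; the sample files the demo builds are constructed.

```shell
#!/bin/sh
# Added example, not part of DNSCrypt Tools: verify that a resolv.conf-style
# file sends every query to the DNSCrypt proxy listening on 127.0.0.2, so no
# lookup leaks unencrypted to whatever resolver dhcpcd or a wizard wrote there.
# Exit status: 0 = only 127.0.0.2, 1 = another resolver found, 2 = none at all.

DNSCRYPT_LOCAL=127.0.0.2   # the --local-address the Start button passes to dnscrypt-proxy

check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    found=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*|';'*|'') continue ;;          # comments and blank lines
        esac
        set -- $line                           # word-split: keyword, then values
        [ "$1" = nameserver ] || continue      # search/domain/options lines are fine
        found=1
        if [ "$2" != "$DNSCRYPT_LOCAL" ]; then
            echo "LEAK: $file would send queries to $2, not $DNSCRYPT_LOCAL" >&2
            rc=1
        fi
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "no nameserver line in $file: nothing will resolve" >&2
        return 2
    fi
    return "$rc"
}

# Constructed samples (not real files from the thread) for a stand-alone run.
# Returns 0 when the checker classifies all three files as expected.
demo_check() {
    d=$(mktemp -d) || return 1
    printf 'nameserver 127.0.0.2\n' > "$d/ok"
    printf '# written by dhcpcd\nnameserver 127.0.0.2\nnameserver 192.0.2.53\n' > "$d/leak"
    printf 'search example.invalid\n' > "$d/none"
    check_resolv_conf "$d/ok" 2>/dev/null;   r_ok=$?
    check_resolv_conf "$d/leak" 2>/dev/null; r_leak=$?
    check_resolv_conf "$d/none" 2>/dev/null; r_none=$?
    rm -rf "$d"
    [ "$r_ok" -eq 0 ] && [ "$r_leak" -eq 1 ] && [ "$r_none" -eq 2 ]
}
```

Source the file and run `check_resolv_conf` after each reboot (or from rc.local before the proxy starts) to confirm the nameserver line survived.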

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#5 Post by s243a »

I created a combined package. I built the combined package in precise (one of my versions of puppy) and tested it in a fresh install of tahrpup (newest PAE version).
Please see the note on the first post.

boring technical note
When I tested it on tahrpup tonight I realized that for DNSCrypt-proxy to install into a target directory, the prefix had to be passed to the configure script. It isn't enough to just change it in the makefile because DNSCrypt-proxy uses several makefiles and recursive targets. The macro which sets the prefix in the makefile isn't passed down to child make processes. It worked on my system without doing this because whatever didn't install to where I set the prefix installed into the normal place on my system when I did "make install".

The correct configure command which I used tonight for DNSCrypt-proxy is:

Code:

    ./configure --prefix /tmp/DNSCrypt/

Needless to say, all the required files should be within the pet now and it should run on 32-bit pups. I will do more testing, and keep people informed.

Also I should mention that when I installed it on tahrpup I had it configured with the default firewall settings.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#6 Post by s243a »

As mentioned in the first post, please use the combined version, and verify the hashes in case dropbox didn't correctly update the file. Here are the hashes:

MD5: 001cde1db99d842a47970a8f08e00d72
SHA1: 6d0846f9f304b3f0a1a7fd027b7d227e0bd9f3f2
SHA256: 9e504276a27c3eb068b5ccc4257dd2fce10e279da191b999ad044f96b23ad675

This seems to be working on Tahrpup, so I'll save my session on Tahrpup and try it on a different version of puppy (fresh install) tomorrow. Perhaps debiandog.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#7 Post by s243a »

I found an issue with rebooting. resolv.conf gets overwritten by dhcpcd. Presumably this happens when you request your IP address via DHCP. This problem applies to the version of puppylinux called "precise". Precise uses "dhcpcd 5.6.4 (c) 2006-2012 Roy Marples"
http://roy.marples.name/projects/dhcpcd/index

There is a configuration file associated with this version of dhcpcd:

Code:

    /etc/dhcpcd.conf

Presumably, I need to change line 12 which says:

Code:

    Line#11 # A list of options to request from the DHCP server.
    Line#12 option domain_name_servers, domain_name, domain_search, 
    Line#13 option classless_static_routes

so that "domain_name_servers" is removed.

Here is the complete configuration file:

Code:

    # A sample configuration for dhcpcd.
    # See dhcpcd.conf(5) for details.

    # Inform the DHCP server of our hostname for DDNS.
    hostname
    # To share the DHCP lease across OSX and Windows a ClientID is needed.
    # Enabling this may get a different lease than the kernel DHCP client.
    # Some upstream DHCP servers may also require a ClientID, such as FRITZ!Box.
    #clientid

    # A list of options to request from the DHCP server.
    option domain_name_servers, domain_name, domain_search, host_name
    option classless_static_routes
    # Most distributions have NTP support.
    option ntp_servers
    # Respect the network MTU.
    option interface_mtu
    # A ServerID is required by RFC2131.
    require dhcp_server_identifier

    # A hook script is provided to lookup the hostname if not set by the DHCP
    # server, but it should not be run by default.
    nohook lookup-hostname

I'll give it a try later and post the results.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#8 Post by s243a »

Part 1: Saving changes to DNS name server
-----------------
So, I succeeded in getting the name server to stay as 127.0.0.2 on reboot by using the menu wizards that came with puppylinux (precise).

I used the more advanced wizard. First I get an IP address using DHCP, then I go to the static IP address wizard and set the nameserver.

I know that this is the wrong way to do it because I don't know how long the lease is on this IP address given through DHCP. Also, there should be a way to configure the DNS nameserver without being required to use a static IP address. Also, if I use a static IP address, I should use one that is outside of the name range assigned by my router's DHCP server.


**Note: I discuss more about what I learned about the puppylinux (precise) network configuration/startup in the thread "Shell Functions that are Never Called?!?! Yet Run?"


Part 2: DNS Proxy Automatic Startup on boot
-----------------
Another problem I am having is getting DNSCrypt Tools to work on startup. I can start it through the menu but I need to learn about the startup process before I can make this automatic.

DNSCryptTools tries to make DNSCrypt-proxy start on startup by modifying /etc/rc.d/rc.local. The exact code is:

Code:

    #! /bin/bash
    Encoding=UTF-8

    cat /etc/rc.d/rc.local | sed '/dnscrypt/d' >> /etc/rc.d/rc.tmp;
    mv /etc/rc.d/rc.tmp /etc/rc.d/rc.local;
    sed -i '$a exec /usr/local/sbin/dnscrypt-proxy --daemonize --local-address=127.0.0.2' /etc/rc.d/rc.local
    chmod a+x /etc/rc.d/rc.local

I'll have to read through /etc/rc.d/rc.sysinit to better understand the startup process and why the modifications to rc.local aren't causing the proxy to start upon startup. My rc.local looks like:

Code:

    #this file called from rc.sysinit
    #you can edit this file
    #When firewall is installed, will append lines to this file...

    if [ -x /etc/rc.d/rc.firewall ]; then
      /etc/rc.d/rc.firewall start
    fi
    exec /usr/local/sbin/dnscrypt-proxy --daemonize --local-address=127.0.0.2

Perhaps the firewall for some reason overwrites the last line before this script gets executed.

Part 3: Trying to have dhcpcd set up the network
------------------------------------
My preferred way to set up the network would be by using dhcpcd.

In /etc/dhcpcd.conf I modified

Code:

    # A list of options to request from the DHCP server.
    option domain-name-servers , domain_name, domain_search, host_name

to

Code:

    # Set the DNS server to be used by the
    # DHCP clients

    option domain-name-servers 127.0.0.2;

    # A list of options to request from the DHCP server.
    option domain_name, domain_search, host_name

however, this didn't seem to do anything.

Here are some links that may be helpful for dhcpcd:

http://www.linuxhomenetworking.com/wiki ... T3Tnhfx5US
http://www.phystech.com/download/dhcpcd_man.html

The dhcpcd.conf file within my version of puppy (precise) is considerably simpler than the one in the linked example. As I mentioned above, setting the DNS name server through dhcpcd.conf doesn't seem to have any effect on the nameserver used by my version of puppylinux (precise 5.7.1).
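Added example (not part of DNSCrypt Tools, Puppy or this thread) for the resolv.conf-overwrite problem of posts #7 and #8, handled on the dhcpcd side: the `option domain-name-servers 127.0.0.2;` line tried above is ISC dhcpd server syntax, not dhcpcd client syntax, so this function instead drops domain_name_servers from the `option` request line and adds a `static domain_name_servers=127.0.0.2` directive, the form documented in dhcpcd.conf(5). It backs the file up first, as post #4 advises; that the static value overrides the lease in dhcpcd 5.6.4 on precise is an assumption, not something verified here.

```shell
#!/bin/sh
# Added example, not part of DNSCrypt Tools or Puppy: make dhcpcd keep
# 127.0.0.2 (the proxy's --local-address) as the resolver instead of the
# DHCP-supplied one, by editing dhcpcd.conf rather than resolv.conf.
# Assumes dhcpcd's "static" directive (dhcpcd.conf(5)) overrides the lease value.
# Usage: pin_dnscrypt_resolver /etc/dhcpcd.conf   (writes a .bak copy first)

DNSCRYPT_LOCAL=127.0.0.2

pin_dnscrypt_resolver() {
    conf=${1:-/etc/dhcpcd.conf}
    tmp=$(mktemp) || return 1
    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }   # backup, as the thread advises
    # 1. Stop requesting domain_name_servers from the DHCP server: drop that
    #    token from every "option ..." line, commenting the line out if it
    #    then names nothing else.
    sed -e '/^[[:space:]]*option[[:space:]]/{
        s/domain_name_servers[[:space:]]*,[[:space:]]*//
        s/,[[:space:]]*domain_name_servers[[:space:]]*$//
        s/^[[:space:]]*option[[:space:]]*domain_name_servers[[:space:]]*$/#&/
    }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"        # cat, not mv, so the file keeps its mode and owner
    rm -f "$tmp"
    # 2. Pin the resolver with a static value; idempotent on repeated runs.
    grep -q '^[[:space:]]*static[[:space:]]*domain_name_servers=' "$conf" ||
        printf 'static domain_name_servers=%s\n' "$DNSCRYPT_LOCAL" >> "$conf"
}

# Constructed sample reproducing the option lines quoted in the thread, for a
# stand-alone run; returns 0 if two passes leave exactly the expected lines.
demo_pin() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# A list of options to request from the DHCP server.' \
        'option domain_name_servers, domain_name, domain_search, host_name' \
        'option classless_static_routes' \
        'option ntp_servers' > "$f"
    pin_dnscrypt_resolver "$f" && pin_dnscrypt_resolver "$f" || return 1   # twice: idempotent
    grep -q '^option domain_name, domain_search, host_name$' "$f" &&
        ! grep -q 'domain_name_servers,' "$f" &&
        [ "$(grep -c '^static domain_name_servers=127.0.0.2$' "$f")" -eq 1 ]
    rc=$?
    rm -f "$f" "$f.bak"
    return $rc
}
```

If this dhcpcd version ignores the static value, `nohook resolv.conf` in dhcpcd.conf stops dhcpcd from touching /etc/resolv.conf at all, leaving the nameserver 127.0.0.2 line in place.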
