DNSCrypt Proxy 2

Antivirus, forensics, intrusion detection, cryptography, etc.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

DNSCrypt Proxy 2

#1 Post by labbe5 »

First, you should read this to have an understanding of what DNSCrypt-proxy offers you in terms of privacy and security. It is a good start :
https://lifehacker.com/how-to-boost-you ... -510386189

http://www.webupd8.org/2014/08/encrypt- ... -with.html

DNSCrypt is a protocol for securing communications between a client and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks.

For installing on Mintpup and other Dog-based OS.

You need PPA enabled.

Here are the installation steps :

$sudo add-apt-repository ppa:anton+/dnscrypt

Then apt update and apt install dnscrypt-proxy

.deb file available here for Xenial (16.04 - version 1.6.1 which is not the latest) :
https://ubuntu.pkgs.org/16.04/ubuntu-un ... 6.deb.html

After installing DNSCrypt, you need to set your network connection DNS server to 127.0.0.2.

If you have Frisbee, instead of NetworkManager, you open resolv.conf with :
geany /etc/resolv.conf
and replace whatever nameserver with 127.0.0.2
save and close

To check if dnscrypt is working as it should be, visit this site and click standard test.
Result would look like this :
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands

Now you have an extra security layer when browsing, and your ISP should never know what websites you visit, preventing your ISP from having logs on all your website visits, and helping keep you secure regarding other security threats.

There is a script for downloading and installing dnscrypt, but it failed to install on Mintpup.

You may have better luck than me with this script, but use a fresh install to be on the safe side. It installs dnscrypt from source, with all needed packages for compiling.

At the end resolv.conf has nameserver 127.0.0.2 just as above, but it fails to connect to the Web. I was logged in as root user. You may try it as non-root user.

What the developer says :
This script will automatically and securely set up DNSCrypt as a background service that runs at system startup using DNSCrypt-proxy, the libsodium cryptography library, and the DNSCrypt service provider of your choice. The script also has options that allow you to change the service provider at any time, turn off DNSCrypt to use regular unencrypted DNS, as well as uninstall DNSCrypt.

Here's how to get dnscrypt with wget :
https://github.com/simonclausen/dnscrypt-autoinstall

1.wget https://raw.githubusercontent.com/simon ... utoinstall
2.chmod +x dnscrypt-autoinstall
3.su -c ./dnscrypt-autoinstall

To force uninstallation :
./dnscrypt-autoinstall.sh forcedel

Note 1:
I installed DNSCrypt-proxy on a Fedora-based OS with above autoinstall. I didn't have to change any settings. To see if DNSCrypt-proxy is working well just do : dig google.com in terminal. If you see SERVER 127.0.0.1#53 it is installed and working, launching at boot time. It should work on Ubuntu >=16.04. <16.04 is legacy and may be the reason why autoinstall didn't work on Mintpup. To use dig : install dnsutils.

Note 2:
To secure your resolv.conf file, make it immutable with chattr :
$ chattr +i /etc/resolv.conf
To make it writable again :
chattr -i /etc/resolv.conf

DNS resolvers for DNSCrypt :
https://download.dnscrypt.org/dnscrypt-proxy/

Download file or view dnscrypt-resolvers.csv with LibreOffice calc to find best resolver with dnssec & no logs and make change accordingly. Suggested dnscrypt-compatible resolver : https://www.dnscrypt.eu/ This is a free DNSSEC enabled, non-logged and uncensored DNSCrypt service. With autoinstall script, you need to choose a resolver toward the end of installation, typing a number from a list of resolvers.

Final note :
You may take a look at this Arch wiki about DNSCrypt-proxy. Arch man pages are a useful and comprehensive source of information. Then you may have to adapt this information :
https://wiki.archlinux.org/index.php/DNSCrypt

Security is the name of the game.
Last edited by labbe5 on Wed 31 Oct 2018, 02:25, edited 6 times in total.
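Added example (mine, not labbe5's and not the dnscrypt-proxy project's): a small POSIX shell script that does the two things this post leaves to LibreOffice and eyeballing. It filters dnscrypt-resolvers.csv down to resolvers that both validate DNSSEC and claim no logs, and it checks that resolv.conf and a `dig` answer really only go through the local proxy. The CSV rows and the dig line are constructed samples; the column names assume the v1 CSV header ("DNSSEC validation", "No logs", "Name").

```sh
#!/bin/sh
# Added example, not from the original post: pick a resolver from
# dnscrypt-resolvers.csv the way the post describes (DNSSEC + no logs) and
# verify that the system only resolves through the local proxy.
# All sample data below is constructed; column names assume the v1 CSV header.

SAMPLE_CSV='Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
sample-a,Sample A,constructed row,Nowhere,,https://example.invalid,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,0000:0000,
sample-b,Sample B,constructed row,Nowhere,,https://example.invalid,1,no,yes,yes,192.0.2.11:443,2.dnscrypt-cert.example.invalid,0000:0001,
sample-c,Sample C,constructed row,Nowhere,,https://example.invalid,1,yes,no,no,192.0.2.12:443,2.dnscrypt-cert.example.invalid,0000:0002,'

pick_resolvers() {
  # $1: path to dnscrypt-resolvers.csv. Prints the Name of every resolver
  # whose "DNSSEC validation" and "No logs" columns are both "yes".
  # Columns are located by header name, so column order does not matter;
  # fields that themselves contain commas (quoted in the real file) are not handled.
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["DNSSEC validation"]) == "yes" && $(col["No logs"]) == "yes" { print $(col["Name"]) }
  ' "$1"
}

check_resolv_conf() {
  # $1: resolv.conf. Succeeds only if there is at least one nameserver and
  # every nameserver is loopback. A single 8.8.8.8 left behind means the
  # libc resolver may query it in clear text whenever the proxy is slow or down.
  awk '
    $1 == "nameserver" { n++; if ($2 !~ /^127\./) bad++ }
    END { exit (n == 0 || bad > 0) ? 1 : 0 }
  ' "$1"
}

dig_used_local_proxy() {
  # Reads `dig` output on stdin (see Note 1) and succeeds only if the
  # answering server was a loopback address, i.e. the proxy and not the ISP.
  grep -q '^;; SERVER: 127\.'
}

# Demo on scratch files so nothing under /etc is touched.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$tmp/resolvers.csv"
echo "DNSSEC + no-logs candidates: $(pick_resolvers "$tmp/resolvers.csv")"
printf 'nameserver 127.0.0.2\n' > "$tmp/resolv.conf"
check_resolv_conf "$tmp/resolv.conf" && echo "resolv.conf: loopback only" || echo "resolv.conf: LEAK"
# Constructed dig output line, in the shape dig prints its SERVER line.
printf ';; SERVER: 127.0.0.1#53(127.0.0.1)\n' | dig_used_local_proxy && echo "dig: answered by local proxy"
rm -rf "$tmp"
```

To use it for real, point pick_resolvers at the downloaded CSV, run check_resolv_conf against /etc/resolv.conf, and pipe `dig example.com` into dig_used_local_proxy. Do the resolv.conf check again after the chattr +i step in Note 2, and after a reboot, since that is when a network manager tends to put the ISP servers back.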


DNS hijacking risk

#2 Post by labbe5 »

https://yandex.com/support/browser/secu ... scrypt.xml

The DNS-server request and response are transmitted openly, without encryption.

The lack of encryption means that:

The internet provider or network administrator can find out which sites a user is visiting.
Attackers can tamper with the response from the DNS server and redirect the user to a malicious site. For example, instead of going to a bank's website, a user might end up on a fake site that steals passwords.


Installing and using Yandex web browser can be another way to have dnscrypt enabled.
How to install Yandex (for Dog-based OS) :
https://www.linuxhelp.com/install-yande ... -ubuntu-2/

To enable encryption of DNS requests:
https://yandex.com/support/browser/secu ... pt.xml#off

Click → Settings.
In the lower half of the Settings page, click Show advanced settings.
In the Network section, select Use a DNS server with DNSCrypt encryption.
Choose a DNS server from the drop-down list.
Note. We recommend selecting the Yandex DNS server.
Last edited by labbe5 on Tue 23 May 2017, 17:36, edited 2 times in total.


DNSCrypt-Loader

#3 Post by labbe5 »

https://github.com/gortcodex/dnscrypt-loader

DNSCrypt-loader is a flexible and customizable bash script to manage DNSCrypt-proxy using the command line or a Whiptail GUI. Whether you are a system administrator or a common user, this script is a handy way to set up DNSCrypt-proxy on your system.

Source code :
https://github.com/GortCodex/DNSCrypt-Loader/releases

Run DNSCrypt-loader installer as root.

On Ubuntu and Debian-based distros :
sudo ./install-loader-debian


Unbound

#4 Post by labbe5 »

https://www.ab9il.net/crypto/dnscrypt.html

You can speed up DNS queries with Unbound.

Installing and configuring the Unbound caching server (link above).

Unbound can be optionally installed alongside DNSCrypt-proxy to speed up DNS queries.

Note :

As a rule, you should try installing and configuring Unbound (or any new app) on a fresh install of a Dog-based OS, and only then install it on a save file (or folder) if all went well. In case something goes wrong, you reboot to a fresh install, and you have not broken your system.


dhcpcd config

#5 Post by labbe5 »

dhcpcd, if let alone, rewrites resolv.conf, so every time you change values, it gets erased, and replaced with original values.

There are a few ways to bypass this :

1- open resolv.conf.head :
geany /etc/resolv.conf.head
write your DNS values and save the file (for dnscrypt-proxy, it is 127.0.0.1). It can be any public DNS server. Doing so will append your values to resolv.conf permanently.

2- open dhcpcd.conf :
geany /etc/dhcpcd.conf
Add : nohook resolv.conf and save file.
Doing so will prevent the dhcp daemon from overwriting your values.
Alternatively you can add, instead of nohook :
static domain_name_servers=8.8.4.4 8.8.8.8 (or any public DNS servers)

If confronted with long hostname lookups, you can reduce the time before switching to an alternative nameserver by doing this :
geany /etc/resolv.conf and add :
options timeout:1

All above information will be useful if you try installing DNSCrypt-proxy in a Dog-based OS.
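Added example (mine, not labbe5's): the dhcpcd changes from this post done by one idempotent shell function, parameterised on a root directory so you can rehearse it on a scratch directory before running it as root against /. File paths are the ones the post uses; the nameserver defaults to 127.0.0.1 as in option 1; the scratch-directory run at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: apply the dhcpcd changes above
# with one idempotent function, parameterised on a root directory so it can
# be tried on a scratch directory first and only then run against / as root.

ensure_line() {
  # $1: file, $2: exact line. Append only if an identical line is not already
  # there, so re-running after an update never duplicates entries.
  grep -Fxq -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

pin_dhcpcd_resolver() {
  # $1: root directory ("/" for the live system), $2: proxy listen address.
  root=${1:-/}; root=${root%/}; ns=${2:-127.0.0.1}
  mkdir -p "$root/etc"
  # Option 2 from the post: stop dhcpcd's resolv.conf hook from running at all,
  # so DHCP-supplied servers never replace the proxy.
  ensure_line "$root/etc/dhcpcd.conf" "nohook resolv.conf"
  # Option 1 from the post: resolv.conf.head is used whenever the hook does
  # run, which keeps the proxy in place if nohook is ever removed again.
  ensure_line "$root/etc/resolv.conf.head" "nameserver $ns"
  ensure_line "$root/etc/resolv.conf.head" "options timeout:1"
  # Write resolv.conf now rather than waiting for the next DHCP lease; the
  # 1-second timeout is the post's remedy for slow lookups.
  printf 'nameserver %s\noptions timeout:1\n' "$ns" > "$root/etc/resolv.conf"
}

# Demo on a scratch root (constructed); running it twice shows nothing is duplicated.
scratch=$(mktemp -d)
pin_dhcpcd_resolver "$scratch" 127.0.0.1
pin_dhcpcd_resolver "$scratch" 127.0.0.1
echo "--- dhcpcd.conf";      cat "$scratch/etc/dhcpcd.conf"
echo "--- resolv.conf.head"; cat "$scratch/etc/resolv.conf.head"
echo "--- resolv.conf";      cat "$scratch/etc/resolv.conf"
rm -rf "$scratch"
```

Run it before the chattr +i step from Note 2, or lift the immutable bit first: the final write to resolv.conf fails on an immutable file, and with nohook in place the .head file is only a safety net, because dhcpcd no longer runs the hook that reads it.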


ps aux | grep dns

#6 Post by labbe5 »

In terminal :

ps aux | grep dns

output :

dnscrypt 1232 0.0 0.1 3724 2276 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.2:53
dnscrypt 1236 0.1 0.1 3724 2156 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.1:53
maccorm+ 3405 0.0 0.0 5196 892 pts/0 S+ 16:23 0:00 grep --color=auto dns

Your output should be similar.
--user=dnscrypt (unprivileged user)

My best result has been with a Fedora-based distro with NetworkManager. I think the script dnscrypt-autoinstall is configured with NetworkManager in mind. On Xenialdog using Frisbee, it is not properly configured out-of-the-box.
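Added example (mine, not labbe5's): the two things worth checking in that `ps aux` output, that the proxy runs as the unprivileged dnscrypt user and that --local-address is loopback only, turned into an awk audit so you do not have to read the lines by hand. The sample input is constructed in the column layout of the post's output; its second line is a deliberately bad process (root, 0.0.0.0) to show a failing audit. The 127.0.0.1:53 default assumed when the flag is absent is the dnscrypt-proxy 1.x default.

```sh
#!/bin/sh
# Added example, not from the original post: audit the dnscrypt-proxy
# processes that `ps aux | grep dns` shows. Checks that the proxy runs as an
# unprivileged user and binds loopback only. Sample constructed in the post's
# `ps aux` layout; the second line is a deliberately bad process.
PS_SAMPLE='dnscrypt 1232 0.0 0.1 3724 2276 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.2:53
root 1240 0.0 0.1 3724 2276 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --resolver-name=dnscrypt.eu-dk --local-address=0.0.0.0:53
maccorm+ 3405 0.0 0.0 5196 892 pts/0 S+ 16:23 0:00 grep --color=auto dns'

audit_dnscrypt_procs() {
  # Reads `ps aux` lines on stdin. Prints "<pid> <user> <local-address> OK"
  # or "... WARN: <reasons>" for each dnscrypt-proxy process and returns 1 if
  # any process warned. The grep line itself is skipped because field 11
  # (the command) is "grep", not the proxy binary.
  awk '
    $11 ~ /(^|\/)dnscrypt-proxy$/ {
      user = $1; pid = $2; reason = ""
      addr = "127.0.0.1:53"   # dnscrypt-proxy 1.x default when the flag is absent
      for (i = 12; i <= NF; i++)
        if ($i ~ /^--local-address=/) { split($i, kv, "="); addr = kv[2] }
      if (user == "root")
        reason = reason "runs as root"
      if (addr !~ /^127\./)
        reason = reason (reason == "" ? "" : "; ") "listens on " addr
      if (reason == "") print pid, user, addr, "OK"
      else { print pid, user, addr, "WARN:", reason; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Demo: the constructed sample contains one bad process, so a WARN line is
# printed and the function returns 1.
printf '%s\n' "$PS_SAMPLE" | audit_dnscrypt_procs || echo "audit failed (see WARN lines above)"
```

On a live system replace the sample with `ps aux | audit_dnscrypt_procs`. A non-loopback listen address is the more serious finding: a proxy bound to 0.0.0.0 answers DNS for anyone on the LAN, not just this machine.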


VPN not working with DNSCrypt-proxy

#7 Post by labbe5 »

If you successfully installed DNSCrypt-proxy, and wanted to use a virtual private network at the same time, you are faced with a dilemma : you only can use one or the other, not both at the same time.

This is the way DNSCrypt-proxy is configured at present, preventing the use of a VPN, such as VPNBook.

There is one option for having both at the same time : use vpn.ac. DNS requests are encrypted using vpn.ac :
https://vpn.ac/features

All DNS queries are encrypted (AES 128-bit) to protect customers against 3rd party DNS monitoring and hijacking

This team has done it right.

soniabu
Posts: 162
Joined: Thu 01 Feb 2018, 21:24
Location: Paris

dnscrypt on xenialpup64-7.5

#8 Post by soniabu »

Hello everyone, and Hi Labbe5
On my PC I have xenialpup64 7.5.
Now I added with PPM dnscrypt-proxy 1.6.1-1.
I read your writing about how to set the address 127.0.0.2 in resolv.conf,
however, as soon as I boot, I find in resolv.conf the same DNS addresses - primary and secondary - that I had set up with the internet connection wizard when I configured the static IP to connect to the internet.
In summary: I change resolv.conf to 127.0.0.2. I boot, and I find in resolv.conf the same DNS set with the internet wizard.
A loop from which I do not know how to get out, so I cannot try dnscrypt.
If you have any suggestions, I will be grateful.
P.S.
can you also tell me the command to restart the network service without me rebooting?
sorry for my bad english.
thanks Sonia
Last edited by soniabu on Thu 08 Feb 2018, 18:28, edited 1 time in total.

matchpoint
Posts: 168
Joined: Fri 26 Jan 2018, 20:54

#9 Post by matchpoint »

Hello soniabu. If you want expected results, download and install PeasyWiFi.

It'll walk you through replacing Xenial's net managers, making itself the default.


#10 Post by soniabu »

ohhh thx match
I'll try
sonia


#11 Post by matchpoint »



#12 Post by soniabu »

oh! thx again.
Better two than one.
sonia


#13 Post by soniabu »

I tried again with DNS address 127.0.0.1 and I can report that on xenialpup64 7.5 dnscrypt 1.6.1 works properly.
I set static eth0. I must inform you, however, that not all resolvers respond correctly; that is, I had to try about ten before one was able to resolve a request with dnscrypt-proxy started. I have not yet figured out what it depends on.
These are, more or less, the same resolver names that you also find in etc/share/dnscrypt-proxy/dnscrypt-resolvers.csv
However what works well for now is this:
dnscrypt-proxy -R cs-fr2
[INFO] - [cs-fr2] does not support DNS Security Extensions
[INFO] + Namecoin domains can be resolved
[INFO] + Provider supposedly does not keep logs
[NOTICE] Starting dnscrypt-proxy 1.6.1
[INFO] Generating a new session key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate is valid
[INFO] Chosen certificate #808464433 is valid from [2018-02-11] to [2018-02-12]
[INFO] Key fingerprint server is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
[NOTICE] Proxying from 127.0.0.1:53 to 212.129.46.32:443

the only thing about this resolver is that it does not verify DNSSEC
this is the result of leak test
Test complete

Query round Progress... Servers found
1 ...... 1

IP Hostname ISP Country
212.129.46.32 alors.deepdns.cryptostorm.net Free SAS France

sonia
Last edited by soniabu on Sat 10 Feb 2018, 15:51, edited 12 times in total.
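Added example (mine, not soniabu's and not the dnscrypt-proxy project's): a shell check that reads a dnscrypt-proxy 1.x startup log like the one above and decides whether the session is acceptable. It pins the server key fingerprint, refuses a resolver whose banner says it does not support DNS Security Extensions (exactly the point about cs-fr2), and confirms the proxy is listening on loopback. LOG_SAMPLE is the log from the post with the spacing normalised; EXPECTED_FP stands for the value an operator would copy from the "Provider public key" column of dnscrypt-resolvers.csv, and is an assumption here set to the logged one so the pin matches.

```sh
#!/bin/sh
# Added example, not from the original post: turn a dnscrypt-proxy 1.x
# startup log into a pass/fail check (pinned server key fingerprint, DNSSEC
# support, loopback listener). LOG_SAMPLE is the post's log, spacing
# normalised; EXPECTED_FP is an assumed operator-supplied pin.
LOG_SAMPLE='[INFO] - [cs-fr2] does not support DNS Security Extensions
[INFO] + Namecoin domains can be resolved
[INFO] + Provider supposedly does not keep logs
[NOTICE] Starting dnscrypt-proxy 1.6.1
[INFO] Generating a new session key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate is valid
[INFO] Chosen certificate #808464433 is valid from [2018-02-11] to [2018-02-12]
[INFO] Key fingerprint server is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
[NOTICE] Proxying from 127.0.0.1:53 to 212.129.46.32:443'
EXPECTED_FP='BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236'

log_fingerprint() {
  # stdin: proxy log. Prints the first 32-byte key fingerprint (16 groups of
  # 4 hex digits) regardless of the wording around it.
  grep -o '[0-9A-F]\{4\}\(:[0-9A-F]\{4\}\)\{15\}' | head -n 1
}

log_dnssec_supported() {
  # stdin: proxy log. Fails if the resolver banner says it does not support
  # DNS Security Extensions, as cs-fr2 does above.
  ! grep -q 'does not support DNS Security Extensions'
}

check_session() {
  # $1: pinned fingerprint; stdin: proxy log. Prints one verdict per check
  # and returns 1 if any check fails.
  log=$(cat); rc=0
  fp=$(printf '%s\n' "$log" | log_fingerprint)
  if [ -n "$fp" ] && [ "$fp" = "$1" ]; then echo "fingerprint: matches pinned key"
  else echo "fingerprint: MISMATCH (got ${fp:-none})"; rc=1; fi
  if printf '%s\n' "$log" | log_dnssec_supported; then echo "dnssec: validating resolver"
  else echo "dnssec: resolver does not validate DNSSEC"; rc=1; fi
  if printf '%s\n' "$log" | grep -q '^\[NOTICE\] Proxying from 127\.'; then echo "listen: loopback"
  else echo "listen: not confirmed on loopback"; rc=1; fi
  return $rc
}

# Demo: the fingerprint matches, but cs-fr2 does not validate DNSSEC, so the
# session is rejected (exit status 1).
printf '%s\n' "$LOG_SAMPLE" | check_session "$EXPECTED_FP" || echo "session rejected"
```

A matching fingerprint tells you that you reached the provider whose key you copied from the CSV and not an impostor; it says nothing about DNSSEC, which is why the two checks are separate. A resolver that does not validate DNSSEC still gives you an encrypted path to it, but forged records upstream of that resolver go through unnoticed.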


#14 Post by matchpoint »

soniabu, the original source looks deprecated.

Is your connection wired, wireless or possibly mobile? Other?


#15 Post by soniabu »

UP


#16 Post by matchpoint »

Got it going Sonia? Good!

Updated project info here: https://github.com/dyne/dnscrypt-proxy/ ... E.markdown

The 12/2018 maintainer note I'm sure is a typo.

Current lists and "How do I benchmark performance of external DNS lookups?" should help you sort the rest.


DNSCrypt Proxy 2

#17 Post by labbe5 »

DNSCrypt Proxy 2 : a flexible DNS proxy with support for encrypted DNS protocols, like DNSCrypt v2 and DNS-over-HTTPS.

DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It turns regular DNS traffic into encrypted DNS traffic that's protected from spying, spoofing, or man-in-the-middle attacks, thus improving the user's online security and privacy.

For information only : https://www.linuxuprising.com/2018/10/i ... prising%29

Tutorial is for Ubuntu 18.10 with NetworkManager, not compatible with Puppy or Dog.

As a commentary, if you use a VPN, it is possible that DNS is managed by your VPN and is encrypted using its own servers. Secondly, if you have setup your router for Cloudflare to manage your DNS, it is encrypted. Thirdly, as an easy solution, you may use an OS such as Kodachi which uses DNSCrypt.
Finally, Firefox comes with Enable DNS over HTTPS. Look for it in Network Settings. By default it is not used; have it activated.
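Added example (mine, not labbe5's and not the dnscrypt-proxy project's): for DNSCrypt Proxy 2 the same properties this thread keeps coming back to (loopback listener, DNSSEC-validating and non-logging resolvers) are plain settings in dnscrypt-proxy.toml rather than command-line flags. Below is a weak configuration beside a hardened one, with a small shell linter that tells them apart. The option names are the ones used in dnscrypt-proxy 2's example-dnscrypt-proxy.toml; both configurations are constructed samples, not a copy of any shipped file.

```sh
#!/bin/sh
# Added example, not from the original post or the dnscrypt-proxy project:
# a weak and a hardened dnscrypt-proxy 2 configuration (constructed samples
# using the option names from example-dnscrypt-proxy.toml) and a linter
# that flags the weak settings.
WEAK_TOML="listen_addresses = ['0.0.0.0:53']
require_dnssec = false
require_nolog = false
require_nofilter = false"

HARDENED_TOML="listen_addresses = ['127.0.0.1:53', '[::1]:53']
require_dnssec = true
require_nolog = true
require_nofilter = true"

lint_dnscrypt2_toml() {
  # stdin: dnscrypt-proxy.toml. Prints one finding per weak setting and
  # returns 1 if there was any. Only simple "key = value" lines are parsed.
  awk -F'=' '
    { key = $1; val = $2; gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val) }
    key == "listen_addresses" && val ~ /0\.0\.0\.0|\[::\]/ {
      print "listen_addresses: proxy reachable from other hosts, not just this one"; bad = 1 }
    key == "require_dnssec" && val !~ /^true/ {
      print "require_dnssec: resolvers that do not validate DNSSEC are allowed"; bad = 1 }
    key == "require_nolog" && val !~ /^true/ {
      print "require_nolog: logging resolvers are allowed"; bad = 1 }
    END { exit (bad ? 1 : 0) }
  '
}

printf '%s\n' "$WEAK_TOML" | lint_dnscrypt2_toml || echo "weak config rejected"
printf '%s\n' "$HARDENED_TOML" | lint_dnscrypt2_toml && echo "hardened config passes"
```

With require_dnssec and require_nolog set, dnscrypt-proxy 2 filters the resolver list for you, so the manual CSV sorting from the first post is no longer needed; the listen address still deserves a look, because a proxy on 0.0.0.0 serves the whole LAN.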
