[TUT]enable DNS encryption by using dnscrypt-proxy

kurotsugi
Posts: 2214
Joined: 09 Jan 2014 00:17


Postby kurotsugi » 05 Jul 2019 06:38

in the age of enhancing security over the network, DNS is among the last pieces which rely on old, unsafe technology. as with HTTPS technology, DNS encryption adds a security layer to ensure that no one can snoop on your DNS queries. I won't go deep into what the technology is and how it works. this tutorial only covers how to enable DNS encryption for your DNS queries by using dnscrypt-proxy.

why should I choose dnscrypt-proxy?, you might ask. well, dnscrypt-proxy is:
- simple. install it and leave it. well...sort of
- feature rich. of course, it supports the dnscrypt protocol but it also supports the DNS over HTTPS (DoH) and DNS over TLS (DoT) protocols. it also has more features and offers tons of customization
- our repo has it.

please don't get confused by its name. in this case we only use dnscrypt-proxy as a client. which protocol is used depends on the DNS server. now, let's get started :3

1. Installing dnscrypt-proxy
simply do,

sudo apt-get install dnscrypt-proxy

it will install dnscrypt-proxy and its dependencies. at this point dnscrypt-proxy is ready to roll.

2. configure dhcp
by default your dns queries are sent through localhost (127.0.0.1). in debian, dnscrypt-proxy is using 127.0.2.1, so we'll have to manually adjust our system. there are two ways to do it.
a. using the network manager settings
- right click on the network manager icon (wifi/network picture). click edit connections.
- choose the connection. click customize (gear picture in the bottom left)
- click ipv4 settings. choose "automatic (dhcp) addresses only". insert 127.0.2.1 in your dns address setting
this method is easy. though, you need to edit all your connections in order to use dnscrypt-proxy. my preferred way is....
b. using the dhcp settings
- open /etc/dhcp/dhclient.conf
- search for this line

prepend domain-name-servers

- uncomment that line and insert our address. it should be something like this

prepend domain-name-servers 127.0.2.1, 1.1.1.1;

the second address is a backup address, which is cloudflare's dns. with this method, every time you connect to the internet you'll use these addresses. the last method is....manually editing /etc/resolv.conf

nameserver 127.0.2.1
nameserver 1.1.1.1

the problem with this method is that /etc/resolv.conf is rewritten every time you connect to a network.

3. test the connection
at this point your system is protected with dns encryption. you can check your connection with the "dig" command. you'll have to install dnsutils to get this command. for example, this command

dig solydxk.com

will give you this result

dig solydxk.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> solydxk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59085
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("....................................................................")
;; QUESTION SECTION:
;solydxk.com.			IN	A

;; ANSWER SECTION: 
solydxk.com.		1778	IN	A	81.169.195.233

;; Query time: 0 msec
;; SERVER: 127.0.2.1#53(127.0.2.1)
;; WHEN: Fri Jul 05 14:10:07 WIB 2019
;; MSG SIZE  rcvd: 128
if your setup is correct you'll see this line

;; SERVER: 127.0.2.1#53(127.0.2.1)

NOTES
1. the default resolver would be cloudflare's dns. I think I should mention it since some of you might hate corporates like cloudflare. of course, you can change the resolver to google's or other server. you can check the available server from here https://download.dnscrypt.info/resolver ... solvers.md

2. firefox is using its own resolver. you should disable it by changing this value

trr = 1

to 5 or 0 to make it work.

references:
https://wiki.archlinux.org/index.php/Dnscrypt-proxy
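the check in step 3 comes down to reading the dig output by eye. as an added example (not part of the tutorial above, and not code from the dnscrypt-proxy project), the small script below parses a captured dig output and reports whether the query went to the dnscrypt-proxy listener and whether the answer carries the "ad" flag, which a DNSSEC-validating resolver sets on validated answers. the first sample is abridged from the dig output shown above; the second is a constructed counter-example of a query that bypassed the proxy and went to a router in plain DNS. the listener address 127.0.2.1:53 is the debian default from the tutorial; pass a different one if you changed the socket unit.

```python
import re

# Sample 1: abridged from the tutorial's own dig output (query answered by dnscrypt-proxy's listener).
DIG_VIA_PROXY = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> solydxk.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59085
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
solydxk.com.        1778    IN      A       81.169.195.233

;; Query time: 0 msec
;; SERVER: 127.0.2.1#53(127.0.2.1)
"""

# Sample 2: constructed counter-example. the stub resolver talked to a LAN router (192.168.1.1)
# instead of dnscrypt-proxy; the upstream happened to validate DNSSEC and set the "ad" flag,
# but the query itself left the machine unencrypted.
DIG_BYPASS = """\
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> solydxk.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
solydxk.com.        300     IN      A       81.169.195.233

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

# ";; SERVER: <ip>#<port>(<ip>)" is the line the tutorial tells you to look for.
SERVER_RE = re.compile(r"^;; SERVER: (?P<ip>[^#\s]+)#(?P<port>\d+)", re.M)
# ";; flags: qr rd ra ad; QUERY: ..." -> the header flags up to the first ';'
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);", re.M)
STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")


def check_dig_output(text, listener="127.0.2.1", port=53):
    """Parse dig output and report where the query went and how it was answered.

    listener/port: the address dnscrypt-proxy listens on (debian default 127.0.2.1:53).
    Returns a dict; 'via_proxy' is True only if the SERVER line names that listener.
    """
    server = SERVER_RE.search(text)
    flags = FLAGS_RE.search(text)
    status = STATUS_RE.search(text)
    flag_set = set(flags.group("flags").split()) if flags else set()
    via_proxy = (
        server is not None
        and server.group("ip") == listener
        and int(server.group("port")) == port
    )
    return {
        "server": f"{server.group('ip')}#{server.group('port')}" if server else None,
        "status": status.group("status") if status else None,
        "via_proxy": via_proxy,
        # "ad" (authenticated data) means the resolver that answered validated DNSSEC.
        "dnssec_validated": "ad" in flag_set,
    }


def verdict(text, listener="127.0.2.1", port=53):
    """One-line human-readable summary, e.g. for a post-install sanity script."""
    r = check_dig_output(text, listener, port)
    if r["server"] is None:
        return "no SERVER line found: dig did not get an answer"
    route = "via dnscrypt-proxy" if r["via_proxy"] else f"BYPASSED dnscrypt-proxy (went to {r['server']})"
    dnssec = "DNSSEC-validated" if r["dnssec_validated"] else "not DNSSEC-validated"
    return f"{r['status']}: {route}, {dnssec}"


if __name__ == "__main__":
    # with a live system you would feed it: subprocess.run(["dig", "solydxk.com"], capture_output=True, text=True).stdout
    print(verdict(DIG_VIA_PROXY))
    print(verdict(DIG_BYPASS))
```

note what the SERVER line does and does not prove: it shows that the stub resolver on this machine talked to the local listener, which is exactly what steps 2 and 3 set up. whether the second leg (dnscrypt-proxy to the upstream resolver) is encrypted is decided by dnscrypt-proxy's own resolver configuration, not by anything visible in dig's output.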

kurotsugi
Posts: 2214
Joined: 09 Jan 2014 00:17

Re: [TUT]enable DNS encryption by using dnscrypt-proxy

Postby kurotsugi » 05 Jul 2019 08:08

================================
========= Q&A SECTION ==========
================================

Q: I've enabled DNS encryption. does that mean I'm totally safe now?
A: I'm afraid not.
dns encryption is protecting you from dns spoofing, yes. but it doesn't protect you from other kinds of attack/risk. to get a better result it is actually recommended to further secure your system with DNSSEC or other technology related to DNS.

Q: OK, how can I do that?
A: open /etc/dnscrypt-proxy/dnscrypt-proxy.toml and add this line

require_dnssec = true
you can also change the default resolver from there.

Q: what is dnssec? how does it work?
A: in layman's terms, it ensures that all dns answers come from a valid dns server. hence, it protects you from a bogus dns server.

Q: That sounds good. anyway, with DoH or whatever we use here, my privacy is now fully protected. right?
A: Unfortunately, no. there's still a "trust" issue between you and the dns server. even when a dns provider says that it doesn't keep whatever information it has about you, with the current "legal" situation in the US you can never 100% trust the dns provider. to further protect your privacy, you should enable a local dns cache to limit the dns queries over the network

Q: OK, how can I do that?
A: you can use unbound, dnsmasq, or pdnsd to create a local dns resolver

Q: please....I'm just a noob here :roll:
A: fortunately, dnscrypt-proxy supports a local dns cache. simply add this line to your configuration

cache = true

it will create a cache of your dns queries, so that it won't ask the dns server for the same address again.

Q: done, btw why should we use 127.0.2.1 instead of the common 127.0.0.1? dnscrypt-proxy should work OOTB if we use 127.0.0.1 without modifying the dhcp settings. right?
A: you seem quite knowledgeable for a noob :lol:
dns encryption is a new technology so one or two things might not work. personally I have no issue with it but the developer decided to be careful with it.

Q: where can I change this configuration?
A: the configuration is stored in /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket

[Unit]
Description=dnscrypt-proxy listening socket
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Before=nss-lookup.target
Wants=nss-lookup.target
Wants=dnscrypt-proxy-resolvconf.service

[Socket]
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53
NoDelay=true
DeferAcceptSec=1

[Install]
WantedBy=sockets.target
you can change the ListenStream and ListenDatagram values to your own liking. if the setting is 127.0.0.1:53, dnscrypt-proxy should work OOTB on every system without further modification
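the Q&A above mentions three settings (require_dnssec, cache, and the resolver choice) one at a time. as an added example, not taken from the poster's system or from the dnscrypt-proxy project's shipped file, here is how they fit together in /etc/dnscrypt-proxy/dnscrypt-proxy.toml, with the out-of-the-box values shown in comments next to the tightened ones. it assumes the dnscrypt-proxy 2.x configuration keys and the debian socket-activation setup shown in the unit above, where the listen address comes from the .socket file rather than from the toml.

```toml
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml (excerpt; added example, not the poster's file)

# with systemd socket activation (debian), the address comes from
# dnscrypt-proxy.socket (ListenStream/ListenDatagram), so this stays empty.
listen_addresses = []

# which upstream resolvers to use. names come from the public resolver list
# linked in the tutorial's notes; 'cloudflare' is the default the notes mention.
# default: server_names = ['cloudflare']
server_names = ['cloudflare']

# only pick resolvers that validate DNSSEC, as the Q&A recommends.
# default: require_dnssec = false
require_dnssec = true

# only pick resolvers that advertise no logging and no filtering.
# these do not remove the "trust" issue from the Q&A; they only narrow the pool
# to resolvers that claim those properties.
require_nolog = true
require_nofilter = true

# local cache so repeated lookups are answered on the machine and never leave it.
# default: cache = true (check your installed file; enable it explicitly either way)
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
```

after editing, restart the service (sudo systemctl restart dnscrypt-proxy) and repeat the dig check from step 3 of the tutorial; the SERVER line should still show the address from the socket unit.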

Arjen Balfoort
Site Admin
Posts: 9223
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: [TUT]enable DNS encryption by using dnscrypt-proxy

Postby Arjen Balfoort » 05 Jul 2019 12:07

I have deleted our previous posts so that the Q&A directly follows the tutorial.


kurotsugi
Posts: 2214
Joined: 09 Jan 2014 00:17

Re: [TUT]enable DNS encryption by using dnscrypt-proxy

Postby kurotsugi » 05 Jul 2019 13:00

thanks :3
