diff --git a/dnscrypt/index.md b/dnscrypt/index.md index c458fef..181f1a0 100644 --- a/dnscrypt/index.md +++ b/dnscrypt/index.md @@ -65,4 +65,128 @@ First of all, if we were to figure out which of these protocols protects us, we' | Detectability | ❎️The protocol has its own standard port (853/TCP) which makes it super easy to detect for a 3rd party | ✅ The protocol blends in with HTTPS traffic, which makes it much harder to detect | ✳️ Although DNSCrypt listens on port 443 (UDP/TCP, the same port as HTTPS) which makes surface-level detection much harder, the use of a custom protocol may allow for detection on DPIs that are written to distinguish DNSCrypt's protocol from TLS/SSL protocol | ✅ A 3rd party adversary would not be able to detect DNS usage from the Tor/VPN traffic | ✅ The traffic from the local DNS server appears just like any other DNS query | | Anonymity | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✅ DNSCrypt has a feature called Anonymized DNS, where instead of connecting to a DNSCrypt server directly, a user can connect through a relay DNSCrypt server to relay data over to that server. | ✅ Tor offers anonymity protection (maybe same thing for VPN but a little different) | ❎️ Unencrypted authoritative DNS queries (done by the local DNS server) can allow the user to be deanonymized by a 3rd party adversary | +## How to set up +### DNS over TLS + +For most Debian-like distributions, systemd-resolved may already be used and pre-installed. + +1. Enable `systemd-resolved`, if not enabled already. + + ```bash + root@localhost:~# systemctl enable --now systemd-resolved + ``` + +2. Edit `systemd-resolved`'s configuration file to use DNS-over-TLS and a DoT server of your choice. + + ```bash + root@localhost:~# vim /etc/systemd/resolved.conf + ``` + + This example configuration will use Quad9's DoT server. + + ```ini + [Resolve] + DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net + DNSSEC=yes + DNSOverTLS=yes + Domains=~. + ``` + +3. Restart `systemd-resolved` to use the new configuration. + + ```bash + root@localhost:~# systemctl restart systemd-resolved + ``` + +### DNS over HTTPS and DNSCrypt + +We'll be using `dnscrypt-proxy` for this section of the tutorial, which offers support for both DNS over HTTPS and DNSCrypt. + +1. Create a directory for `dnscrypt-proxy`, This can be anywhere from your home directory to a directory in /opt. + We'll be creating `/opt/dnscrypt-proxy` in this tutorial. + + ```bash + root@localhost:~# mkdir -p /opt/dnscrypt-proxy + root@localhost:~# cd /opt/dnscrypt-proxy/ + ``` + +2. Download a prebuilt version of `dnscrypt-proxy`, You can pick which CPU architecture is in your system from [the list of dnscrypt-proxy binaries](https://github.com/jedisct1/dnscrypt-proxy/releases/latest) + We'll be downloading 2.1.12 for x86_64 in this tutorial. + + Example: + + ```bash + root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz + ``` +3. (Optional) Download and verify the minisign signature of the tar file + + Install minisign and download the minisig file for the binary you downloaded + + Example: + + ```bash + root@localhost:/opt/dnscrypt-proxy# apt install minisign + root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz.minisig + ``` + + Verify the minisig file with the official `dnscrypt-proxy` public key + + ```bash + root@localhost:/opt/dnscrypt-proxy# minisign -Vm dnscrypt-proxy-*.tar.gz -P RWTk1xXqcTODeYttYMCMLo0YJHaFEHn7a3akqHlb/7QvIQXHVPxKbjB5 + ``` + + If everything is fine, it should say: `Signature and comment signature verified` + +4. Extract the tar file. All the files should be in a sub-directory in the tar file, so files have to be moved back to the current directory. + + Example: + ```bash + root@localhost:/opt/dnscrypt-proxy# tar -xvf dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz + root@localhost:/opt/dnscrypt-proxy# mv linux-x86_64/* . + root@localhost:/opt/dnscrypt-proxy# rmdir linux-x86_64 + ``` +5. Disable any other DNS resolvers running. You can check with `ss -lp 'sport = :domain'`. + Our example machine is currently running `systemd-resolved`, so we will disable and stop that. + + ```bash + root@localhost:/opt/dnscrypt-proxy# systemctl stop systemd-resolved + root@localhost:/opt/dnscrypt-proxy# systemctl disable systemd-resolved + ``` + +6. Copy the example configuration file, and start `dnscrypt-proxy` to see if it works. + + ```bash + root@localhost:/opt/dnscrypt-proxy# cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml + root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy + ``` + +7. While `dnscrypt-proxy` is running, back up `/etc/resolv.conf` and create a new one using `dnscrypt-proxy`'s DNS port + + ```bash + root@localhost:/opt/dnscrypt-proxy# mv /etc/resolv.conf /etc/resolv.conf.bak + root@localhost:/opt/dnscrypt-proxy# vim /etc/resolv.conf + ``` + + The contents of `/etc/resolv.conf` should be written like this: + + ``` + nameserver 127.0.0.1 + options edns0 + ``` + Afterwards, test if `dnscrypt-proxy` is working by resolving `example.com` with it. + + ```bash + root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -resolve example.com + ``` + + If it was able to resolve `example.com`, congratulations, `dnscrypt-proxy` is now working. + +8. Close the running `dnscrypt-proxy`, install it as a service and start it up! + + ```bash + root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service install + root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service start + ``` + +Now we are onto configuring `dnscrypt-proxy` to use DoH and/or DNSCrypt.