oxeo0/opsec-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/opsec-blogposts.git synced 2025-06-08 00:59:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

setup guide

Browse source
This commit is contained in:
cynthia 2025-06-03 22:03:23 +01:00
parent 248522aaf5
commit a676f2eccd
1 changed files with 124 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

124
dnscrypt/index.md
View file

@ -65,4 +65,128 @@ First of all, if we were to figure out which of these protocols protects us, we'
| Detectability | ❎The protocol has its own standard port (853/TCP) which makes it super easy to detect for a 3rd party | ✅ The protocol blends in with HTTPS traffic, which makes it much harder to detect | ✳️ Although DNSCrypt listens on port 443 (UDP/TCP, the same port as HTTPS) which makes surface-level detection much harder, the use of a custom protocol may allow for detection on DPIs that are written to distinguish DNSCrypt's protocol from TLS/SSL protocol | ✅ A 3rd party adversary would not be able to detect DNS usage from the Tor/VPN traffic | ✅ The traffic from the local DNS server appears just like any other DNS query |
| Anonymity | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✅ DNSCrypt has a feature called Anonymized DNS, where instead of connecting to a DNSCrypt server directly, a user can connect through a relay DNSCrypt server to relay data over to that server. | ✅ Tor offers anonymity protection (maybe same thing for VPN but a little different) | ❎️ Unencrypted authoritative DNS queries (done by the local DNS server) can allow the user to be deanonymized by a 3rd party adversary |
## How to set up
### DNS over TLS
For most Debian-like distributions, systemd-resolved may already be used and pre-installed.
1. Enable `systemd-resolved`, if not enabled already.
```bash
root@localhost:~# systemctl enable --now systemd-resolved
```
2. Edit `systemd-resolved`'s configuration file to use DNS-over-TLS and a DoT server of your choice.
```bash
root@localhost:~# vim /etc/systemd/resolved.conf
```
This example configuration will use Quad9's DoT server.
```ini
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes
Domains=~.
```
3. Restart `systemd-resolved` to use the new configuration.
```bash
root@localhost:~# systemctl restart systemd-resolved
```
### DNS over HTTPS and DNSCrypt
We'll be using `dnscrypt-proxy` for this section of the tutorial, which offers support for both DNS over HTTPS and DNSCrypt.
1. Create a directory for `dnscrypt-proxy`, This can be anywhere from your home directory to a directory in /opt.
We'll be creating `/opt/dnscrypt-proxy` in this tutorial.
```bash
root@localhost:~# mkdir -p /opt/dnscrypt-proxy
root@localhost:~# cd /opt/dnscrypt-proxy/
```
2. Download a prebuilt version of `dnscrypt-proxy`, You can pick which CPU architecture is in your system from [the list of dnscrypt-proxy binaries](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
We'll be downloading 2.1.12 for x86_64 in this tutorial.
Example:
```bash
root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz
```
3. (Optional) Download and verify the minisign signature of the tar file
Install minisign and download the minisig file for the binary you downloaded
Example:
```bash
root@localhost:/opt/dnscrypt-proxy# apt install minisign
root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz.minisig
```
Verify the minisig file with the official `dnscrypt-proxy` public key
```bash
root@localhost:/opt/dnscrypt-proxy# minisign -Vm dnscrypt-proxy-*.tar.gz -P RWTk1xXqcTODeYttYMCMLo0YJHaFEHn7a3akqHlb/7QvIQXHVPxKbjB5
```
If everything is fine, it should say: `Signature and comment signature verified`
4. Extract the tar file. All the files should be in a sub-directory in the tar file, so files have to be moved back to the current directory.
Example:
```bash
root@localhost:/opt/dnscrypt-proxy# tar -xvf dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz
root@localhost:/opt/dnscrypt-proxy# mv linux-x86_64/* .
root@localhost:/opt/dnscrypt-proxy# rmdir linux-x86_64
```
5. Disable any other DNS resolvers running. You can check with `ss -lp 'sport = :domain'`.
Our example machine is currently running `systemd-resolved`, so we will disable and stop that.
```bash
root@localhost:/opt/dnscrypt-proxy# systemctl stop systemd-resolved
root@localhost:/opt/dnscrypt-proxy# systemctl disable systemd-resolved
```
6. Copy the example configuration file, and start `dnscrypt-proxy` to see if it works.
```bash
root@localhost:/opt/dnscrypt-proxy# cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy
```
7. While `dnscrypt-proxy` is running, back up `/etc/resolv.conf` and create a new one using `dnscrypt-proxy`'s DNS port
```bash
root@localhost:/opt/dnscrypt-proxy# mv /etc/resolv.conf /etc/resolv.conf.bak
root@localhost:/opt/dnscrypt-proxy# vim /etc/resolv.conf
```
The contents of `/etc/resolv.conf` should be written like this:
```
nameserver 127.0.0.1
options edns0
```
Afterwards, test if `dnscrypt-proxy` is working by resolving `example.com` with it.
```bash
root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -resolve example.com
```
If it was able to resolve `example.com`, congratulations, `dnscrypt-proxy` is now working.
8. Close the running `dnscrypt-proxy`, install it as a service and start it up!
```bash
root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service install
root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service start
```
Now we are onto configuring `dnscrypt-proxy` to use DoH and/or DNSCrypt.