setup guide

dnscrypt/index.md

@@ -65,4 +65,128 @@ First of all, if we were to figure out which of these protocols protects us, we'
 | Detectability | ❎️The protocol has its own standard port (853/TCP) which makes it super easy to detect for a 3rd party | ✅ The protocol blends in with HTTPS traffic, which makes it much harder to detect | ✳️ Although DNSCrypt listens on port 443 (UDP/TCP, the same port as HTTPS) which makes surface-level detection much harder, the use of a custom protocol may allow for detection on DPIs that are written to distinguish DNSCrypt's protocol from TLS/SSL protocol | ✅ A 3rd party adversary would not be able to detect DNS usage from the Tor/VPN traffic | ✅ The traffic from the local DNS server appears just like any other DNS query |
 | Anonymity     | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✅ DNSCrypt has a feature called Anonymized DNS, where instead of connecting to a DNSCrypt server directly, a user can connect through a relay DNSCrypt server to relay data over to that server. | ✅ Tor offers anonymity protection (maybe same thing for VPN but a little different) | ❎️ Unencrypted authoritative DNS queries (done by the local DNS server) can allow the user to be deanonymized by a 3rd party adversary |
 
+## How to set up
 
+### DNS over TLS
+
+For most Debian-like distributions, systemd-resolved may already be used and pre-installed.
+
+1. Enable `systemd-resolved`, if not enabled already.
+
+    ```bash
+    root@localhost:~# systemctl enable --now systemd-resolved
+    ```
+
+2. Edit `systemd-resolved`'s configuration file to use DNS-over-TLS and a DoT server of your choice.
+
+    ```bash
+    root@localhost:~# vim /etc/systemd/resolved.conf
+    ```
+
+    This example configuration will use Quad9's DoT server.
+
+    ```ini
+    [Resolve]
+    DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+    DNSSEC=yes
+    DNSOverTLS=yes
+    Domains=~.
+    ```
+
+3. Restart `systemd-resolved` to use the new configuration.
+
+    ```bash
+    root@localhost:~# systemctl restart systemd-resolved
+    ```
+
+### DNS over HTTPS and DNSCrypt
+
+We'll be using `dnscrypt-proxy` for this section of the tutorial, which offers support for both DNS over HTTPS and DNSCrypt.
+
+1. Create a directory for `dnscrypt-proxy`, This can be anywhere from your home directory to a directory in /opt.
+    We'll be creating `/opt/dnscrypt-proxy` in this tutorial.
+
+    ```bash
+    root@localhost:~# mkdir -p /opt/dnscrypt-proxy
+    root@localhost:~# cd /opt/dnscrypt-proxy/
+    ```
+
+2. Download a prebuilt version of `dnscrypt-proxy`, You can pick which CPU architecture is in your system from [the list of dnscrypt-proxy binaries](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
+    We'll be downloading 2.1.12 for x86_64 in this tutorial.
+
+    Example:
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz
+    ```
+3. (Optional) Download and verify the minisign signature of the tar file
+
+    Install minisign and download the minisig file for the binary you downloaded
+
+    Example:
+
+    ```bash 
+    root@localhost:/opt/dnscrypt-proxy# apt install minisign
+    root@localhost:/opt/dnscrypt-proxy# curl -L -O https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.12/dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz.minisig
+    ```
+
+    Verify the minisig file with the official `dnscrypt-proxy` public key
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# minisign -Vm dnscrypt-proxy-*.tar.gz -P RWTk1xXqcTODeYttYMCMLo0YJHaFEHn7a3akqHlb/7QvIQXHVPxKbjB5
+    ```
+
+    If everything is fine, it should say: `Signature and comment signature verified`
+
+4. Extract the tar file. All the files should be in a sub-directory in the tar file, so files have to be moved back to the current directory.
+
+    Example:
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# tar -xvf dnscrypt-proxy-linux_x86_64-2.1.12.tar.gz
+    root@localhost:/opt/dnscrypt-proxy# mv linux-x86_64/* .
+    root@localhost:/opt/dnscrypt-proxy# rmdir linux-x86_64
+    ```
+5. Disable any other DNS resolvers running. You can check with `ss -lp 'sport = :domain'`.
+    Our example machine is currently running `systemd-resolved`, so we will disable and stop that.
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# systemctl stop systemd-resolved
+    root@localhost:/opt/dnscrypt-proxy# systemctl disable systemd-resolved
+    ```
+
+6. Copy the example configuration file, and start `dnscrypt-proxy` to see if it works.
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
+    root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy 
+    ```
+
+7. While `dnscrypt-proxy` is running, back up `/etc/resolv.conf` and create a new one using `dnscrypt-proxy`'s DNS port
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# mv /etc/resolv.conf /etc/resolv.conf.bak
+    root@localhost:/opt/dnscrypt-proxy# vim /etc/resolv.conf
+    ```
+
+    The contents of `/etc/resolv.conf` should be written like this:
+
+    ```
+    nameserver 127.0.0.1
+    options edns0
+    ```
+    Afterwards, test if `dnscrypt-proxy` is working by resolving `example.com` with it.
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -resolve example.com
+    ```
+
+    If it was able to resolve `example.com`, congratulations, `dnscrypt-proxy` is now working.
+
+8. Close the running `dnscrypt-proxy`, install it as a service and start it up!
+
+    ```bash
+    root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service install
+    root@localhost:/opt/dnscrypt-proxy# ./dnscrypt-proxy -service start
+    ```
+
+Now we are onto configuring `dnscrypt-proxy` to use DoH and/or DNSCrypt.