oxeo0/opsec-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/opsec-blogposts.git synced 2025-06-08 03:09:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

local dns

Browse source
This commit is contained in:
cynthia 2025-06-04 18:18:23 +01:00
parent 8bf1477176
commit b5c57df944
1 changed files with 56 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

64
dnscrypt/index.md
View file

@ -65,6 +65,12 @@ First of all, if we were to figure out which of these protocols protects us, we'
| Detectability | ❎The protocol has its own standard port (853/TCP) which makes it super easy to detect for a 3rd party | ✅ The protocol blends in with HTTPS traffic, which makes it much harder to detect | ✳️ Although DNSCrypt listens on port 443 (UDP/TCP, the same port as HTTPS) which makes surface-level detection much harder, the use of a custom protocol may allow for detection on DPIs that are written to distinguish DNSCrypt's protocol from TLS/SSL protocol | ✅ A 3rd party adversary would not be able to detect DNS usage from the Tor/VPN traffic | ✅ The traffic from the local DNS server appears just like any other DNS query |
| Anonymity | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✳️ The protocol does not offer built-in anonymity protection, but it can be used over Tor. | ✅ DNSCrypt has a feature called Anonymized DNS, where instead of connecting to a DNSCrypt server directly, a user can connect through a relay DNSCrypt server to relay data over to that server. | ✅ Tor offers anonymity protection (maybe same thing for VPN but a little different) | ❎️ Unencrypted authoritative DNS queries (done by the local DNS server) can allow the user to be deanonymized by a 3rd party adversary |
In conclusion:
* If you want speed and privacy, use DNSCrypt
* If you want to be 100% undetectable, use DNS-over-HTTPS
* If you want anonymity, use DNS over Tor or Anonymized DNS in DNSCrypt
## How to set up
### DNS over TLS
@ -301,7 +307,7 @@ routes = [
root@localhost:~# vim /etc/tor/torrc
```
Add this to the file:
Add this at the end of the file:
```
DNSPort 53
@ -328,24 +334,66 @@ routes = [
5. Start up Tor.
```bash
root@localhost:~# systemctl start tor
root@localhost:~# systemctl enable --now tor
```
6. Now try pinging a site to test out if the Tor DNS works.
```bash
root@localhost:~# ping example.com
```
If you get something like:
```
PING example.com (23.192.228.80) 56(84) bytes of data.
64 bytes from a23-192-228-80.deploy.static.akamaitechnologies.com (23.192.228.80): icmp_seq=1 ttl=255 time=190 ms
64 bytes from 23.192.228.80 (23.192.228.80): icmp_seq=2 ttl=255 time=190 ms
```
Then, congratulations, Tor's DNS is now working.
If you get something like the above, then congratulations, Tor's DNS is now working.
If it doesn't work or says something like `ping: example.com: Temporary failure in name resolution`, try restarting Tor and try again.
### Local DNS
We'll be using `unbound` as our DNS resolver server.
1. Install `unbound`
```bash
root@localhost:~# apt install unbound
```
2. Disable any other DNS resolvers currently running. You can check with `ss -lp 'sport = :domain'`.
Our example machine is currently running `systemd-resolved`, so we will disable and stop that.
```bash
root@localhost:~# systemctl stop systemd-resolved
root@localhost:~# systemctl disable systemd-resolved
```
3. Backup the existing `resolv.conf`, and make a new one configuring the system to resolve DNS queries through Tor
```bash
root@localhost:~# mv /etc/resolv.conf /etc/resolv.conf.bak
root@localhost:~# vim /etc/resolv.conf
```
The contents of `/etc/resolv.conf` should be written like this:
```
nameserver 127.0.0.1
```
4. Start up unbound.
```bash
root@localhost:~# systemctl enable --now unbound
```
5. Now try pinging a site to test out if the local DNS works.
```bash
root@localhost:~# ping example.com
PING example.com (96.7.128.175) 56(84) bytes of data.
64 bytes from a96-7-128-175.deploy.static.akamaitechnologies.com (96.7.128.175): icmp_seq=1 ttl=255 time=198 ms
64 bytes from a96-7-128-175.deploy.static.akamaitechnologies.com (96.7.128.175): icmp_seq=2 ttl=255 time=197 ms
```
If you get something like the above, then congratulations, unbound is now working.
If it doesn't work or says something like `ping: example.com: Temporary failure in name resolution`, try restarting unbound and try again.