How to Encrypt Your DNS for More Secure Browsing

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
Implementations are available for most operating systems, including Linux, OSX, Android, iOS, BSD and Windows.
DNSCrypt is not affiliated with any company or organization, is a documented protocol using highly secure, non-NIST cryptography, and its reference implementations are open source and released under a very liberal license.
Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity.

We will use DNSCrypt to encrypt our DNS requests, and Unbound as a local DNS cache. This lets us avoid our VPS provider's DNS servers, and will also be useful to your future VPN clients, which will be able to use your VPN server as their DNS server too if they wish to (e.g. mobile phones). Both dnscrypt-proxy and unbound will listen on localhost only, not on the outside. They will nonetheless be reachable later by your VPN clients through the VPN tunnel, using a firewall redirection.
$ export PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.9/packages/amd64/
$ sudo pkg_add dnscrypt-proxy
$ sudo vi /etc/rc.local
# DNSCrypt
/usr/local/sbin/dnscrypt-proxy -a 127.0.0.1:40 -u _dnscrypt-proxy -d -l /dev/null -R dnscrypt.eu-dk

You can choose your dnscrypt-enabled DNS server from the following list (choose a logless, DNSSEC-enabled one). Then start dnscrypt-proxy now, with the same options as in rc.local:
$ sudo /usr/local/sbin/dnscrypt-proxy -a 127.0.0.1:40 -u _dnscrypt-proxy -d -l /dev/null -R dnscrypt.eu-dk
We now configure and enable unbound, already included in the base system. Unbound will drop privileges and will be chrooted in /var/unbound:
$ sudo vi /var/unbound/etc/unbound.conf
server:
    username: _unbound
    directory: /var/unbound
    chroot: /var/unbound
    do-not-query-localhost: no
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.8.0.0/24 allow
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
forward-zone:
    name: "."                   # use for ALL queries
    forward-addr: 127.0.0.1@40  # dnscrypt-proxy

Do not forget to modify your /etc/resolv.conf:
$ sudo vi /etc/resolv.conf
nameserver 127.0.0.1 # unbound is listening there at port 53
Run Unbound, and enable it to launch at startup:
$ sudo /etc/rc.d/unbound start
$ sudo vi /etc/rc.conf.local
# Unbound
unbound_flags="-c /var/unbound/etc/unbound.conf"

Test that your DNS chain is working:
$ host openbsd.org
openbsd.org has address 129.128.5.194
openbsd.org mail is handled by 6 shear.ucar.edu.
openbsd.org mail is handled by 10 cvs.openbsd.org.

Unbound listens on localhost port 53 and, when contacted, forwards to dnscrypt-proxy listening on localhost port 40, which itself contacts an external dnscrypt-enabled DNS server.
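To check that an unbound.conf really matches the localhost-only, dnscrypt-forwarding design set up above, here is an added Python checker (example code, not part of the original post or of Unbound itself). It embeds the configuration from this article as a constructed sample and assumes the forward-addr is 127.0.0.1@40, matching the dnscrypt-proxy listener configured in rc.local.

```python
# Constructed sample input: the unbound.conf from this article.
SAMPLE_CONF = """\
server:
    username: _unbound
    directory: /var/unbound
    chroot: /var/unbound
    do-not-query-localhost: no
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.8.0.0/24 allow
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
forward-zone:
    name: "."                   # use for ALL queries
    forward-addr: 127.0.0.1@40  # dnscrypt-proxy
"""

def parse_unbound_conf(text):  # -> {clause: [(key, value), ...]}; comments stripped
    clauses, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        if not key:  # blank or comment-only line
            continue
        if not value.strip():  # "server:" / "forward-zone:" open a new clause
            current = clauses.setdefault(key, [])
        elif current is not None:
            current.append((key, value.strip()))
    return clauses

def check_localhost_only_forwarding(text):  # [] means the config matches the design above
    conf = parse_unbound_conf(text)
    server, fz = conf.get("server", []), conf.get("forward-zone", [])
    get = lambda opts, k: [v for key, v in opts if key == k]
    findings = []
    if any(not v.startswith("127.") and v != "::1" for v in get(server, "interface")):
        findings.append("interface: cache reachable on a non-loopback address")
    if "0.0.0.0/0 refuse" not in get(server, "access-control"):
        findings.append("access-control: no default '0.0.0.0/0 refuse' rule")
    findings += [f"{k}: should be 'yes'" for k in ("hide-identity", "hide-version")
                 if get(server, k) != ["yes"]]  # id.server / version.bind CHAOS queries
    addrs = get(fz, "forward-addr")  # unbound only queries 127.0.0.1 if do-not-query-localhost is 'no'
    if get(fz, "name") != ['"."'] or not addrs:
        findings.append("forward-zone: expected a catch-all '.' zone with a forward-addr")
    if any(a.startswith("127.") for a in addrs) and get(server, "do-not-query-localhost") != ["no"]:
        findings.append("do-not-query-localhost: must be 'no' to reach dnscrypt-proxy on 127.0.0.1")
    if not get(server, "auto-trust-anchor-file"):
        findings.append("auto-trust-anchor-file: DNSSEC validation is not enabled")
    return findings
```

Run it against /var/unbound/etc/unbound.conf after editing; an empty list means the cache is loopback-only, default-deny, and forwarding everything to dnscrypt-proxy.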

via networkfilter
