DNSCrypt

OpenDNS, the free DNS provider, offers DNSCrypt, a way to protect clients against attacks that modify or manipulate DNS traffic. The main objective of DNSCrypt is full encryption of the communication channel between the client (you) and the server (OpenDNS), similar to how SSL is used to encrypt HTTP traffic. This protects the client from man-in-the-middle attacks. In addition, encrypting DNS communication improves the client's privacy. DNSCrypt is the client-side version of DNSCurve.

The dnscrypt-proxy client project is maintained by OpenDNS employee jedisct1.

Installation on ar71xx platforms

The OpenWrt package for ar71xx is maintained by black-roland.

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium.

Add the third-party source to your opkg configuration file /etc/opkg.conf according to your OpenWrt version:

Barrier Breaker:

src/gz exopenwrt http://exopenwrt.and.in.net/barrier_breaker/ar71xx/packages/exOpenWrt

Attitude Adjustment:

src/gz exopenwrt http://exopenwrt.and.in.net/attitude_adjustment/ar71xx/packages

trunk:

src/gz exopenwrt http://exopenwrt.and.in.net/trunk/ar71xx/packages/exOpenWrt

And proceed with the installation itself:

$ opkg update
$ opkg install dnscrypt-proxy

Forum thread

Installation on x86 platforms

The OpenWrt package for x86 is maintained by damianorenfer.

If not already done, install the CA certificate bundle (cacert.pem) so that curl can verify the GitHub downloads below:

root@OpenWrt:~# mkdir -p /etc/ssl/certs/
root@OpenWrt:~# wget -P /etc/ssl/certs/ http://curl.haxx.se/ca/cacert.pem

As DNSCrypt depends on libsodium, install it:

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/libsodium-openwrt/raw/master/openwrt/bin/x86/libsodium_0.4.5-1_x86.ipk
root@OpenWrt:~# opkg install libsodium_0.4.5-1_x86.ipk
root@OpenWrt:~# rm -f libsodium*.ipk

Then get the dnscrypt-proxy package from GitHub:

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem https://github.com/damianorenfer/dnscrypt-proxy-openwrt/raw/master/bin/x86/packages/dnscrypt-proxy_1.4.0-1_x86.ipk
root@OpenWrt:~# opkg install dnscrypt-proxy_1.4.0-1_x86.ipk
root@OpenWrt:~# rm -f dnscrypt-proxy*.ipk

You can then follow the configuration section below, but note that the default port of this package is 5353 and NOT 2053. Change it in /etc/config/dnscrypt-proxy if needed.

Note: these packages are only for x86 systems, but if you have some OpenWrt knowledge you can compile them for your platform. The procedure is briefly described at https://github.com/damianorenfer/dnscrypt-proxy-openwrt

Configuration

DNSCrypt listens on address 127.0.0.1, port 2053. We need to configure OpenWrt to send DNS requests to that address.

Server configuration

dnscrypt-proxy

The config file /etc/config/dnscrypt-proxy is simple and will rarely need editing. If you are using OpenDNS, it is already the default resolver, so you do not have to change anything.

config dnscrypt-proxy
    option address '127.0.0.1'
    option port '2053'
    # option resolver 'opendns'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

Description:

Name            Type    Required  Default                                           Description
address         string  yes       127.0.0.1                                         The IP address the proxy listens on.
port            string  yes       2053                                              Listening port for DNS queries.
resolver        string  no        opendns                                           DNS service used for resolving queries.
resolvers_list  string  no        /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv  Location of the CSV file containing the list of resolvers.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Now start DNSCrypt and enable it at boot:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

dnsmasq

Assuming you are using dnsmasq, edit /etc/config/dhcp so that the resolvfile, noresolv and server lines match the following (the other options are shown only for context):

config dnsmasq
    option domainneeded 1
    option boguspriv 1
    option filterwin2k 0
    option localise_queries 1
    option rebind_protection 1
    option rebind_localhost 1
    option local '/lan/'
    option domain 'lan'
    option expandhosts 1
    option nonegcache 0
    option authoritative 1
    option readethers 1
    option leasefile '/tmp/dhcp.leases'
    # option resolvfile '/tmp/resolv.conf.auto'
    option noresolv 1
    list server '127.0.0.1#2053'
    list server '/pool.ntp.org/208.67.222.222'
    # list server '208.67.222.222'
    # list server '208.67.220.220'
  • We have disabled the /tmp/resolv.conf.auto file, since it instructs dnsmasq to use your ISP's DNS servers.
  • The noresolv option also disables /etc/resolv.conf for the same reason.
  • 127.0.0.1#2053 is the DNSCrypt address.
  • /pool.ntp.org/208.67.222.222 adds an exception for pool.ntp.org, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires accurate time; otherwise it will not resolve any domain, including pool.ntp.org. If your device's clock were wrong, it could never synchronize its time, and DNSCrypt would therefore never work. This exception lets pool.ntp.org queries always bypass DNSCrypt and resolve via the standard unencrypted OpenDNS server.

Reboot the router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.

Linux

sudo /etc/init.d/nscd restart
or
sudo /etc/init.d/networking restart

Windows

ipconfig /flushdns

Mac OS X

  • Mac OSX 10.4 (Tiger)
    • lookupd -flushcache
  • Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
    • dscacheutil -flushcache

Troubleshooting

How to check if you are using OpenDNS servers

  1. The OpenDNS welcome page should display "Welcome to OpenDNS!".
  2. The OpenDNS demonstration phishing test page should block you.
  3. The OpenDNS typo test page should resolve to the real Craigslist site.
  4. The DNS randomness test will show the actual IP of your DNS server. You can check here whether the IP is associated with OpenDNS (put the IP in the search field).

How to check if your DNS queries are using dnscrypt with OpenDNS

In Windows:

nslookup -type=txt debug.opendns.com.

In Linux:

dig debug.opendns.com txt

One of the entries should be "dnscrypt enabled (<number>)". More info

How to check if dnscrypt-proxy is set up and running

The easy way is to look in the log.

  1. Check that dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant, since earlier blocks belong to previous dnsmasq starts.
    • logread | grep -n "using nameserver"
    • 132:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
      133:Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#2053
  2. Check that dnscrypt-proxy is working.
    • logread | grep "Proxying from"
    • Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:2053 to 208.67.220.220:443
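As an added example (not code from the wiki page or the dnscrypt-proxy project), this POSIX shell script applies the two log checks above to constructed logread lines: it isolates the nameserver block logged since the last dnsmasq start, accepts only the dnscrypt-proxy listener plus the pool.ntp.org exception, and looks for the dnscrypt-proxy "Proxying from" line. The log text, timestamps and PIDs are constructed; the listener address is the one from /etc/config/dnscrypt-proxy.

```shell
# Added example, not from the OpenWrt wiki: verify from logread output that
# dnsmasq forwards only to dnscrypt-proxy and that the proxy is running.
DNSCRYPT_LISTEN='127.0.0.1#2053'   # listener from /etc/config/dnscrypt-proxy

# Constructed `logread` sample: a stale nameserver block from a first dnsmasq
# start (still using the ISP resolver), then the block after the restart.
SAMPLE_LOG='Jan  1 00:59:00 openwrt daemon.info dnsmasq[1700]: started, version 2.71 cachesize 150
Jan  1 00:59:00 openwrt daemon.info dnsmasq[1700]: using nameserver 192.0.2.53#53
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: started, version 2.71 cachesize 150
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#2053
Jul  1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:2053 to 208.67.220.220:443'

# Constructed failure case: resolvfile was left enabled, so the current block
# still lists the ISP resolver, and dnscrypt-proxy never logged a start.
BAD_LOG='Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: started, version 2.71 cachesize 150
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 192.0.2.53#53
Jan  1 01:01:00 openwrt daemon.info dnsmasq[1883]: using nameserver 127.0.0.1#2053'

# Print the "using nameserver" lines logged since the last dnsmasq start;
# earlier blocks reflect a previous configuration and are ignored.
last_nameserver_block() {
    printf '%s\n' "$1" | awk '
        /dnsmasq\[[0-9]+]: started/          { block = ""; next }
        /dnsmasq\[[0-9]+]: using nameserver/ { block = block $0 "\n" }
        END { printf "%s", block }'
}

# Succeeds only if the current block names the dnscrypt-proxy listener and
# nothing else, apart from the "for domain pool.ntp.org" exception.
dnsmasq_uses_only_dnscrypt() {
    last_nameserver_block "$1" | awk -v want="$DNSCRYPT_LISTEN" '
        /for domain pool\.ntp\.org$/ { next }
        { ns = $0; sub(/.*using nameserver /, "", ns)
          if (ns == want) ok++; else bad++ }
        END { exit (ok > 0 && bad == 0) ? 0 : 1 }'
}

# Succeeds if dnscrypt-proxy logged that it is proxying from the same listener.
dnscrypt_proxy_running() {
    printf '%s\n' "$1" |
        grep -q "dnscrypt-proxy\[[0-9]*\]: Proxying from ${DNSCRYPT_LISTEN%#*}:${DNSCRYPT_LISTEN#*#} to "
}

# Stand-alone usage: on the router, replace "$SAMPLE_LOG" with "$(logread)".
if dnsmasq_uses_only_dnscrypt "$SAMPLE_LOG" && dnscrypt_proxy_running "$SAMPLE_LOG"; then
    echo "OK: dnsmasq forwards only to dnscrypt-proxy and the proxy is up"
else
    echo "WARNING: DNS queries may still reach an unencrypted resolver" >&2
fi
```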

Suspicious certificate received [brcm-2.4]

If dnscrypt-proxy is compiled for brcm-2.4 with a standard OpenWrt toolchain, it reports receiving a "suspicious" certificate:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a 127.0.0.1:2053
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found

This behavior is caused by a probable optimization bug in gcc-3.4.6 when the following CFLAGS are used:

-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time

It seems that crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is miscompiled by gcc-3.4.6, because the dnscrypt-proxy/src/libnacl/tests/hash3.c test fails (hash3.txt is the computed digest, hash3.out the expected one):

root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt
root@OpenWrtRouter:/tmp# cat hash3.txt
2b05e11a68d27841f23040799b036d1849bbc9d2b8dbd18b86073207e93e3ae5b74446174314163e67254466d89cb05cf995582f08547324f6b9aa45646d6c28
root@OpenWrtRouter:/tmp# cat hash3.out
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28

To fix the problem, compile dnscrypt-proxy with the -O2 optimization flag. Run

make menuconfig
and put

-O2 -pipe -mips32 -mtune=mips32 -funit-at-a-time

in Advanced configuration options (for developers) → Target Options. Then

make package/dnscrypt-proxy/compile V=99

produces a correct dnscrypt-proxy package.

With -O2 optimization, crypto_hash_sha512() in dnscrypt-proxy/src/libnacl is now compiled correctly and the test output matches the expected digest:

root@OpenWrtRouter:/tmp# ./hash3.exe > hash3.txt
root@OpenWrtRouter:/tmp# cat hash3.txt
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28
root@OpenWrtRouter:/tmp# cat hash3.out
24f950aac7b9ea9b3cb728228a0c82b67c39e96b4b344798870d5daee93e3ae5931baae8c7cacfea4b629452c38026a81d138bc7aad1af3ef7bfd5ec646d6c28

and dnscrypt-proxy works flawlessly:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -a 127.0.0.1:2053
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1346958918 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is 6228:62A6:CA4D:F1E8:37A7:C486:4F66:E692:0B5E:34F8:B110:597D:5BA0:BAB6:AF03:FA75
[INFO] Proxying from 127.0.0.1:2053 to 208.67.220.220:443

Notes


inbox/dnscrypt.txt · Last modified: 2014/10/01 11:30 by dartraiden