inbox:dnscrypt
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

Differences

This shows you the differences between two versions of the page.

inbox:dnscrypt [2016/11/02 09:01]
dartraiden [Custom build for ar71xx from black-roland]
inbox:dnscrypt [2018/01/17 18:10] (current)
dartraiden [Installation]
Line 1: Line 1:
 ===== DNSCrypt =====
 DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic --- The main objective of DNSCrypt is authentication of the communication channel between the client (you) and a resolver supporting the protocol --- This will protect the client from [[google>man in the middle attacks]]. In addition, encryption of DNS communication improves the client's privacy. DNSCrypt is the //client-side// version of [[https://github.com/Cofyc/dnscrypt-wrapper|dnscrypt-wrapper]].
-
-|{{:meta:icons:tango:48px-emblem-important.svg.png?nolink}} The [[https://dnscrypt.org/|dnscrypt-proxy]] client project is maintained by Frank Denis [[https://github.com/jedisct1/dnscrypt-proxy|jedisct1]]|
 
 DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven't been tampered with.
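Review bot: with the maintainer box removed, the page no longer names the dnscrypt-proxy project the OpenWrt package is built from, while edits further down in this same revision repoint the resolver-list links from jedisct1 to the dyne fork; keep one line that names the upstream project so readers know whose resolver list and release notes apply to the package they install.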
Line 12: Line 10:
 ===== Installation =====
 
-dnscrypt-proxy and libsodium is in the official repository for Chaos Calmer 15.05 and up.
+dnscrypt-proxy and libsodium are in the official repository for Chaos Calmer 15.05 and up.
 
   opkg update
Line 19: Line 17:
   * If installed skip to configuration.
   * If somehow you can't install it that way, proceed with the following instructions.
+
+In addition, you can install the luci-app-dnscrypt-proxy package, which provides the ability to configure dnscrypt-proxy via the LuCi web interface.
 
 ===== Custom build for ar71xx from black-roland =====
Line 34: Line 34:
 Add third-party source to your opkg configuration file ''/etc/opkg.conf'' according to your OpenWrt version.
 
-Trunk:
+**Trunk:**
 
-  cd /tmp
-  uclient-fetch 'http://exopenwrt.roland.black/exopenwrt.pub'
-  opkg-key add exopenwrt.pub
-  echo '/etc/opkg/keys/1a929a1dd62138c1' >> /etc/sysupgrade.conf
-  echo 'src/gz exopenwrt http://exopenwrt.roland.black/snapshots/trunk/ar71xx/packages/exopenwrt' >> /etc/opkg/customfeeds.conf
+Already have newest dnscrypt-proxy version with possibility of launching multiple instances.
 
-Chaos Calmer:
+  opkg update
+  opkg install dnscrypt-proxy
+
+**Chaos Calmer:**
 
   cd /tmp
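Review bot: the Trunk block drops the whole feed setup, including ''opkg-key add exopenwrt.pub'' and the ''/etc/sysupgrade.conf'' entry that keeps the key across upgrades, yet it still sits under the instruction to add the third-party source to ''/etc/opkg.conf'' "according to your OpenWrt version"; state explicitly that trunk users install from the official feed and should not add the exopenwrt feed at all, otherwise a reader may add the feed without the key-import step and opkg will have no way to verify the packages it pulls from it.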
Line 50: Line 49:
   echo 'src/gz exopenwrt http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt' >> /etc/opkg.conf
 
-Barrier Breaker:
+**Barrier Breaker:**
 
-  http://exopenwrt.roland.black/barrier_breaker/14.07/ar71xx/packages/exopenwrt
+  echo 'src/gz exopenwrt http://exopenwrt.roland.black/barrier_breaker/14.07/ar71xx/packages/exopenwrt' >> /etc/opkg.conf
 
 And proceed with the installation itself:
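Review bot: the Barrier Breaker line now adds the exopenwrt feed but, unlike the Chaos Calmer block just above it (which starts with ''cd /tmp'' to fetch the feed key), shows no key import; either add the same key-fetch and ''opkg-key add'' steps for Barrier Breaker, or say explicitly that its opkg does not check feed signatures, so the reader knows packages from that feed are installed unverified.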
Line 67: Line 66:
  
 === dnscrypt-proxy ===
-The config file ''/etc/config/dnscrypt-proxy'' is simple and should be edited according to your needs. Possible values for the 'resolver' option are the first column in the list of [[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|public DNSCrypt resolvers]].
+The config file ''/etc/config/dnscrypt-proxy'' is simple and should be edited according to your needs. Possible values for the 'resolver' option are the first column in the list of [[https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|public DNSCrypt resolvers]].
 
 |''config dnscrypt-proxy
Line 83: Line 82:
 | ''port'' | string | yes | ''5353'' | Listening port for DNS queries. |
 | ''resolver'' | string | no | ''cisco'' | DNS service for resolving queries. You can't add more than one resolver. |
-| ''resolvers_list'' | string | no | ''/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'' | Location of CSV file containing list of resolvers. When you use a custom DNSCrypt server and you later get problems when executing DNSCrypt, have a look in the resolver list (''/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'') and make sure the resolver you chose is listed there. If not you may need to manually add it or just update the resolver list with the [[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|official one]]. Make sure to verify the integrity of the file before overwriting the local list! |
-| ''ephemeral_keys'' | boolean | no | ''0'' | Improve privacy by using an ephemeral public key for each query. Note that you cannot yet use it with current versions of OpenWrt as the dnscrypt-proxy package is outdated and uses a version of DNSCrypt, which does not support ephemeral keys. Ephemeral keys option requires extra CPU cycles (especially on non-x86 platforms) and can cause huge system load. Disable it in case of performance problems. Also this option is useless with most DNSCrypt servers (all the servers using short TTLs for the certificates, which is done by default in the Docker image). |
+| ''resolvers_list'' | string | no | ''/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'' | Location of CSV file containing list of resolvers. When you use a custom DNSCrypt server and you later get problems when executing DNSCrypt, have a look in the resolver list (''/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'') and make sure the resolver you chose is listed there. If not you may need to manually add it or just update the resolver list with the [[https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|official one]]. Make sure to verify the integrity of the file before overwriting the local list! |
+| ''ephemeral_keys'' | boolean | no | ''0'' | Improve privacy by using an ephemeral public key for each query. Note that you cannot yet use it with current (Chaos Calmer) version of OpenWrt as the dnscrypt-proxy package is outdated and uses a version of DNSCrypt, which does not support ephemeral keys. Ephemeral keys option requires extra CPU cycles (especially on non-x86 platforms) and can cause huge system load. Disable it in case of performance problems. Also this option is useless with most DNSCrypt servers (all the servers using short TTLs for the certificates, which is done by default in the Docker image). |
+
+These options are only supported by Trunk:
+
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''client_key'' | string | no | //none// | Use a client public key for identification. By default, the client uses a randomized key pair in order to make tracking more difficult. This option does the opposite and uses a static key pair, so that DNS providers can offer premium services to queries signed with a known set of public keys. A client cannot decrypt the received responses without also knowing the secret key. The value of this property is the path to a file containing the secret key. The corresponding public key is computed automatically |
+| ''syslog'' | boolean | no | ''1'' | Send logs to the syslog daemon |
+| ''syslog_prefix'' | string | no | ''dnscrypt-proxy'' | Log entries can optionally be prefixed with a string |
+
+These options are not supported (at this moment), because DNSCrypt compiled without plugins support:
+
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''query_log_file'' | string | no | //none// | Log the received DNS queries to a file, so you can watch in real-time what is happening on the network. The value for this parameter is a full path to the log file. The file name can be prefixed with ltsv: in order to store logs using the LTSV format (ex: ltsv:/tmp/dns-queries.log) |
+| ''local_cache'' | boolean | no | ''0'' | Enable cache may speed up dnscrypt-proxy |
+| ''block_ipv6'' | boolean | no | ''0'' | Disable IPv6 may also speed up dnscrypt-proxy |
+| ''list blacklist'' | string | no | //none// | Blacklists allow you to block domains, ip, ... The value of this property is the blocklist type and path to file (ex: domains:/path/to/domains-blacklist-file.txt or ips:/path/to/ips-blacklist-file.txt). You can specify several blocklists by adding several ''list blacklist'' options. |
 
 If you need to specify other options, you will have to edit the ''/etc/init.d/dnscrypt-proxy'' script.
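Review bot: the ''resolvers_list'' row tells the reader to verify the integrity of the downloaded CSV before overwriting the local list but gives no way to do it, and the new ''client_key'' row should spell out its trade-off: a static key pair lets the resolver link all of a client's queries together, which is exactly what the default randomized key pair avoids. Suggest saying how to check the CSV (a checksum or signature published next to it, compared before copying it over ''/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'') and adding to the ''client_key'' row a sentence such as "leave unset unless your resolver requires it".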
Line 123: Line 137:
 ''|
 
-  * We have disabled ''/tmp/resolv.conf.auto'' file since it instruct ''dnsmasq'' to use your ISP's DNS.
+  * We have disabled ''/tmp/resolv.conf.auto'' file since it instructs ''dnsmasq'' to use your ISP's DNS.
   * ''noresolv'' option also disables ''/etc/resolv.conf'' file for similar reason.
   * ''127.0.0.1#5353'' is the DNSCrypt address.
Line 134: Line 148:
 |{{:meta:icons:tango:48px-emblem-important.svg.png?nolink}} This option is not available in Chaos Calmer and earlier|
 
-Multiple DNSCrypt instances is helpful to provide dnsmasq with a fallback nameserver without losing the privacy benefits of DNSCrypt ([[https://wuffleton.com/hacks/dnscrypt-openwrt/|source]]).
+Multiple DNSCrypt instances are helpful to provide dnsmasq with a fallback nameserver without losing the privacy benefits of DNSCrypt ([[https://wuffleton.com/hacks/dnscrypt-openwrt/|source]]).
 
 Add more resolver entries to your ''/etc/config/dnscrypt-proxy'' configuration (note that each resolver must be on a different port):
Line 199: Line 213:
  
 ==== How to check if dnscrypt-proxy is set up and running ====
-The easy way is to look in the log.
+The easy way is to look at the log.
   - Check if ''dnsmasq'' is using only dnscrypt. Only the last block of logged nameservers is relevant.
     * <code>logread | grep -n "using nameserver"</code>
Line 208: Line 222:
     * <code>Jul 1 12:00:00 openwrt daemon.info dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443</code>
 
+If you have problems, check port conflict (for example, between the mDNS ZeroConf Daemon (avahi) and the default port for dnscrypt-proxy).
 ==== Suspicious certificate received ====
 A "suspicious" certificate can be reported:
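Review bot: the new port-conflict sentence should name the actual clash and how to detect it: mDNS (avahi) listens on UDP 5353, which is also the default ''port'' in the options table above, so either change ''port'' in ''/etc/config/dnscrypt-proxy'' or stop avahi, and check with ''netstat -lnup'' which process currently holds UDP 5353 before restarting dnscrypt-proxy. A blank line is also missing before the ''==== Suspicious certificate received ===='' heading.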
inbox/dnscrypt.1478073672.txt.bz2 · Last modified: 2016/11/02 09:01 by dartraiden