dnscrypt-proxy encrypts and authenticates the DNS traffic between this host and the OpenDNS DNSCrypt resolver.
That stops an on-path attacker from reading or forging answers on the link between you and the resolver (the usual spoofing/cache-poisoning vector); it does not validate DNSSEC, and the resolver itself still sees every query in the clear.
This article uses the Ubuntu 14.04 server distribution.
*Related links (search the web for more background):
https://dnsleaktest.com/results.html
http://www.zdnet.com/article/how-opendns-powerdns-and-maradns-remained-unaffected-by-the-dns-cache-poisoning-vulnerability/
dnscrypt-proxy talks to OpenDNS over UDP port 443, so the firewall has to allow that traffic in both directions, for example:
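#opendns udp 443 -- the address/port dnscrypt-proxy connects to for "-R opendns"
ODIP2="208.67.220.220"
ODPORT="443"
# -A appends: if the chain already ends in a DROP/REJECT rule these must be
# inserted before it (e.g. with -I) or they will never match.
/sbin/iptables -A OUTPUT -p udp -d "$ODIP2" --dport "$ODPORT" -j ACCEPT
# Only accept replies to queries we sent. Without the state match any UDP
# packet with a spoofed source of 208.67.220.220:443 would be let in.
/sbin/iptables -A INPUT -p udp -s "$ODIP2" --sport "$ODPORT" \
  -m state --state ESTABLISHED -j ACCEPT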
#So,so...
You need gcc and make installed before compiling libsodium and dnscrypt-proxy.
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# apt-get install gcc
root@firewall-home:~/compile/libsodium-1.0.2# apt-get install make
#Downloading dnscrypt-proxy. Note that this URL is plain HTTP, so the tarball can be altered in transit: verify it against the signature or checksum the project publishes before building and installing it as root.
root@firewall-home:~# wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.3.tar.gz
--2015-04-18 17:18:20-- http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.3.tar.gz
Resolving download.dnscrypt.org (download.dnscrypt.org)... 91.121.49.42
Connecting to download.dnscrypt.org (download.dnscrypt.org)|91.121.49.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1560345 (1.5M) [application/binary]
Saving to: 'dnscrypt-proxy-1.4.3.tar.gz'
100%[======================================>] 1,560,345 38.8KB/s in 74s
2015-04-18 17:19:35 (20.6 KB/s) - 'dnscrypt-proxy-1.4.3.tar.gz' saved [1560345/1560345]
#Downloading the libsodium library source (fetched over HTTPS here; still verify the published signature/checksum before building).
root@firewall-home:~# wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.2.tar.gz
--2015-04-18 17:20:18-- https://download.libsodium.org/libsodium/releases/libsodium-1.0.2.tar.gz
Resolving download.libsodium.org (download.libsodium.org)... 91.121.49.42
Connecting to download.libsodium.org (download.libsodium.org)|91.121.49.42|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1673394 (1.6M) [application/binary]
Saving to: 'libsodium-1.0.2.tar.gz'
100%[======================================>] 1,673,394 29.3KB/s in 63s
2015-04-18 17:21:25 (25.8 KB/s) - 'libsodium-1.0.2.tar.gz' saved [1673394/1673394]
root@firewall-home:~# mv dnscrypt-proxy-1.4.3.tar.gz libsodium-1.0.2.tar.gz compile/
root@firewall-home:~# cd compile/
root@firewall-home:~/compile# ls
dnscrypt-proxy-1.4.3.tar.gz libsodium-1.0.2.tar.gz
root@firewall-home:~/compile#
root@firewall-home:~/compile# for i in $(ls *.tar.gz); do tar xvzf $i; done
root@firewall-home:~/compile# ls
dnscrypt-proxy-1.4.3 libsodium-1.0.2
dnscrypt-proxy-1.4.3.tar.gz libsodium-1.0.2.tar.gz
root@firewall-home:~/compile# cd libsodium-1.0.2/
#configuring libsodium. --prefix=/usr puts the files in directories dpkg manages, where a later package install can overwrite them; /usr/local is the conventional prefix for self-built software. Whatever prefix you pick, the dnscrypt-proxy build below and the DAEMON path in the init script must agree with it.
root@firewall-home:~/compile/libsodium-1.0.2# ./configure --prefix=/usr
#make
root@firewall-home:~/compile/libsodium-1.0.2# make
#make install
root@firewall-home:~/compile/libsodium-1.0.2# make install
#Verifying that the libsodium library was installed.
root@firewall-home:~/compile/libsodium-1.0.2# ls -l /usr/lib/libsodium.
libsodium.a libsodium.la libsodium.so libsodium.so.13 libsodium.so.13.1.0
root@firewall-home:~/compile/libsodium-1.0.2# ls -l /usr/lib/libsodium.so.13
lrwxrwxrwx 1 root root 19 Apr 18 17:32 /usr/lib/libsodium.so.13 -> libsodium.so.13.1.0
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# cd ../dnscrypt-proxy-1.4.3/
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# ./configure --prefix=/usr
#There should be no errors.
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# ./configure --prefix=/usr
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# make
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# make install
(output omitted)
make[1]: Entering directory `/root/compile/dnscrypt-proxy-1.4.3'
make[2]: Entering directory `/root/compile/dnscrypt-proxy-1.4.3'
make[2]: Nothing to be done for `install-exec-am'.
/bin/mkdir -p '/usr/share/dnscrypt-proxy'
/usr/bin/install -c -m 644 dnscrypt-resolvers.csv '/usr/share/dnscrypt-proxy'
make[2]: Leaving directory `/root/compile/dnscrypt-proxy-1.4.3'
make[1]: Leaving directory `/root/compile/dnscrypt-proxy-1.4.3
#You need a local DNS forwarder/cache in front of dnscrypt-proxy, because the proxy listens on a non-standard port (2053) and does not cache. I use dnsmasq. If you use another forwarder such as pdns or unbound, refer to https://wiki.archlinux.org/index.php/DNSCrypt
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# apt-get install dnsmasq
#Add a 127.0.0.2 entry to /etc/hosts (dnscrypt-proxy will listen on this second loopback address so it does not collide with dnsmasq on 127.0.0.1).
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# vi /etc/hosts
127.0.0.1 localhost
127.0.0.1 firewall-home
127.0.0.2 localhost
#Edit /etc/dnsmasq.conf file.
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# vi /etc/dnsmasq.conf
#Lines 99-101 are the three lines you add; everything else is the stock file. "no-resolv" stops dnsmasq from also using the plaintext resolvers in /etc/resolv.conf (which would leak queries around DNSCrypt), "server=127.0.0.2#2053" sends everything to dnscrypt-proxy, and "listen-address=127.0.0.1" keeps dnsmasq off the LAN interfaces.
90 # If you want dnsmasq to listen for DHCP and DNS requests only on
91 # specified interfaces (and the loopback) give the name of the
92 # interface (eg eth0) here.
93 # Repeat the line for more than one interface.
94 #interface=
95 # Or you can specify which interface _not_ to listen on
96 #except-interface=
97 # Or which to listen on by address (remember to include 127.0.0.1 if
98 # you use this.)
99 no-resolv
100 server=127.0.0.2#2053
101 listen-address=127.0.0.1
#Creating the init script.
#If you can write a more polished script, let me know ^^;
root@firewall-home:~/compile/dnscrypt-proxy-1.4.3# vi /etc/init.d/dnscrypt
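#!/bin/sh
#Created by wnapdlf05@gmail.com
#Init script for dnscrypt-proxy, a local stub that encrypts and
#authenticates DNS traffic between this host and the OpenDNS DNSCrypt resolver.
#Usage: /etc/init.d/dnscrypt {start|stop|restart|status}
### BEGIN INIT INFO
# Provides: dnscrypt
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
NAME="dnscrypt"
DESC="dnscrypt DNS encryption to opendns"
# Must match the --prefix given to ./configure (prefix /usr -> /usr/sbin).
DAEMON="/usr/sbin/dnscrypt-proxy"
PID="/run/dnscrypt-proxy.pid"
# Local listen address/port; dnsmasq forwards here (server=127.0.0.2#2053).
MH="127.0.0.2"
MP="2053"
#edns payload size
EPS="--edns-payload-size=4096"
# Resolver name looked up in dnscrypt-resolvers.csv (installed by make install).
RSV="opendns"
# Unprivileged account to drop to after the listening socket is bound
# (dnscrypt-proxy -u). If the account does not exist the daemon is started as
# root, exactly as before, so this is safe to enable later. Create it with e.g.:
#   adduser --system --group --home /var/lib/dnscrypt dnscrypt
# NOTE(review): the 1.x proxy may chroot() into this user's home directory when
# dropping privileges, so give the account a real, existing home -- confirm
# against the dnscrypt-proxy man page for your version.
RUN_USER="dnscrypt"
. /lib/lsb/init-functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Print the pid and exit 0 when the daemon is up; otherwise report and exit 1.
status_check(){
  if start-stop-daemon -T --pidfile "$PID"; then
    echo "$NAME is running at pid $(cat "$PID")"
  else
    echo "Service $NAME is not running"
    exit 1
  fi
}

# Start the daemon. The exit status is captured directly so the LSB
# end message and the script's exit code reflect a failed start
# (the previous set +e/set -e sandwich always reported 0).
start_dnscrypt(){
  log_daemon_msg "starting $NAME" "$DAEMON"
  user_opt=""
  if getent passwd "$RUN_USER" >/dev/null 2>&1; then
    user_opt="-u $RUN_USER"
  fi
  # $user_opt is deliberately unquoted: it is either empty or "-u <name>".
  "$DAEMON" -a "$MH:$MP" "$EPS" --pidfile="$PID" -R "$RSV" $user_opt --daemonize
  rc=$?
  log_end_msg "$rc"
  return "$rc"
}

# Stop the daemon. --oknodo keeps "stop" idempotent (LSB: stopping an
# already-stopped service succeeds); the stale pid file is removed either way.
stop_dnscrypt(){
  log_daemon_msg "stopping $NAME" "$DAEMON"
  start-stop-daemon --stop --oknodo --pidfile "$PID" --retry 5
  rc=$?
  rm -f -- "$PID"
  log_end_msg "$rc"
  return "$rc"
}

case "$1" in
  start)
    start_dnscrypt
    ;;
  stop)
    stop_dnscrypt
    ;;
  restart)
    stop_dnscrypt
    start_dnscrypt
    ;;
  status)
    status_check
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
# Propagate the status of the action that ran instead of always exiting 0.
exit $?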
root@firewall-home:~# chmod 755 /etc/init.d/dnscrypt
root@firewall-home:~# service dnscrypt start
root@firewall-home:~# ps -ef | grep dnsc
root 14347 1 0 17:48 ? 00:00:00 /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
#Test
#In another tty or terminal, run tcpdump while resolving a name; you should see UDP traffic to and from resolver2.opendns.com on port 443 (the payload is encrypted, so tcpdump cannot decode it as DNS). Note that the first dig below, against 127.0.0.2 without "-p 2053", times out because dnscrypt-proxy listens on port 2053, not 53; the second dig goes through dnsmasq on 127.0.0.1 and is the real end-to-end check -- the "dnscrypt enabled" TXT record confirms the query reached OpenDNS over DNSCrypt.
tit@firewall-home:~$ wget google.com
# 192.168.200.253 is my home firewall private ip
root@firewall-home:~# tcpdump -i p5p1 -p udp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p5p1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:02:44.939817 IP 192.168.200.253.50479 > resolver2.opendns.com.https: UDP, length 512
18:02:45.031513 IP 192.168.200.253.50479 > resolver2.opendns.com.https: UDP, length 512
18:02:45.172529 IP resolver2.opendns.com.https > 192.168.200.253.50479: UDP, length 176
18:02:45.256895 IP resolver2.opendns.com.https > 192.168.200.253.50479: UDP, length 176
18:02:45.257488 IP 192.168.200.253.50479 > resolver2.opendns.com.https: UDP, length 512
18:02:45.480493 IP resolver2.opendns.com.https > 192.168.200.253.50479: UDP, length 304
18:02:46.336622 IP 192.168.200.253.50479 > resolver2.opendns.com.https: UDP, length 512
18:02:46.564710 IP resolver2.opendns.com.https > 192.168.200.253.50479: UDP, length 176
tit@firewall-home:~$ dig -t txt debug.opendns.com @127.0.0.2
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t txt debug.opendns.com @127.0.0.2
;; global options: +cmd
;; connection timed out; no servers could be reached
tit@firewall-home:~$ dig -t txt debug.opendns.com @127.0.0.1
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t txt debug.opendns.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65019
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 9.sea"
debug.opendns.com. 0 IN TXT "flags 20 0 70 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 203.90.42.85:50479"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"
;; Query time: 224 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 18 18:09:03 KST 2015
;; MSG SIZE rcvd: 247
*DNS leak test site (confirms that no query is escaping to another resolver):
https://dnsleaktest.com/
#Enable the service at boot.
root@firewall-home:/etc/rc6.d# update-rc.d dnscrypt defaults
Adding system startup for /etc/init.d/dnscrypt ...
/etc/rc0.d/K20dnscrypt -> ../init.d/dnscrypt
/etc/rc1.d/K20dnscrypt -> ../init.d/dnscrypt
/etc/rc6.d/K20dnscrypt -> ../init.d/dnscrypt
/etc/rc2.d/S20dnscrypt -> ../init.d/dnscrypt
/etc/rc3.d/S20dnscrypt -> ../init.d/dnscrypt
/etc/rc4.d/S20dnscrypt -> ../init.d/dnscrypt
/etc/rc5.d/S20dnscrypt -> ../init.d/dnscrypt
#To check for errors, look at /var/log/syslog with tail or an editor.
#On success you should see messages like the ones below. The "-R opendns" entry is taken from /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv (installed above), which carries the provider public key the received certificate is checked against, so keep that file current; the "Server key fingerprint" line is worth comparing with the value OpenDNS publishes, and the certificate validity window tells you when the resolver must have rotated its key.
Apr 18 17:46:56 firewall-home dnscrypt-proxy[14323]: Starting dnscrypt-proxy 1.4.3
Apr 18 17:46:56 firewall-home dnscrypt-proxy[14323]: Initializing libsodium for optimal performance
Apr 18 17:46:56 firewall-home dnscrypt-proxy[14323]: Generating a new key pair
Apr 18 17:46:56 firewall-home dnscrypt-proxy[14323]: Done
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Starting dnscrypt-proxy 1.4.3
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Initializing libsodium for optimal performance
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Generating a new key pair
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Done
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Server certificate #1408041567 received
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: This certificate looks valid
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Chosen certificate #1408041567 is valid from [2014-08-15] to [2015-08-15]
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Server key fingerprint is 8201:4577:3D75:3934:FC25:B83C:8369:72DC:98A2:1368:AA0A:2C18:6C17:D7B4:30E8:CD63
Apr 18 17:47:37 firewall-home dnscrypt-proxy[14333]: Proxying from 127.0.0.2:2053 to 208.67.220.220:443
#You could use a PPA instead, but I prefer compiling the latest source. (Note that the PPA name in the command below does not match the link above; check which one you actually trust before adding it, since a PPA can install anything as root.)
#https://launchpad.net/~shnatsel/+archive/ubuntu/dnscrypt
sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy