August 4, 2013

DNSCrypt on Ubuntu


After setting up a shared wireless connection, I started to worry about the "plainness" of the transmissions: everything that goes through the air and the router could simply be read by another receiver and used for another purpose. Of course, there is the always reliable TOR network, but since it would increase an already quite high latency, I decided to skip it. Nonetheless, I still wanted something that would run on every request and increase privacy a little, and then I found DNSCrypt. In other words:
DNSCrypt encrypts all DNS traffic between your computer and the OpenDNS servers (so you'll be using OpenDNS) and can protect you from man-in-the-middle attacks, spying, resolver impersonation, can prevent Internet service providers from blocking various websites and more.

But theory is boring, so let's practice. First, download the packages from the internet. At the time of writing the latest version was 1.3.2, but better check them here. It also depends on Libsodium 0.4.2.

 # wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.gz
 # wget http://download.libsodium.org/libsodium/releases/libsodium-0.4.2.tar.gz
 # sudo apt-get update && sudo apt-get upgrade
 # tar -xvzf libsodium-0.4.2.tar.gz
 # cd libsodium-0.4.2/ && ./configure && make && sudo make install
 # sudo ldconfig
 # cd ..
 # tar -xvzf dnscrypt-proxy-1.3.2.tar.gz
 # cd dnscrypt-proxy-1.3.2/ && ./configure && make && sudo make install

After the commands above, DNSCrypt should be installed and ready to run as /usr/local/sbin/dnscrypt-proxy by default. Then it is time to configure it. First we edit the DNS file:

 # cd /etc/resolvconf/resolv.conf.d
 # sudo cp -p head head.orig  # "backup copy, always do this"
 # sudo nano head
Add this to the end of the file: nameserver 127.0.0.2
 # sudo resolvconf -u

This adds the new address to which we will forward all requests. Then, to take advantage of the convenience of the "service" command, here is a script created on the WebUpd8 blog that I modified so that we can call the command and start the application when the server restarts:

 description "dnscrypt startup script"

 start on (local-filesystems and started dbus and stopped udevtrigger)
 stop on runlevel [016]

 script
         exec dnscrypt-proxy -a 127.0.0.2 --daemonize --pidfile=/run/dnscrypt-proxy.pid --edns-payload-size=4096
 end script

And with the file saved, then everything is moved to the right place:

 # sudo cp dnscrypt.conf /etc/init/
 # sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt
 # sudo service dnscrypt start

If everything worked as expected, then at the end you will be able to visit the webpage of OpenDNS and see this screen:


At the end, you can follow these instructions to see how the packets are encrypted: How to check if DNS is encrypted?
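The head file only prepends the 127.0.0.2 entry, so nameservers supplied by DHCP can still follow it in the generated resolv.conf, and the system resolver falls back to them in plaintext if the proxy does not answer. The check below is an added example, not part of the original post or of the DNSCrypt project; the function name audit_resolv and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: audit a resolv.conf for resolvers that would bypass
# the local dnscrypt-proxy listener. audit_resolv is a hypothetical helper.
# PROXY_ADDR matches the 127.0.0.2 address used in this post.
PROXY_ADDR="127.0.0.2"

# audit_resolv FILE
# Prints one finding per line and returns:
#   0  the proxy is the only nameserver
#   1  the proxy is first, but other nameservers allow plaintext fallback
#   2  the proxy is missing or is not the first nameserver
audit_resolv() {
    file=$1
    first=""
    extra=0
    # Only "nameserver <addr>" lines matter; comments and options are skipped.
    # The "|| [ -n ... ]" part keeps a last line that has no trailing newline.
    while read -r key addr rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        [ -n "$addr" ] || continue
        if [ -z "$first" ]; then
            first=$addr
        fi
        if [ "$addr" != "$PROXY_ADDR" ]; then
            echo "plaintext resolver listed: $addr"
            extra=$((extra + 1))
        fi
    done < "$file"

    if [ "$first" != "$PROXY_ADDR" ]; then
        echo "first nameserver is '${first:-none}', expected $PROXY_ADDR"
        return 2
    fi
    if [ "$extra" -gt 0 ]; then
        echo "$extra fallback resolver(s) can receive unencrypted queries"
        return 1
    fi
    echo "only $PROXY_ADDR is configured"
    return 0
}

# When run with an argument, audit that file, e.g. /etc/resolv.conf.
if [ $# -gt 0 ]; then
    audit_resolv "$1"
fi
```

A return code of 1 means the setup works while the proxy is up, but queries leak to the listed resolvers whenever it is down.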
