💾 Archived View for hispagatos.org › post › dnscrypt-proxy-arch-tut › index.gmi captured on 2023-11-14 at 07:50:31. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-04-19)
-=-=-=-=-=-=-
Here is a quick tutorial about dnscrypt-proxy [1] and how to set it up :)
Welcome to a step-by-step dnscrypt-proxy tutorial brought to you by your local gatos y gatas. This was tested with Arch Linux meow and updated last on April 30, 2020. The majority of this will work with other Linux distros but we use Arch here.
The Arch wiki page [2] states it is "a DNS proxy with support for the encrypted DNS protocols DNS over HTTPS and DNSCrypt, which can be used to prevent man-in-the-middle attacks and eavesdropping. dnscrypt-proxy is also compatible with DNSSEC."
DNS is a service that everyone uses but it transmits everything in plain text. This enables DNS to be used securely with encryption that not even your ISP can see your DNS requests :) You can tunnel requests thru known DNSSEC servers too.
Not ONLY to you get DNS encryption, but if configured correctly with Anonymized-DNS [3] can prevent intermediaries from recording and tampering with DNS traffic as it "prevents servers from learning anything about client IP addresses, by using intermediate relays dedicated to forwarding encrypted DNS data." This will be discussed in this tutorial.
You can also setup filtering [4] via blacklist, IP blacklist, and whitelist, which will be briefly discussed in this tutorial.
This setup will use dnscrypt-proxy without IPv6 and without DNS-over-https, but feel free to change to your needs and I encourage you to experiment.
$ sudo pacman -S dnscrypt-proxy
$ sudo cp /etc/dnscrypt-proxy/dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml.ORIGIN $ sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.uk-ipv4', 'ffmuc.net', 'meganerd', 'publicarray-au', 'scaleway-ams', 'scaleway-fr', 'v.dnscrypt.uk-ipv4']
ipv4_servers = true ipv6_servers = false # I don't use ipv6 dnscrypt_servers = true doh_servers = false # I disable DoH as not using any servers with it require_dnssec = true require_nolog = true require_nofilter = true
blocked_query_response = 'refused'
use_syslog = true
dnscrypt_ephemeral_keys = true
fallback_resolvers = ['91.239.100.100:53'] netprobe_address = '91.239.100.100:53'
block_ipv6 = true
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
routes = [ { server_name='dnscrypt.eu-dk', via=['anon-meganerd', 'anon-scaleway-ams'] }, { server_name='dnscrypt.eu-nl', via=['anon-meganerd', 'anon-scaleway-ams'] }, { server_name='dnscrypt.uk-ipv4', via=['anon-scaleway', 'anon-tiarap'] }, { server_name='ffmuc.net', via=['anon-ibksturm', 'anon-scaleway-ams'] }, { server_name='meganerd', via=['anon-scaleway', 'anon-tiarap'] }, { server_name='publicarray-au', via=['anon-ibksturm', 'anon-tiarap'] }, { server_name='scaleway-ams', via=['anon-scaleway', 'anon-meganerd'] }, { server_name='scaleway-fr', via=['anon-meganerd', 'anon-v.dnscrypt.uk-ipv4'] }, { server_name='v.dnscrypt.uk-ipv4', via=['anon-scaleway', 'anon-meganerd'] } ]
$ sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.toml
blacklist_file = 'blacklist.txt'
There are other blacklists out there too. If you know me, then reach out and ask for the extreme one I use :)
$ sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.toml
whitelist_file = 'whitelist.txt'
$ sudo vim /etc/resolv.conf nameserver 127.0.0.1 # make sure this is your nameserver
Run dnscrypt-proxy:
$ sudo systemctl start dnscrypt-proxy.service
Check to see if it is now running on port 53
$ ss -lp 'sport = :domain
Now test dnscrypt-proxy:
$ sudo pkill -STOP dnscrypt-proxy
Then attempt to access a website and if not able to then your DNS traffic is successfully going through the proxy, so we turn it back on:
$ sudo pkill -CONT dnscrypt-proxy
Optional test, go to dnsleaktest.com [14], click on extended test, and then verify that it is working as the results will not display your ISP DNS but only ones in our configuration file.
If you want, set it to load @ boot:
$ sudo systemctl enable dnscrypt-proxy.service
Q1: What if /etc/resolv.conf get's overwritten on reboot?
A1: Follow instructions above to change but also use the following command afterwards to make sure that resolv.conf does not get changed:
chattr +i /etc/resolv.conf
(1) dnscrypt-proxy source code [15]
(2) Arch Linux Wiki on dnscrypt-proxy [16]
(3) Installing dnscrypt-proxy on Linux [17] - from the creators
Change whatever you need to & enjoy :) If there is anything else I missed then let me know. As always -> RTFM, hack the system & enjoy life! - Killab33z
[1] dnscrypt-proxy (https://github.com/DNSCrypt/dnscrypt-proxy)
[2] Arch wiki page (https://wiki.archlinux.org/index.php/Dnscrypt-proxy)
[3] Anonymized-DNS (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS)
[4] filtering (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Filters)
[5] server_names (https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
[7] this "privacy DNS" list (https://waluszko.net/2018/04/10/pricacy-oriented-dns-providers-review/)
[8] more info here (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS)
[11] use this reference (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Public-blacklists)
[14] dnsleaktest.com (dnsleaktest.com)
[15] dnscrypt-proxy source code (https://github.com/DNSCrypt/dnscrypt-proxy)
[16] Arch Linux Wiki on dnscrypt-proxy (https://wiki.archlinux.org/index.php/Dnscrypt-proxy)
Hackea el sistema! Los grupos anarquistas de hacking: <no value>
Libertad del software es descentralizar el poder: <no value>
Hackernol Novedades: <no value>
---
→ Older: Help support Hispagatos by mining
█████ █████ █████ █████ █████ █████ █████ █████ ░░░░░ ░░░░░ ░░░░░ ░░░░░ ░░░░░ ░░░░░ ░░░░░ ░░░░░
Hispagatos is an Anarcho Hacker collective[1] that resolves around the Hacker ethic[2] of Steven levy and Libertarian Socialism ideas.
We work hard to preserve hacker culture, decentralization,security and privacy in cyberspace and also motivate towards an horizontal and non hierarchical techno-anarcho-communist society (TACS) where technology is made by people for the people not by corporate masters to control people. a(A)a
[donate using LiberaPay](https://liberapay.com/Hispagatos/donate)