Update (2018-02-03): DNSCrypt has been discontinued (and their site is already down :/). But it seems that this DNSCrypt 2 project will continue development. Also, this DNS Privacy Project contains interesting information (not needed to just use DNSCrypt, though).
DNSCrypt is a tool that lets you send your DNS queries to something other than your ISP’s DNS servers, while also encrypting those DNS requests to prevent snooping. I’m not sure how useful it is if you’re using a VPN, but I’m more of an SSH tunnel guy and, as far as I saw, almost every program except Firefox (when configured properly) will still perform its DNS requests directly instead of via the SSH tunnel, which is kind of retarded as it defeats the purpose of the tunnel… So that’s where DNSCrypt comes in handy.
I found it quite trivial to use on Windows (except that setting a custom DNS server doesn’t seem to work; on a side note, this test page is great to check whether or not you are currently using OpenDNS as your DNS server), but on OpenSUSE it’s quite a bit tougher to set up, as you’ll have to compile it yourself. Still, with the instructions below it should be easy enough (plus in the end it works better than on Windows ;))
First, install some required stuff (may be more or less depending on what is already installed on your system; if more is required, the output of ./configure should be most helpful in finding out the missing dependency):
zypper in gcc
zypper in -t pattern devel_C_C++
Then, download and install the latest libsodium (it’s a dependency for which OpenSUSE doesn’t provide packages either), building it from inside the unpacked directory:
wget http://download.dnscrypt.org/libsodium/releases/libsodium-0.4.5.tar.gz
tar xf libsodium-0.4.5.tar.gz
cd libsodium-0.4.5
./configure
make && make install
cd ..
Then you need to run ldconfig (just type ldconfig in the console). I have no idea what it does, but if you don’t do it the ./configure for dnscrypt-proxy will most likely fail with a message like:
configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'. See `config.log' for more details
configure: error: ./configure failed for src/libevent-modified
Finally, download and install the latest dnscrypt-proxy, again from inside the unpacked directory:
wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.3.tar.bz2
tar xf dnscrypt-proxy-1.3.3.tar.bz2
cd dnscrypt-proxy-1.3.3
./configure
make && make install
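The build steps above fetch both tarballs over plain HTTP and build whatever arrives. As an added example (not code from the original post or from the DNSCrypt project), here is the same procedure wrapped in a small script that refuses to build a tarball whose SHA-256 does not match a value you pinned beforehand. The URLs and version numbers are the post's; the two checksum arguments are placeholders you must replace with the real values from the project's release information, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: checksum-verified download and build of the two tarballs the
# post installs (libsodium, then dnscrypt-proxy). Not the project's own script.
# The expected checksums passed below are PLACEHOLDERS; replace them with the
# real SHA-256 values before use.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verify URL EXPECTED_HEX: download into the current directory and
# delete the file again if the checksum does not match, so a tampered or
# corrupted download is never unpacked.
fetch_verify() {
    url=$1
    expected=$2
    name=${url##*/}
    wget -q "$url" -O "$name"
    if verify_sha256 "$name" "$expected"; then
        echo "verified $name"
    else
        echo "checksum mismatch for $name, refusing to build" >&2
        rm -f "$name"
        return 1
    fi
}

# build_tarball TARBALL: unpack, then configure/make/install from inside the
# unpacked directory (run as root, as the post does).
build_tarball() {
    tarball=$1
    dir=${tarball%.tar.*}
    tar xf "$tarball"
    ( cd "$dir" && ./configure && make && make install )
}

# The real build only runs when invoked as "sh build.sh run", so the file can
# also be sourced just to use the helpers.
if [ "${1:-}" = run ]; then
    zypper in gcc
    zypper in -t pattern devel_C_C++
    fetch_verify http://download.dnscrypt.org/libsodium/releases/libsodium-0.4.5.tar.gz \
        REPLACE_WITH_REAL_LIBSODIUM_SHA256
    build_tarball libsodium-0.4.5.tar.gz
    # Refresh the shared-library cache so the freshly installed libsodium in
    # /usr/local/lib is found by dnscrypt-proxy's ./configure.
    ldconfig
    fetch_verify http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.3.tar.bz2 \
        REPLACE_WITH_REAL_DNSCRYPT_PROXY_SHA256
    build_tarball dnscrypt-proxy-1.3.3.tar.bz2
fi
```

Pinning the checksum does not by itself tell you the upstream file is genuine (you still need to obtain the value from a trusted source, such as a signed release announcement), but it does stop a silently modified download from being compiled and installed as root.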
That’s it, you can already run it in console using:
dnscrypt-proxy
However, by default, it will use OpenDNS servers. And OpenDNS is actually all but open, so you may want to switch to a more neutral provider. A list of providers can be found on http://dnscrypt.org/. To use a specific provider you’ll simply have to add some more parameters to the call, like:
dnscrypt-proxy --resolver-address=178.216.201.222:2053 --provider-name=2.dnscrypt-cert.soltysiak.com --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21
Last but not least, you must now configure your connection to use 127.0.0.1 as DNS resolver. In OpenSUSE, this is done via network connection management: for each connection, click “Edit”, then in the IPv4 Address tab, set the method to “Automatic (DHCP) addresses only”, and then set DNS servers to 127.0.0.1. You may want to set DNS servers to ::1 in the IPv6 Address tab, but I didn’t try that since my ISP doesn’t support IPv6 yet.
And now that’s really it: you should be using DNScrypt. To make sure you are, you can stop dnscrypt-proxy and see that when it’s stopped you can’t access websites (NB: try this on websites that you didn’t visit very recently, otherwise their DNS records may be cached by your browser or by the system).
Of course, this isn’t a very convenient setup so far, and you may want to look up how to configure this as a daemon automatically launched at boot time. I give here brief instructions, if you need more details see http://perseosblog.com/security-encrypt-traffic-dnscrypt/.
nano /etc/init.d/after.local
at the end, add:
exec /usr/local/sbin/dnscrypt-proxy --daemonize --pidfile=/run/dnscrypt-proxy.pid --resolver-address=178.216.201.222:2053 --provider-name=2.dnscrypt-cert.soltysiak.com --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21
I’m not sure how necessary the PID file is, but I preferred not to mess with it. Now your setup is complete: your DNS requests are encrypted, sent via DNSCrypt to a DNS server different from OpenDNS (or not), and that setup is automatically loaded at start-up. Enjoy 🙂
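Two things are easy to get wrong in the last steps: a mistyped provider key in the after.local line (the proxy would then reject the real server's certificate and you would only notice when name resolution stops working at the next boot), and a leftover non-loopback nameserver in the resolver configuration (queries to it bypass the proxy entirely). As an added example, not part of the original post or of DNSCrypt itself, the following helpers assemble the after.local command line while checking the key's shape, and check that /etc/resolv.conf (or any file in that format) lists only loopback resolvers. The resolver address, provider name and key are the post's values; the function names and the listening check are this example's own.

```shell
#!/bin/sh
# Added example (not the project's own code): sanity checks for the daemon
# command line and for the system resolver configuration.

# build_dnscrypt_cmd RESOLVER PROVIDER KEY [PIDFILE]
# Prints the exec line for after.local. Fails if KEY is not 16
# colon-separated groups of 4 hex digits (a 256-bit fingerprint), which is
# the form every provider key in the post has.
build_dnscrypt_cmd() {
    resolver=$1
    provider=$2
    key=$3
    pidfile=${4:-/run/dnscrypt-proxy.pid}
    if ! printf '%s\n' "$key" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'; then
        echo "provider key does not look like a 256-bit fingerprint: $key" >&2
        return 1
    fi
    printf '/usr/local/sbin/dnscrypt-proxy --daemonize --pidfile=%s --resolver-address=%s --provider-name=%s --provider-key=%s\n' \
        "$pidfile" "$resolver" "$provider" "$key"
}

# resolv_uses_local FILE: succeeds if FILE (resolv.conf format) has at least
# one nameserver line and every one of them is 127.0.0.1 or ::1; fails and
# names the offending address otherwise.
resolv_uses_local() {
    file=$1
    found=0
    while read -r keyword value rest; do
        [ "$keyword" = nameserver ] || continue
        found=1
        case $value in
            127.0.0.1|::1) ;;
            *) echo "non-local resolver in $file: $value" >&2; return 1 ;;
        esac
    done < "$file"
    [ "$found" -eq 1 ]
}

# dnscrypt_listening: succeeds if something is bound to UDP port 53 on the
# loopback address (dnscrypt-proxy's default listen address). Needs ss from
# iproute2; not exercised by the self-test below.
dnscrypt_listening() {
    ss -lun 2>/dev/null | grep -q '127\.0\.0\.1:53 '
}

# Example usage with the post's provider values:
#   build_dnscrypt_cmd 178.216.201.222:2053 2.dnscrypt-cert.soltysiak.com \
#     25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21
#   resolv_uses_local /etc/resolv.conf && dnscrypt_listening && echo "DNS goes through dnscrypt-proxy"
```

The resolv.conf check complements the "stop the proxy and see that browsing breaks" test in the post: that test can pass by accident if a cached record answers the query, whereas reading the resolver list shows directly whether any fallback server remains.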