I use dnscrypt-proxy to proxy all my DNS queries through an encrypted tunnel to a DNS server. There is no reason my ISP should be able to see my DNS queries. I have been doing this for quite a while and created a dnscrypt-proxy v1 installer (now a dnscrypt-proxy v2 installer). Actually, I have a number of installers. Now it is time to update dnscrypt-proxy.
Dnscrypt-proxy now works in two ways: using DNSCrypt, the encrypted DNS protocol, or using DNS over HTTPS (DoH). There is a new DNS service, 184.108.40.206, that speaks DNS over HTTPS. 220.127.116.11 is tooling from APNIC and Cloudflare. To make use of this service, I needed a newer version of dnscrypt-proxy than the one I had been using.
Version 1.x has been having issues getting updated. While it works, it is getting progressively harder to find DNS servers that do not log or collect your data. One solution is to switch to DoH and then use 18.104.22.168 or Cloudflare’s DNS server. To do this, I first need to switch out my version 1.x for 2.x. This task was simpler than expected. Much simpler.
These are the steps I followed:
- Download the new DNSCrypt-Proxy v2 code (now written in Go)
- Unpack the code and place into /opt/dnscrypt-proxy
- cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
- Modify the listen_address to be ['0.0.0.0:53'], which means listen on all addresses
- Modify the server_names to be ['cloudflare','cloudflare-ipv6'], which represents 22.214.171.124
- Modify the fallback_resolver to be '126.96.36.199:53', which is the 188.8.131.52 alternative; in the latest dnscrypt-proxy the port must be included, as it is very important
- Disable DNSCrypt-Proxy v1
- Disable dnsmasq
- Modify /etc/resolv.conf to point to 127.0.0.1
- Start DNSCrypt-Proxy v2
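As an added check before starting the v2 service (example shell, not the author's installer or the dnscrypt-proxy project's code), the function below reads a dnscrypt-proxy.toml and verifies the three edits above, including that the fallback resolver carries an explicit port. It assumes the key names used in the post (listen_address, also matched as listen_addresses, server_names, fallback_resolver) and single-line values.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the dnscrypt-proxy.toml
# edits described above. Key names are taken from the post; listen_address and
# listen_addresses are both accepted.

# Print the value of a top-level TOML key ($1 is a basic regex for the key,
# $2 the file), with the "key = " prefix and any trailing comment removed.
# Prints nothing when the key is absent.
toml_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# Return 0 only when all three settings are present and well-formed.
check_dnscrypt_toml() {
    f="$1"
    listen=$(toml_value 'listen_addresses\{0,1\}' "$f")
    servers=$(toml_value 'server_names' "$f")
    fallback=$(toml_value 'fallback_resolver' "$f")

    # Listen on all addresses, port 53, as the post configures.
    case "$listen" in
        *"'0.0.0.0:53'"*|*'"0.0.0.0:53"'*) ;;
        *) echo "listen_address(es) lacks 0.0.0.0:53: $listen" >&2; return 1 ;;
    esac
    # The Cloudflare entries must be selected.
    case "$servers" in
        *cloudflare*) ;;
        *) echo "server_names does not select cloudflare: $servers" >&2; return 1 ;;
    esac
    # The post stresses that the fallback resolver needs an explicit port.
    case "$fallback" in
        *:[0-9]*) ;;
        *) echo "fallback_resolver has no port: $fallback" >&2; return 1 ;;
    esac
    return 0
}
```

Run `check_dnscrypt_toml /opt/dnscrypt-proxy/dnscrypt-proxy.toml` after editing; a non-zero exit names the setting that is missing or malformed.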
All these steps are now in my dnscrypt-proxy v2 installer on GitHub, which will automatically pick up the latest version of DNSCrypt. How do you use this installer to install your own DoH implementation of DNS?
```
# download aac-base.install then run
$ ./aac-base.install -u
$ tz=`timedatectl | grep 'Time zone' | cut -d: -f2 | cut -d' ' -f2`
$ sudo ./aac-base.install -i dnscrypt --home $HOME --user $USER $tz
```
Run the short script above as a normal user with sudo capabilities. Why sudo capabilities? The installer needs to install things and currently runs as the superuser. The tz variable is set so the script does not override your time zone setting. The base installers all perform pre- and post-install steps in the following order:
- Determine the OS in use (Debian, CentOS, Fedora, Ubuntu, or RHEL)
- Install wget
- Set the time zone
- Install the EPEL packages as appropriate
- Install SELinux packages
- Install THE package dependencies
- DNSCrypt only: undo v1 proxy setup
- Install THE package
- Remove any build dependencies for THE package
- Set up any services for THE package
- Set up any SELinux bits for THE package
- Reset SELinux bits to default
As you can see, the installers are based on a framework that maintains security while allowing specific software to be installed and updated as necessary. In this framework an installer must also be an updater, so it can be rerun as new versions come out; visit the GitHub repo for more information.
Now I am able to resolve addresses using DoH, and away we go. DNSCrypt-proxy v2 is resolving my DNS requests via 184.108.40.206 using DNS over HTTPS. If you are unsure, review the logs and see which protocols are in use. There are a number of DoH and DNSCrypt providers for DNS; they are listed in the public-resolvers.md file. Several family-guard resolvers from Cisco and OpenDNS are among them, yet those resolvers also record and log your queries.
220.127.116.11 promises not to log your queries. The value of DNS to internet service providers lies in where you are going and what you are resolving, so logging that data leaves behind a gold mine of information. It can be used to target marketing and other advertisements, and it can also be used to track your behavior and use of the Internet.
Hence the need for encrypted DNS to resolve domains, and for HTTPS Anywhere style tools in your browser.
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.