Gentoo Forums
How to safely use DNScrypt?
Networking & Security
cliffdover88
n00b
Joined: 15 Feb 2013
Posts: 9

Posted: Sat Mar 23, 2013 11:42 pm    Post subject: How to safely use DNScrypt?

Hello all,

I want to use DNScrypt to improve my Gentoo security and I want to know the safest way to use it:

I have added the gentoo-zh overlay and emerged the dnscrypt package, but I'm not sure whether to start it using root privileges (as almost every guide does) or to create a new user with no privileges and no groups, as recommended here:

https://github.com/opendns/dnscrypt-proxy

Do you use dnscrypt? how?

Thanks in advance
gerdesj
Guru
Joined: 29 Sep 2005
Posts: 558
Location: Yeovil, Somerset, UK

Posted: Sun Mar 24, 2013 1:44 am    Post subject: Re: How to safely use DNScrypt?

If the OpenDNS method works then by default that will almost certainly be more secure.

Cheers
Jon

khayyam
Advocate
Joined: 07 Jun 2012
Posts: 2247

Posted: Fri Apr 05, 2013 6:00 am    Post subject: Re: How to safely use DNScrypt?

cliffdover88 ...

dnscrypt-proxy is a proxy between a client and a dnscrypt-enabled DNS server (by default OpenDNS), so all it does is sit on 127.0.0.x and proxy requests. You could chroot it, but as it's only responding to requests on the loopback there is little need to.

I'm currently running 1.3.0 (built with libsodium) and using net-dns/unbound as a cache. Unbound receives the DNS request, forwards it to dnscrypt, and returns the result to the client. My setup looks like the following:

/etc/conf.d/dnscrypt
Code:
DNSCRYPT_LOCALIP=127.0.0.2:53

... and the section for forwarding in unbound.conf
Code:
server:
  # must be set, otherwise unbound refuses to query dnscrypt-proxy on loopback
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.2@53

/etc/conf.d/net
Code:
dns_servers_wlan0="127.0.0.1"
dns_options_wlan0='edns0'

Unbound is running on 127.0.0.1:53 and dnscrypt-proxy is running on 127.0.0.2:53. Note that because dnscrypt-proxy doesn't cache, you will need some caching DNS server, otherwise each request will be forwarded, and this will be slower:

Code:
# dig gentoo.org |grep "time"
;; Query time: 47 msec
# dig gentoo.org |grep "time"
;; Query time: 0 msec

... the second lookup is instantaneous as it's cached.

I haven't had much time to tweak either dnscrypt-proxy or unbound, but even with forwarding there is no noticeable delay ... in fact it seems to have improved over pdnsd, which I was using previously.

Also, like pdnsd you can use unbound to change A records, and so block adservers via this method ... if you so wish.

best ... khay
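The setup khayyam describes (unbound caching on 127.0.0.1:53, forwarding everything to dnscrypt-proxy on 127.0.0.2:53, and unbound local-data used to sink ad-server names) as a script that renders the unbound side of it. This is an added example, not code from the thread, from unbound or from dnscrypt-proxy: the two loopback addresses come from the post above, while the access-control lines, the hostnames in the sample blocklist and the unbound-checkconf step are assumptions made here for the example.

```shell
#!/bin/sh
# Added example, not from the forum thread: render the unbound side of the
# setup above (cache on 127.0.0.1:53, everything forwarded to dnscrypt-proxy
# on 127.0.0.2:53) and sink known ad-server names from a hosts-style list.
# The access-control lines and the sample hostnames are assumptions for the
# example; only the two loopback addresses come from the post.
set -eu

UNBOUND_ADDR="${UNBOUND_ADDR:-127.0.0.1}"
DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.0.2}"
DNSCRYPT_PORT="${DNSCRYPT_PORT:-53}"

# Turn a hosts-style blocklist on stdin ("0.0.0.0 ads.example.com", '#'
# comments, bare hostnames also accepted) into unbound local-zone/local-data
# stanzas.  "redirect" makes unbound answer the name and everything below it
# from local-data, so the query is never forwarded to dnscrypt-proxy and the
# client gets a non-routable address instead of NXDOMAIN retries.
hosts_to_unbound_zones() {
    sink="${1:-0.0.0.0}"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' |
    awk -v sink="$sink" '
        { name = (NF >= 2) ? $2 : $1 }
        name == "" || name == "localhost" { next }
        { name = tolower(name); sub(/\.$/, "", name) }
        !seen[name]++ {
            printf "local-zone: \"%s.\" redirect\n", name
            printf "local-data: \"%s. A %s\"\n", name, sink
        }'
}

# Emit a complete unbound.conf on stdout: listen only on the loopback address
# clients use, refuse anything off-box, answer the sinkholed names locally,
# and forward the rest of "." to dnscrypt-proxy.
render_unbound_conf() {
    blocklist="$1"
    cat <<EOF
server:
  interface: ${UNBOUND_ADDR}
  port: 53
  access-control: 127.0.0.0/8 allow
  access-control: 0.0.0.0/0 refuse
  # dnscrypt-proxy is on loopback, so unbound must be allowed to query it
  do-not-query-localhost: no
  # ad-server names, answered here and never forwarded
EOF
    hosts_to_unbound_zones < "$blocklist" | sed 's/^/  /'
    cat <<EOF
forward-zone:
  name: "."
  forward-addr: ${DNSCRYPT_ADDR}@${DNSCRYPT_PORT}
EOF
}

# Run unbound's own parser over the result when it is installed; otherwise
# report that the check was skipped and succeed so the script runs anywhere.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed, syntax check skipped" >&2
    fi
}

# Constructed sample blocklist in the usual adserver hosts-file format.
SAMPLE_BLOCKLIST="$(mktemp)"
RENDERED_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_BLOCKLIST" "$RENDERED_CONF"' EXIT
cat > "$SAMPLE_BLOCKLIST" <<'EOF'
# constructed entries for this example
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
ADS.EXAMPLE.COM
EOF

render_unbound_conf "$SAMPLE_BLOCKLIST" > "$RENDERED_CONF"
cat "$RENDERED_CONF"
check_unbound_conf "$RENDERED_CONF" || echo "unbound-checkconf rejected the config" >&2
```

Drop the rendered file in as /etc/unbound/unbound.conf and keep /etc/conf.d/dnscrypt on 127.0.0.2:53 as in the post; the access-control lines are what keeps the box from becoming an open resolver if unbound is ever bound to a non-loopback interface. On the original question of root versus an unprivileged account, dnscrypt-proxy 1.x takes a -u/--user option to drop privileges after it binds the port, and `ps -o user= -C dnscrypt-proxy` should then show that account rather than root.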