cliffdover88 (n00b)
Joined: 15 Feb 2013, Posts: 9
Posted: Sat Mar 23, 2013 11:42 pm
Post subject: How to safely use DNSCrypt?
Hello all,
I want to use DNSCrypt to improve my Gentoo security and I want to know the safest way to use it:
I have added the gentoo-zh overlay and emerged the dnscrypt package, but I'm not sure whether to start it with root privileges (as almost every guide does) or to create a new user with no privileges and no groups, as recommended here:
https://github.com/opendns/dnscrypt-proxy
Do you use dnscrypt? How?
Thanks in advance
gerdesj (l33t)
Joined: 29 Sep 2005, Posts: 621, Location: Yeovil, Somerset, UK
Posted: Sun Mar 24, 2013 1:44 am
Post subject: Re: How to safely use DNSCrypt?
If the OpenDNS method works then by default that will almost certainly be more secure.
Cheers
Jon

cliffdover88 wrote:
    Hello all,
    I want to use DNSCrypt to improve my Gentoo security and I want to know the safest way to use it:
    I have added the gentoo-zh overlay and emerged the dnscrypt package, but I'm not sure whether to start it with root privileges (as almost every guide does) or to create a new user with no privileges and no groups, as recommended here:
    https://github.com/opendns/dnscrypt-proxy
    Do you use dnscrypt? How?
    Thanks in advance
khayyam (Watchman)
Joined: 07 Jun 2012, Posts: 6227, Location: Room 101
Posted: Fri Apr 05, 2013 6:00 am
cliffdover88 ...
dnscrypt-proxy is a proxy between a client and a DNSCrypt-enabled DNS server (by default OpenDNS), so all it does is sit on 127.0.0.x and proxy requests. You could chroot it, but as it's only responding to requests on the loopback there is little need to.
I'm currently running 1.3.0 (built with libsodium) and using net-dns/unbound as a cache. Unbound receives the DNS request, forwards it to dnscrypt, and returns the result to the client. My setup looks like the following:
/etc/conf.d/dnscrypt
Code:
    DNSCRYPT_LOCALIP=127.0.0.2:53

... and the section for forwarding in unbound.conf
Code:
    do-not-query-localhost: no
    forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53

/etc/conf.d/net
Code:
    dns_servers_wlan0="127.0.0.1"
    dns_options_wlan0='edns0'
Unbound is running on 127.0.0.1:53 and dnscrypt-proxy is running on 127.0.0.2:53. Note that because dnscrypt-proxy doesn't cache you will need some caching DNS server, otherwise each request will be forwarded, and this will be slower:
Code:
    # dig gentoo.org |grep "time"
    ;; Query time: 47 msec
    # dig gentoo.org |grep "time"
    ;; Query time: 0 msec

... the second lookup is instantaneous as it's cached.
I haven't had much time to tweak either dnscrypt-proxy or unbound, but even with forwarding there is no noticeable delay ... in fact it seems to have improved over pdnsd, which I was using previously.
Also, like pdnsd, you can use unbound to change A records, and so block ad servers via this method ... if you so wish.
best ... khay
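As an added example (not code from the thread or from either project), a small Python checker that reads the two fragments above and confirms the chain is wired the way khayyam describes: dnscrypt-proxy bound to a loopback address, unbound forwarding to exactly that address with do-not-query-localhost set to no, and no forward-addr that would send queries to a resolver in the clear. The embedded config text is a constructed copy of the fragments in the post; `check_chain` and the other function names are this example's own.

```python
import ipaddress
import re

# Constructed copies of the two fragments from the post (not read from live files).
DNSCRYPT_CONF = 'DNSCRYPT_LOCALIP=127.0.0.2:53\n'
UNBOUND_CONF = """server:
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53
"""


def parse_dnscrypt_localip(text):
    """Return (ip, port) from the DNSCRYPT_LOCALIP line of /etc/conf.d/dnscrypt."""
    m = re.search(r'^DNSCRYPT_LOCALIP=["\']?([\d.]+):(\d+)', text, re.M)
    if not m:
        raise ValueError("DNSCRYPT_LOCALIP not set")
    return m.group(1), int(m.group(2))


def parse_unbound_forwards(text):
    """Return ([(ip, port), ...] from forward-addr lines, do-not-query-localhost value)."""
    fwds = []
    for m in re.finditer(r'^\s*forward-addr:\s*([\d.]+)(?:@(\d+))?', text, re.M):
        fwds.append((m.group(1), int(m.group(2) or 53)))  # unbound defaults to port 53
    dnql = re.search(r'^\s*do-not-query-localhost:\s*(\S+)', text, re.M)
    return fwds, (dnql.group(1).lower() if dnql else "yes")  # unbound's default is yes


def check_chain(dnscrypt_text, unbound_text):
    """Return a list of problems; an empty list means the resolver chain is consistent."""
    problems = []
    ip, port = parse_dnscrypt_localip(dnscrypt_text)
    if not ipaddress.ip_address(ip).is_loopback:
        problems.append(f"dnscrypt-proxy listens on non-loopback {ip}")
    fwds, dnql = parse_unbound_forwards(unbound_text)
    if (ip, port) not in fwds:
        problems.append(f"unbound does not forward to {ip}@{port}")
    # Forwarding to 127.0.0.x silently fails unless unbound is allowed to query localhost.
    if any(ipaddress.ip_address(f[0]).is_loopback for f in fwds) and dnql != "no":
        problems.append("forwarding to loopback but do-not-query-localhost is not 'no'")
    for f_ip, _ in fwds:
        if not ipaddress.ip_address(f_ip).is_loopback:
            problems.append(f"unbound forwards to {f_ip} in the clear, bypassing dnscrypt-proxy")
    return problems
```

Running `check_chain` on the real /etc/conf.d/dnscrypt and unbound.conf contents catches the two easy mistakes in this layout: forgetting do-not-query-localhost, and leaving a plain upstream forward-addr next to the dnscrypt one.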
kernelOfTruth (Watchman)
Joined: 20 Dec 2005, Posts: 6111, Location: Vienna, Austria; Germany; hello world :)