| View previous topic :: View next topic |
| Author |
Message |
cliffdover88
n00b
Joined: 15 Feb 2013
Posts: 9
|
 Posted: Sat Mar 23, 2013 11:42 pm Post subject: How to safety use DNScrypt? |
 |
|
Hello all,
I want to use DNScrypt to improve my Gentoo security and i want to know the safest way to use it:
I have added the gentoo-zh overlay and emerged the dnscrypt pkg, but I'm not sure if start it using root privileges (as almost every guide) or create a new user with no privileges and no groups as recommended here:
https://github.com/opendns/dnscrypt-proxy
Do you use dnscrypt? how?
Thanks in advance |
|
| Back to top |
|
 |
gerdesj
l33t
Joined: 29 Sep 2005
Posts: 621
Location: Yeovil, Somerset, UK
|
| Posted: Sun Mar 24, 2013 1:44 am Post subject: Re: How to safety use DNScrypt? |
|
|
If the OpenDNS method works then by default that will almost certainly be more secure.
Cheers
Jon
| cliffdover88 wrote: | Hello all,
I want to use DNScrypt to improve my Gentoo security and i want to know the safest way to use it:
I have added the gentoo-zh overlay and emerged the dnscrypt pkg, but I'm not sure if start it using root privileges (as almost every guide) or create a new user with no privileges and no groups as recommended here:
https://github.com/opendns/dnscrypt-proxy
Do you use dnscrypt? how?
Thanks in advance |
|
|
| Back to top |
|
|
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
|
| Posted: Fri Apr 05, 2013 6:00 am Post subject: |
|
|
cliffdover88 ...
dnscrypt-proxy is a proxy between a client and a dnscrypt enabled DNS server (by default opendns) so all it does is sit on 127.0.0.x and proxies requests. You could chroot it, but as its only responding to requests on the loopback there is little need to.
I'm currently running 1.3.0 (built with libsodium) and using net-dns/unbound as a cache. Unbound recieves the DNS request, forwards it to dncrypt, and returns the result to the client. My setup looks like the following:
/etc/conf.d/dnscrypt
| Code: | | DNSCRYPT_LOCALIP=127.0.0.2:53 |
... and the section for fowarding in unbound.conf
| Code: | do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.2@53 |
/etc/conf.d/net
| Code: | dns_servers_wlan0="127.0.0.1"
dns_options_wlan0='edns0' |
Ubound is running on 127.0.0.1:53 and dnscrypt-proxy is running on 127.0.0.2:53. Note that because dnscrypt-proxy doesn't cache you will need some caching dns server otherwise each request will be forwarded, and this will be slower,
| Code: | # dig gentoo.org |grep "time"
;; Query time: 47 msec
# dig gentoo.org |grep "time"
;; Query time: 0 msec |
... the second lookup is instantanious as its cached.
I haven't had much time to tweek either dnscrypt-proxy or unbound, but even with forwarding there is no noticable delay ... infact it seems to have improved from pdnsd which I was using previously.
Also, like pdnsd you can use unbound to change A records, and so block adservers via this method ... if you so wish.
best ... khay |
|
| Back to top |
|
|
kernelOfTruth
Watchman
Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)
|
|
| Back to top |
|
|
|
Networking & Security
