DNS is one of the old timers that keep the internet working. Back when it has been designed privacy wasn’t that much of an issue. Nowadays DNS can leak critical information about the activity of a user. Even tools that should protect the privacy of the user (e.g. VPNs, TOR, … ) can leak DNS queries if not configured correctly. Currently the IEFT works on draft for DNS over Datagram TLS, but if you want to take back your privacy right now, DNSCrypt is at your service.
DNSCrypt is a protocol which protects DNS traffic of the client to the resolver. The the resolver uses normal DNS or alternatives ways to resolve the request for the client. It doesn’t provide end-to-end protection, but can prevent passive and active attacks on the client (e.g. eavesdropping, spoofing, tampering …).
But the implementation of DNSCrypt has many features. Some are built in and some are based on plugins like the logging and blacklist plugin. The functionality can of DNSCrypt can easily extended by writing your own plugin.
As base installation we use a vanilla Debian 9 and our goal is to install DNSCrypt. Also we want to use some of the cool features. To get started we need to install the software first with the command:
sudo apt install dnscrypt-proxy
The most important settings are the IP and port to listen on and which resolver to use. There are some resolver preinstalled with the package, but you can also run your own if you want. The following configuration uses the blacklist ipv6 plugins and the query logging plugin.
sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Now we need to change our system to use the resolver. Therefore we set the nameserver to 127.0.2.1 and start and enable DNSCrypt per systemd. Be aware to use the socket and not the service.
echo ‘nameserver 127.0.2.1’ | sudo tee /etc/resolv.conf
sudo systemctl enable dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy.socket
Verification of the installation
Here we test if DNS still works with this domain.
The test has been successful, but are we really using DNSCrypt. This can be verified by looking at whats realy going over the wire with Wireshark.
And we see only QUIC traffic and DNSCrypt is working.
This tutorial showed how to install and configure DNSCrypt. Stay tune for more privacy related posts :).