Title: Port of the week: dnscrypt-proxy
Author: Solène
Date: 19 October 2016
Tags: unix security portoftheweek
Description:
### 2020 Update
Now that unwind on OpenBSD and unbound support DNS over TLS or DNS
over HTTPS, dnscrypt has lost a bit of relevance, but it is still usable
and a good alternative.
### Dnscrypt
Today I will talk about net/dnscrypt-proxy. This lets you encrypt your
DNS traffic between your resolver and the remote DNS recursive
server. More and more countries and internet providers use DNS to block
some websites, and now they tend to do "man in the middle" on DNS
answers, so you can't just use a remote DNS server you find on the
internet. While a remote dnscrypt DNS server can still be affected by
such a "man in the middle" hijack, there is very little chance that DNS
traffic is altered in datacenters / dedicated server hosting.
The article also deals with unbound as a DNS cache, because dnscrypt is
a bit slow and asking for the same domain multiple times in a few minutes
is a waste of CPU/network/time for everyone. So I recommend setting up
a DNS cache on your side (which also lets you use it on a LAN).
At the time I write this article, there is a very good explanation
of how to install it, named dnscrypt-proxy-1.9.5p3, in the
folder /usr/local/share/doc/pkg-readmes/. The following article is
made from this file. (Article updated at the time of OpenBSD 6.3.)
While I write for OpenBSD, this can be easily adapted to anything else
Unix-like.
### Install dnscrypt ###
# pkg_add dnscrypt-proxy
### Resolv.conf ###
Modify your resolv.conf file to this
**/etc/resolv.conf** :
nameserver 127.0.0.1
lookup file bind
options edns0
### When using dhcp client ###
If you use dhcp to get an address, you can use the following line in the
dhclient config file to force 127.0.0.1 as the nameserver. Beware: if you
use it, when upgrading the system from bsd.rd you will get 127.0.0.1 as
your DNS server but no service running behind it.
**/etc/dhclient.conf** :
supersede domain-name-servers 127.0.0.1;
### Unbound ###
Now, we need to modify the unbound config to tell it to ask DNS at
127.0.0.1 port 40. Please adapt your config, I will just add what is
mandatory. The unbound configuration file isn't in /etc because unbound
is chrooted.
**/var/unbound/etc/unbound.conf**:
server:
# this line is MANDATORY
do-not-query-localhost: no
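Once the three files above are edited, it is easy to leave a plaintext upstream resolver behind in resolv.conf, or to forget the mandatory unbound line and have unbound silently refuse to forward to 127.0.0.1. The script below is an added example, not part of the original article or of the dnscrypt-proxy/unbound projects: a small POSIX shell audit of the files this article edits. The function names and the three-argument usage are my own; the default paths are the OpenBSD locations the article uses.

```shell
#!/bin/sh
# Added example, not from the original article: audit the files the article
# edits. Every function takes a file path so the checks can run on copies.

# Print each "nameserver" entry that is not loopback. Empty output means
# every stub-resolver query goes to the local unbound and nothing leaves
# the host in clear text on port 53.
non_loopback_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1"
}

# Succeed when dhclient.conf carries the supersede line from the article,
# so a DHCP lease cannot quietly replace 127.0.0.1 with the ISP resolver.
dhclient_pins_loopback() {
    grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+127\.0\.0\.1[[:space:]]*;' "$1"
}

# Succeed when unbound.conf carries the mandatory "do-not-query-localhost: no";
# without it unbound refuses to forward to dnscrypt-proxy on 127.0.0.1.
unbound_allows_localhost() {
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no([[:space:]]|$)' "$1"
}

# Run all checks. Arguments: resolv.conf, dhclient.conf, unbound.conf
# (defaults are the OpenBSD paths used in the article). Prints one line per
# finding and returns 0 only when everything is in order.
audit_dns_setup() {
    resolv=${1:-/etc/resolv.conf}
    dhclient=${2:-/etc/dhclient.conf}
    unbound=${3:-/var/unbound/etc/unbound.conf}
    rc=0
    if [ ! -r "$resolv" ]; then
        echo "$resolv: not readable"
        rc=1
    else
        leaks=$(non_loopback_nameservers "$resolv")
        if [ -n "$leaks" ]; then
            echo "$resolv: non-loopback nameserver(s): $(printf '%s' "$leaks" | tr '\n' ' ')"
            rc=1
        fi
    fi
    # dhclient.conf only matters on DHCP clients, so a missing file is fine.
    if [ -f "$dhclient" ] && ! dhclient_pins_loopback "$dhclient"; then
        echo "$dhclient: missing 'supersede domain-name-servers 127.0.0.1;'"
        rc=1
    fi
    if ! unbound_allows_localhost "$unbound" 2>/dev/null; then
        echo "$unbound: missing 'do-not-query-localhost: no'"
        rc=1
    fi
    return $rc
}

# Run directly with explicit paths, e.g.
#   sh dns-audit.sh /etc/resolv.conf /etc/dhclient.conf /var/unbound/etc/unbound.conf
[ "$#" -eq 3 ] && audit_dns_setup "$@"
```

Run it as root after each of the steps above, and again after a system upgrade: the dhclient check is what catches the bsd.rd situation described earlier, where 127.0.0.1 is pinned but no resolver is listening yet.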