the itjerk

my adventures with technology

Tag Archives: dns

dnscrypt-proxy

Time to setup dnscrypt-proxy on my new Ubuntu 22.04 LTS box. I found the best way to do this was to also install resolvconf and use that to ensure that /etc/resolv.conf always get the dnscrypt port of 127.0.2.1. Previously I’ve used a bunch of different methods, but for this distro, I’m happy with my results.

sudo apt udpate
sudo apt install dnscrypt-proxy resolvconf
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Here you can change the settings for dnscrypt, by altering the server_names line (e.g. [‘cisco’], [‘cloudflare’]). Also ensure that the listen_addresses is empty. Restart the service if you make changes.

sudo systemctl restart dnscrypt-proxy

Next, open your Network Manager and go to the IPv4 settings. Turn off Automatic DHCP and set the address to 127.0.2.1. Restart the NetworkManager service.

sudo systemctl restart NetworkManager

Finally, edit the following resolvconf file to use the dnscrypt’s address in /etc/resolv.conf by adding the following line: nameserver 127.0.2.1

sudo nano /etc/resolvconf/resolv.conf.d/head

Now restart your computer.

You can test a number of ways. If you used [‘cisco’] you can do the following. Note in the ANSWER section “dnscrypt enabled”.

dig txt debug.opendns.com
; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28688
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.		IN	TXT

;; ANSWER SECTION:
debug.opendns.com.	59	IN	TXT	"server m45.chi"
debug.opendns.com.	59	IN	TXT	"flags 20040022 0 50 180000000000000000003950000000000000000"
debug.opendns.com.	59	IN	TXT	"originid 585506578"
debug.opendns.com.	59	IN	TXT	"actype 2"
debug.opendns.com.	59	IN	TXT	"bundle 13458843"
debug.opendns.com.	59	IN	TXT	"source 76.229.202.213:57968"
debug.opendns.com.	59	IN	TXT	"dnscrypt enabled (7158645166363443)"

;; Query time: 4 msec
;; SERVER: 127.0.2.1#53(127.0.2.1) (UDP)
;; WHEN: Fri May 06 10:48:39 CDT 2022
;; MSG SIZE  rcvd: 313

Another way of checking is to visit https://www.dnsleaktest.com/ which will tell you your DNS resolver.

The only thing I don’t get is this: Why does this use the old address? For another day.

dnscrypt-proxy -resolve google.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
Resolving [google.com] using 127.0.0.1 port 53

Unable to resolve: [read udp 127.0.0.1:35375->127.0.0.1:53: read: connection refused]

dnscrypt2

Spurred on by some recent articles, I decided to switch to dnscrypt2. It’s an improved version, supports a whole slew of things and more resovers.

This was a bit of work, because, stupidly, I disabled dns! Anyway, long story short, I followed the instructions here, and everything worked out okay. I did to issue the following on resolv.conf to get it to ‘stick’:
chattr +i /etc/resolv.conf

desktop:~$ nslookup -type=txt debug.opendns.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
debug.opendns.com text = "server m33.chi"
debug.opendns.com text = "flags 20 0 70 7950800000000000000"
debug.opendns.com text = "originid 0"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "source 23.122.56.207:33649"
debug.opendns.com text = "dnscrypt enabled (714E7A696D657555)"

One the web:
DNScrypt

dnscrypt

Domain Name Service (DNS) is the mechanism by where numeric IP addresses become readable domain names; it’s far easier for me to tell you to visit strawberrybricks.com than a bunch of numbers. When you browse the internet, then, the addresses you type or click on go through a DNS search. Typically, your ISP provides this service, or whomever you get your network connection from – however there is an implicit level of trust involved. Who’s to say that yahoo.com for example, is really yahoo.com? What is the DNS server spoofed the reply? Further, any DNS server can collect a wealth of information by recording your DNS requests. Finally, the speed of your browsing is dependent on how quickly these requests are filled.

Both Google (8.8.8.8) and OpenDNS (208.67.222.222) provide free DNS services that are fast and secure, and supposedly do not track your requests. A third service, Quad9 (9.9.9.9) was very recently launched. Your ISP has a lot of information about you. Switching your DNS to one of these providers is simple (just type them in your router, or network connection), and gives some degree of privacy. Every little bit helps?

DNSCrypt goes one further by encrypting all your DNS requests. It’s an easy enough program to install, available for PC, Mac and Linux, and for routers using DD-WRT. On my Ubuntu box, I needed to install libsodium-dev first, and then was most successful installing DNSCrypt-proxy from source by using the old “configure, make, make install” method with version 1.9.5. Then, you can run it with systemd automatically.

On the web:
DNSCrypt

dns, search engines and browsing

Secure browsing is much more than clearing your browser’s cache when done surfing. While Tor Browser isn’t for everyone, two quick and easy things I recommend are using DuckDuckGo as your default search engine and switching to either GoogleDNS or OpenDNS for your web browsing. And use a modern, up to date browser!

DuckDuckGo bills itself as “the search engine that doesn’t track you”, which is reason enough to switch. The search engine results are very good, but even better, the use of bangs (!) allows searches directly to thousands of sites, including encrypted to Google (g!). Plus, it’s easy to install as the default engine on your browser.

DNS servers help resolve domain names and their numeric ip addresses. Most ISP’s DNS is notorious for being spotty, and of course, not very private. Using either Google or OpenDNS’s can speed up your browsing, protect from DNS hijacking, and offer protection from phishing. There’s a lot more to using these services than I’ll write, but just entering them into your router is the place to start.

Remember, however, that browsing security also ends with one’s exit on the web. Subject for another time…

One the web:
DuckDuckGo
Google Public DNS
OpenDNS

dynamic dns

Most internet providers, heck, most internet connections are dynamic. Your device gets assigned an IP address when it asks for one. Sometimes it’s the same, but more often than not it might be different. DNS works by resolving a hostname like wordpress.com with an ip address, so everytime you type in wordpress.com you go to the same place.

For home computers, this can be problematic. Enter Dynamic DNS services. Every time your IP address changes, the Dynamic DNS service updates the “a record” with the new number so it can continue to resolve. Routers usually have sections to do this, which is good, because they’ll get notified first. It can also be done with other applications, or even with something like cron.

I’ve used DynDns for many years, but they’ve gone from a free service, to a paid service. Even though $5/mo might not seem like a lot, it’s a lot when you have free options. Enter DuckDNS. Although not that extensible, it’s a free service and provides exactly what I need, for free.

On the web:
http://www.duckdns.org/