Debian 8 - DNSCrypt

DNSCrypt is a protocol that authenticates and encrypts the traffic between a DNS client (here, dnscrypt-proxy on localhost) and a DNS resolver. It prevents DNS spoofing and tampering by anyone on the path: the resolver's short-term keys are certified by the provider's long-term signing key, and queries and responses are protected with authenticated encryption, so the client can verify that each response came from the chosen resolver and was not modified in transit. It says nothing about what that resolver does with your queries (logging, DNSSEC validation); those are properties of the provider you pick in step 8.

  1. Install libsodium (dnscrypt-proxy 1.x links against it).

    • apt-get install libsodium-dev
  2. Download the latest version of dnscrypt-proxy from the project (https://github.com/jedisct1/dnscrypt-proxy), and verify the release signature or checksum the project publishes before building it.

  3. Extract.

  4. ./configure

  5. make

  6. make install

  7. Edit /etc/resolv.conf so that its only name server is nameserver 127.0.0.1. All queries going to localhost will then be forwarded through DNSCrypt. Two caveats: until dnscrypt-proxy is started in step 10 the host has no working resolver, so if you need name resolution in between, do this step after step 10; and on Debian 8 the resolvconf package and dhclient rewrite /etc/resolv.conf on the next lease or interface event, so either remove resolvconf and add supersede domain-name-servers 127.0.0.1; to /etc/dhcp/dhclient.conf, or otherwise pin the file. Check afterwards that no other nameserver line has crept back in.

  8. Find a provider you’d like to use from this list: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv.

  9. Create a systemd service file. Change the --resolver-name option to the Name (first CSV column) of the provider you have chosen; cisco below is only the example. It's best to choose one near you so the response time stays good. dnscrypt-proxy 1.x can also drop privileges after binding port 53 with --user=<name>; running it under a dedicated unprivileged account is preferable to leaving it as root.

    • /etc/systemd/system/dnscrypt.service

      [Unit]
      Description=dnscrypt daemon
      After=network.target

      [Service]
      ExecStart=/usr/local/sbin/dnscrypt-proxy --resolver-name=cisco
      ExecReload=/bin/kill -s HUP $MAINPID
      ExecStop=/bin/kill -s TERM $MAINPID

      [Install]
      WantedBy=multi-user.target
  10. Enable and start it.

    • systemctl enable dnscrypt.service
    • systemctl start dnscrypt.service
Check that it is running (systemctl status dnscrypt.service):

● dnscrypt.service - dnscrypt daemon
Loaded: loaded (/etc/systemd/system/dnscrypt.service; disabled)
Active: active (running) since Fri 2016-12-09 02:51:55 UTC; 2s ago
Process: 23833 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 23836 (dnscrypt-proxy)
CGroup: /system.slice/dnscrypt.service
└─23836 /usr/local/sbin/dnscrypt-proxy --resolver-name=cs-ussouth
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] - [cs-ussouth] does not support DNS Security Extensions
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] + Provider supposedly doesn't keep logs
Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Generating a new session key pair
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Done
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server certificate with serial '0001' received
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] This certificate is valid
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Proxying from 127.0.0.1:53 to 70.32.38.67:443

and that the proxy is the only thing listening on port 53, bound to loopback (netstat -ulnp output):

udp 0 0 127.0.0.1:53 0.0.0.0:* 23836/dnscrypt-prox

Read the startup log, not just "active (running)". The line "[cs-ussouth] does not support DNS Security Extensions" means this resolver does not validate DNSSEC, and "Provider supposedly doesn't keep logs" is the provider's own claim, carried over from the No logs column of the CSV. The DNSSEC validation and No logs columns in dnscrypt-resolvers.csv are the ones to filter on when choosing a resolver; the proxy authenticates the channel to the resolver, it does not audit the resolver.
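The choices made in steps 7 to 9 (only 127.0.0.1 in resolv.conf, a resolver picked from dnscrypt-resolvers.csv, the --resolver-name in the unit file) can be checked mechanically. The following is an added example written for this page, not code from the original post or from the dnscrypt-proxy project: it parses a resolver list using the real column headers of dnscrypt-resolvers.csv (the data rows are constructed placeholders with RFC 5737 addresses and fake keys), keeps only resolvers that validate DNSSEC and claim not to log, rejects rows whose provider key is not a 256-bit fingerprint, emits the matching ExecStart= line, and checks that a resolv.conf contains nothing but nameserver 127.0.0.1. The --user option it can append is dnscrypt-proxy 1.x's own privilege-drop flag; the account name dnscrypt is an assumption.

```python
import csv
import io
import re

# Header row exactly as in dnscrypt-proxy 1.x's dnscrypt-resolvers.csv.
HEADER = ("Name,Full name,Description,Location,Coordinates,URL,Version,"
          "DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,"
          "Provider public key,Provider public key TXT record")


def sample_key(nibble):
    """Syntactically valid 256-bit key fingerprint built from one hex digit.
    Used only to construct sample rows; this is not a real provider key."""
    return ":".join([nibble * 4] * 16)


# CONSTRUCTED sample rows: placeholder names, RFC 5737 addresses, fake keys.
SAMPLE_CSV = "\n".join([
    HEADER,
    'ex-dnssec-nologs,Example One,"Validates DNSSEC, keeps no logs",Netherlands,'
    '"52.37,4.90",https://one.example,1,yes,yes,no,192.0.2.10:443,'
    '2.dnscrypt-cert.one.example,%s,' % sample_key("A"),
    'ex-logs,Example Two,"Validates DNSSEC, but logs queries",United States,'
    '"37.77,-122.41",https://two.example,1,yes,no,no,192.0.2.20:443,'
    '2.dnscrypt-cert.two.example,%s,' % sample_key("B"),
    'ex-nodnssec,Example Three,"No DNSSEC, no logs",United States,'
    '"40.71,-74.00",https://three.example,1,no,yes,no,192.0.2.30:443,'
    '2.dnscrypt-cert.three.example,%s,' % sample_key("C"),
    'ex-badkey,Example Four,"Good flags, malformed key",Germany,'
    '"52.52,13.40",https://four.example,1,yes,yes,no,192.0.2.40:443,'
    '2.dnscrypt-cert.four.example,DEAD:BEEF,',
]) + "\n"

# A provider public key is a 32-byte Ed25519 key: 16 colon-separated groups of 4 hex digits.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")


def parse_resolvers(text):
    """Parse the resolver list into one dict per row, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def fingerprint_ok(fingerprint):
    """True iff the provider key has the shape of a 256-bit fingerprint."""
    return bool(FINGERPRINT_RE.match(fingerprint.strip()))


def is_yes(value):
    return value.strip().lower() == "yes"


def choose_resolvers(rows, require_dnssec=True, require_no_logs=True, location=None):
    """Names of resolvers that satisfy the requested properties, in list order.
    Rows with a malformed provider key are always rejected."""
    names = []
    for row in rows:
        if require_dnssec and not is_yes(row["DNSSEC validation"]):
            continue
        if require_no_logs and not is_yes(row["No logs"]):
            continue
        if location is not None and row["Location"] != location:
            continue
        if not fingerprint_ok(row["Provider public key"]):
            continue
        names.append(row["Name"])
    return names


def exec_start_line(name, user=None):
    """ExecStart= for the unit file; --user makes dnscrypt-proxy 1.x drop privileges."""
    cmd = "/usr/local/sbin/dnscrypt-proxy --resolver-name=%s" % name
    if user:
        cmd += " --user=%s" % user
    return "ExecStart=" + cmd


def resolv_conf_ok(text):
    """True iff at least one nameserver line exists and every one is 127.0.0.1.
    Comments (# or ;) and other directives such as search are ignored."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return bool(servers) and all(s == "127.0.0.1" for s in servers)


if __name__ == "__main__":
    rows = parse_resolvers(SAMPLE_CSV)
    usable = choose_resolvers(rows)
    print("resolvers validating DNSSEC, no logs, well-formed key:", usable)
    print(exec_start_line(usable[0], user="dnscrypt"))  # assumed account name
    print("resolv.conf ok:", resolv_conf_ok("nameserver 127.0.0.1\n"))
```

Run it against the real list by replacing SAMPLE_CSV with the contents of dnscrypt-resolvers.csv; the name it prints is what goes into --resolver-name, and the resolv.conf check is worth re-running after a reboot or a DHCP renewal to catch the file being rewritten.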