Puppy Linux Discussion Forum
DNSCrypt
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Sun 21 May 2017, 16:22    Post subject: DNSCrypt
Subject description: encrypting DNS queries
 

First, you should read this to have an understanding of what DNSCrypt-proxy offers you in terms of privacy and security. It is a good start :
https://lifehacker.com/how-to-boost-your-internet-security-with-dnscrypt-510386189

http://www.webupd8.org/2014/08/encrypt-dns-traffic-in-ubuntu-with.html

DNSCrypt is a protocol for securing communications between a client and a DNS resolver, preventing spying, spoofing or man-in-the-middle attacks.

For installing on Mintpup and other Dog-based OS.

You need PPA enabled.

Here are the installation steps:

$ sudo add-apt-repository ppa:anton+/dnscrypt

Then apt update and apt install dnscrypt-proxy

.deb file available here for Xenial (16.04 - version 1.6.1 which is not the latest) :
https://ubuntu.pkgs.org/16.04/ubuntu-universe-i386/dnscrypt-proxy_1.6.1-1_i386.deb.html

After installing DNSCrypt, you need to set your network connection DNS server to 127.0.0.2.

If you have Frisbee, instead of NetworkManager, you open resolv.conf with :
geany /etc/resolv.conf
and replace whatever nameserver with 127.0.0.2
save and close

To check if dnscrypt is working as it should be, visit this site and click standard test.
Result would look like this :
176.56.237.171 resolver1.dnscrypt.eu RouteLabel V.O.F. Netherlands

Now you have an extra security layer when browsing, and your ISP should never know what websites you visit, preventing your ISP from having logs on all your website visits, and helping keep you secure regarding other security threats.

There is a script for downloading and installing dnscrypt, but it failed to install on Mintpup.

You may have a better chance than me with this script, but use a fresh install to be on the safe side. It installs dnscrypt from source, with all needed packages for compiling.

At the end resolv.conf has nameserver 127.0.0.2 just as above, but it fails to connect to the Web. I was logged in as root user. You may try it as non-root user.

What the developer says :
This script will automatically and securely set up DNSCrypt as a background service that runs at system startup using DNSCrypt-proxy, the libsodium cryptography library, and the DNSCrypt service provider of your choice. The script also has options that allow you to change the service provider at any time, turn off DNSCrypt to use regular unencrypted DNS, as well as uninstall DNSCrypt.

Here's how to get dnscrypt with wget :
https://github.com/simonclausen/dnscrypt-autoinstall

1. wget https://raw.githubusercontent.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall
2. chmod +x dnscrypt-autoinstall
3. su -c ./dnscrypt-autoinstall

To force uninstallation :
./dnscrypt-autoinstall forcedel

Note 1:
I installed DNSCrypt-proxy on a Fedora-based OS with above autoinstall. I didn't have to change any settings. To see if DNSCrypt-proxy is working well just do : dig google.com in terminal. If you see SERVER 127.0.0.1#53 it is installed and working, launching at boot time. It should work on Ubuntu >=16.04. <16.04 is legacy and may be the reason why autoinstall didn't work on Mintpup. To use dig : install dnsutils.

Note 2:
To secure your resolv.conf file, make it immutable with chattr :
$ chattr +i /etc/resolv.conf
To make it writable again :
$ chattr -i /etc/resolv.conf

DNS resolvers for DNSCrypt :
https://download.dnscrypt.org/dnscrypt-proxy/

Download file or view dnscrypt-resolvers.csv with LibreOffice calc to find best resolver with dnssec & no logs and make change accordingly. Suggested dnscrypt-compatible resolver : https://www.dnscrypt.eu/ This is a free DNSSEC enabled, non-logged and uncensored DNSCrypt service. With autoinstall script, you need to choose a resolver toward the end of installation, typing a number from a list of resolvers.

Final note :
You may take a look at this Arch wiki about DNSCrypt-proxy. Arch man pages are a useful and comprehensive source of information. Then you may have to adapt this information :
https://wiki.archlinux.org/index.php/DNSCrypt

Security is the name of the game.

Last edited by labbe5 on Thu 25 May 2017, 13:34; edited 5 times in total
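
The spreadsheet step in the post above (picking a resolver with DNSSEC and no logs from dnscrypt-resolvers.csv) can also be scripted. This is an added example, not part of the original post or of the dnscrypt-proxy project; the column names are an assumption about the file's layout, and the sample rows, addresses and keys are constructed placeholders.

```python
import csv
import io

# Columns this example assumes the resolver list has (an assumption, check your copy).
REQUIRED = ("Name", "DNSSEC validation", "No logs", "Resolver address")

# Constructed sample rows; names, addresses and keys are placeholders.
SAMPLE_CSV = """\
Name,Full name,Description,DNSSEC validation,No logs,Resolver address,Provider name,Provider public key
example-a,Example A,"Constructed entry, quoted comma",yes,yes,192.0.2.10:443,2.dnscrypt-cert.a.example,PLACEHOLDER-KEY-A
example-b,Example B,Validates but keeps logs,yes,no,192.0.2.20:443,2.dnscrypt-cert.b.example,PLACEHOLDER-KEY-B
example-c,Example C,No logs but no DNSSEC,no,yes,192.0.2.30:443,2.dnscrypt-cert.c.example,PLACEHOLDER-KEY-C
example-d,Example D,Short row
"""

def select_resolvers(csv_text):
    """Return (name, address) pairs for resolvers marked DNSSEC=yes and No logs=yes."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected CSV layout, missing columns: {missing}")
    chosen = []
    for row in reader:
        # Short or damaged rows yield None for absent fields; treat them as "no".
        flags = [(row[c] or "").strip().lower() for c in ("DNSSEC validation", "No logs")]
        if flags == ["yes", "yes"]:
            chosen.append((row["Name"], row["Resolver address"]))
    return chosen

if __name__ == "__main__":
    for name, address in select_resolvers(SAMPLE_CSV):
        # The name is the value dnscrypt-proxy takes as --resolver-name.
        print(name, address)
```
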
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Tue 23 May 2017, 13:16    Post subject: DNS hijacking risk
Subject description: Yandex web browser with built-in support for the DNSCrypt protocol.
 

https://yandex.com/support/browser/security/dnscrypt.xml

The DNS-server request and response are transmitted openly, without encryption.

The lack of encryption means that:

The internet provider or network administrator can find out which sites a user is visiting.
Attackers can tamper with the response from the DNS server and redirect the user to a malicious site. For example, instead of going to a bank's website, a user might end up on a fake site that steals passwords.


Installing and using Yandex web browser can be another way to have dnscrypt enabled.
How to install Yandex (for Dog-based OS) :
https://www.linuxhelp.com/install-yandex-browser-ubuntu-2/

To enable encryption of DNS requests:
https://yandex.com/support/browser/security/dnscrypt.xml#off

Click → Settings.
In the lower half of the Settings page, click Show advanced settings.
In the Network section, select Use a DNS server with DNSCrypt encryption.
Choose a DNS server from the drop-down list.
Note. We recommend selecting the Yandex DNS server.

Last edited by labbe5 on Tue 23 May 2017, 13:36; edited 2 times in total
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Tue 23 May 2017, 13:31    Post subject: DNSCrypt-Loader
Subject description: alternative dnscrypt client
 

https://github.com/gortcodex/dnscrypt-loader

DNSCrypt-loader is a flexible and customizable bash script to manage DNSCrypt-proxy using command line or Whiptail GUI. If you are a system administrator or common user this script is a handy way to setup DNSCrypt-proxy on your system.

Source code :
https://github.com/GortCodex/DNSCrypt-Loader/releases

Run DNSCrypt-loader installer as root.

On Ubuntu and Debian-based distros :
sudo ./install-loader-debian
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Tue 23 May 2017, 14:20    Post subject: Unbound
Subject description: caching and speeding up DNS queries with Unbound
 

https://www.ab9il.net/crypto/dnscrypt.html

You can speed up DNS queries with Unbound.

Installing and configuring the Unbound caching server (link above).

Unbound can be optionally installed alongside DNSCrypt-proxy to speed up DNS queries.

Note :

As a rule, you should try installing and configuring Unbound (or any new app) on a fresh install of a Dog-based OS; only then should you install it on a save file (or folder), if all went well. In case something goes wrong, you reboot to a fresh install, and you have not broken your system.
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Fri 26 May 2017, 11:06    Post subject: dhcpcd config
Subject description: how to permanently change settings
 

dhcpcd, if left alone, rewrites resolv.conf, so every time you change values, they get erased and replaced with the original values.

There are a few ways to bypass this :

1- open resolv.conf.head :
geany /etc/resolv.conf.head
Write your DNS values and save the file (for dnscrypt-proxy, it is 127.0.0.1). It can be any public DNS server. Doing so will append your values to resolv.conf permanently.

2- open dhcpcd.conf :
geany /etc/dhcpcd.conf
Add : nohook resolv.conf and save file.
Doing so will prevent the DHCP daemon from overwriting your values.
Alternatively you can add, instead of nohook :
static domain_name_servers=8.8.4.4 8.8.8.8 (or any public DNS servers)

If confronted with a long hostname lookup, you can reduce the time before changing to another alternative nameserver by doing this :
geany /etc/resolv.conf and add :
options timeout:1

All above information will be useful if you try installing DNSCrypt-proxy in a Dog-based OS.
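
A check for the resolv.conf and dhcpcd.conf settings described in this post, as an added example that is not part of the original post: it reports every nameserver that would carry queries around the local dnscrypt-proxy listener, and whether dhcpcd can still rewrite the file. The sample file contents are constructed; 192.0.2.53 stands in for a DHCP-supplied server.

```python
import ipaddress

# Constructed sample: a resolv.conf.head entry followed by a DHCP-supplied server.
RESOLV_HEAD_ONLY = """\
# Generated by dhcpcd
nameserver 127.0.0.1
nameserver 192.0.2.53
options timeout:1
"""
RESOLV_LOCKED = "nameserver 127.0.0.2\n"          # constructed
DHCPCD_NOHOOK = "hostname\nnohook resolv.conf\n"  # constructed

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def directives(text):
    """Return config lines split into words, comments and blank lines dropped."""
    lines = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [words for words in lines if words]

def audit(resolv_text, dhcpcd_text):
    """Return findings; an empty list means lookups can only reach the local proxy."""
    servers = [w[1] for w in directives(resolv_text)
               if w[0] == "nameserver" and len(w) > 1]
    findings = [] if servers else ["resolv.conf: no nameserver line"]
    findings += [f"resolv.conf: {s} is not loopback, queries sent there are unencrypted"
                 for s in servers if not is_loopback(s)]
    nohook, static = False, None
    for w in directives(dhcpcd_text):
        if w[0] == "nohook" and "resolv.conf" in " ".join(w[1:]).replace(",", " ").split():
            nohook = True
        elif w[0] == "static" and len(w) > 1 and w[1].startswith("domain_name_servers="):
            static = [w[1].split("=", 1)[1]] + w[2:]
    if nohook:
        return findings  # dhcpcd leaves resolv.conf alone
    if static is None:
        findings.append("dhcpcd.conf: resolv.conf hook active, a lease can rewrite the file")
    else:
        findings += [f"dhcpcd.conf: static server {s} is not loopback"
                     for s in static if s and not is_loopback(s)]
    return findings

if __name__ == "__main__":
    for finding in audit(RESOLV_HEAD_ONLY, ""):
        print(finding)
```

A second, non-loopback nameserver matters because the resolver falls back to it when the first one times out, so those lookups leave the machine in clear text.
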
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Fri 26 May 2017, 16:41    Post subject: ps aux | grep dns
Subject description: a command line to see if dnscrypt-proxy is properly configured
 

In terminal :

ps aux | grep dns

output :

dnscrypt 1232 0.0 0.1 3724 2276 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.2:53
dnscrypt 1236 0.1 0.1 3724 2156 ? SLs 16:19 0:00 /usr/local/sbin/dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.1:53
maccorm+ 3405 0.0 0.0 5196 892 pts/0 S+ 16:23 0:00 grep --color=auto dns

Your output should be similar.
--user=dnscrypt (unprivileged user)

My best result has been with a Fedora-based distro with NetworkManager. I think the script dnscrypt-autoinstall is configured with NetworkManager in mind. Xenialdog using Frisbee, it is not properly configured out-of-the-box.
labbe5

Joined: 13 Nov 2013
Posts: 858
Location: Canada

Posted: Tue 11 Jul 2017, 10:29    Post subject: VPN not working with DNSCrypt-proxy

If you successfully installed DNSCrypt-proxy, and wanted to use a virtual private network at the same time, you are faced with a dilemma : you only can use one or the other, not both at the same time.

This is the way DNSCrypt-proxy is configured at present, preventing the use of a VPN, such as VPNBook.

There is one option for having both at the same time : use vpn.ac. DNS requests are encrypted using vpn.ac :
https://vpn.ac/features

All DNS queries are encrypted (AES 128-bit) to protect customers against 3rd party DNS monitoring and hijacking

This team has done it right.