DNSCrypt (简体中文)
DNSCrypt 可以加密和认证用户和 DNS 解析服务器之间的数据传输。IP 数据本身没有任何变化,DNScrypt 可以避免 DNS 查询欺骗,确保 DNS 相应来自选择的 DNS 服务器。[1]
Contents
安装
安装 软件包 dnscrypt-proxy。
Configuration
Startup
The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):
- With the
.service
file.
listen_addresses
option must configured (e.g. listen_addresses = ['127.0.0.1:53', '[::1]:53']
) in the configuration file when using the .service
file.- Through the
.socket
activation.
listen_addresses
option must be set to empty (i.e. listen_addresses = [ ]
) in the configuration file, since systemd is taking care of the socket configuration.Select resolver
By leaving server_names
commented out in the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml
, dnscrypt-proxy will choose the fastest server from the sources already configured under [sources]
[2]. The lists will be downloaded, verified, and automatically updated. [3]. Thus, configuring a specific set of servers is optional.
To manually set which server is used, edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml
and uncomment the server_names
variable, selecting one or more of the servers. For example, to use Cloudflare's servers:
server_names = ['cloudflare', 'cloudflare-ipv6']
A full list of resolvers is located at the upstream page or Github. If dnscrypt-proxy has run successfully on the system before, /var/cache/dnscrypt-proxy/public-resolvers.md
will also contain a list. Look at the description for servers note which validate DNSSEC, do not log, and are uncensored. These requirements can be configured globally with the require_dnssec
, require_nolog
, require_nofilter
options.
Disable any services bound to port 53
To see if any programs are using port 53, run
$ ss -lp 'sport = :domain'
If the output contains more than the first line of column names, you need to disable whatever service is using port 53. One common culprit is systemd-resolved.service
, but other network managers may have analogous components. You are ready to proceed once the above command outputs nothing more than the following line:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
Modify resolv.conf
Modify the resolv.conf file and replace the current set of resolver addresses with the address for localhost and options [4]:
nameserver 127.0.0.1 options edns0 single-request-reopen
Other programs may overwrite this setting; see resolv.conf#Preserve DNS settings[broken link: invalid section] for details.
Start systemd service
Finally, start/enable the dnscrypt-proxy.service
unit or dnscrypt-proxy.socket
, depending on which method you chose above.
Tips and tricks
Local DNS cache configuration
cache = true
in your dnscrypt configuration fileIt is recommended to run DNSCrypt as a forwarder for a local DNS cache if not using dnscrypt's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must setup your local DNS cache program.
Change port
In order to forward queries from a local DNS cache, dnscrypt-proxy should listen on a port different from the default 53
, since the DNS cache itself needs to listen on 53
and query dnscrypt-proxy on a different port. Port number 53000
is used as an example in this section. In this example, the port number is larger than 1024 so dnscrypt-proxy is not required to be run by root.
There are two methods for changing the default port:
Socket method
Edit dnscrypt-proxy.socket
with the following contents:
[Socket] ListenStream= ListenDatagram= ListenStream=127.0.0.1:53000 ListenDatagram=127.0.0.1:53000
When queries are forwarded from the local DNS cache to 53000
, dnscrypt-proxy.socket
will start dnscrypt-proxy.service
.
Service method
Edit the listen_addresses
option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml
with the following:
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
Example local DNS cache configurations
The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000
.
Unbound
Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the server
section in /etc/unbound/unbound.conf
:
do-not-query-localhost: no forward-zone: name: "." forward-addr: 127.0.0.1@53000
interface: 0.0.0.0@53
and access-control: your-network/subnet-mask allow
inside the server:
section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server
in /etc/resolv.conf
.Restart unbound.service
to apply the changes.
dnsmasq
Configure dnsmasq as a local DNS cache[broken link: invalid section]. The basic configuration to work with DNSCrypt:
/etc/dnsmasq.conf
no-resolv server=127.0.0.1#53000 listen-address=127.0.0.1
If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:
/etc/dnsmasq.conf
proxy-dnssec
Restart dnsmasq.service
to apply the changes.
pdnsd
Install pdnsd. A basic configuration to work with DNSCrypt is:
/etc/pdnsd.conf
global { perm_cache = 1024; cache_dir = "/var/cache/pdnsd"; run_as = "pdnsd"; server_ip = 127.0.0.1; status_ctl = on; query_method = udp_tcp; min_ttl = 15m; # Retain cached entries at least 15 minutes. max_ttl = 1w; # One week. timeout = 10; # Global timeout option (10 seconds). neg_domain_pol = on; udpbufsize = 1024; # Upper limit on the size of UDP messages. } server { label = "dnscrypt-proxy"; ip = 127.0.0.1; port = 53000; timeout = 4; proxy_only = on; } source { owner = localhost; file = "/etc/hosts"; }
Restart pdnsd.service
to apply the changes.
Sandboxing
Edit dnscrypt-proxy.service
to include the following lines:
[Service] CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE ProtectSystem=strict ProtectHome=true ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true PrivateTmp=true PrivateDevices=true MemoryDenyWriteExecute=true NoNewPrivileges=true RestrictRealtime=true RestrictAddressFamilies=AF_INET AF_INET6 SystemCallArchitectures=native SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io
See systemd.exec(5) and Systemd#Sandboxing application environments for more information. Additionally see upstream comments[dead link 2018-01-08].
Enable EDNS0
Extension Mechanisms for DNS that, among other things, allows a client to specify how large a reply over UDP can be.
Add the following line to your /etc/resolv.conf
:
options edns0
You may also wish to append the following to /etc/dnscrypt-proxy.conf
:
EDNSPayloadSize <bytes>
Where <bytes> is a number, the default size being 1252, with values up to 4096 bytes being purportedly safe. A value below or equal to 512 bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.
Test EDNS0
Make use of the DNS Reply Size Test Server, use the drill command line tool to issue a TXT query for the name rs.dns-oarc.net:
$ drill rs.dns-oarc.net TXT
With EDNS0 supported, the "answer section" of the output should look similar to this:
rst.x3827.rs.dns-oarc.net. rst.x4049.x3827.rs.dns-oarc.net. rst.x4055.x4049.x3827.rs.dns-oarc.net. "2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes" "2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"
Redundant DNSCrypt providers
To use several different dnscrypt providers, you may simply copy the original dnscrypt-proxy.service
and dnscrypt-proxy.socket
. Then in your new copy of the service change the command line parameters, either pointing to a new configuration file or naming a different resolver directly. From there change the port in the new copy of the socket. Lastly, update your local DNS cache program to point to new service's port. For example, with unbound the configuration file would look like if using ports 53000
for the original socket and 53001
for the new socket.
/etc/unbound/unbound.conf
do-not-query-localhost: no forward-zone: name: "." forward-addr: 127.0.0.1@53000 forward-addr: 127.0.0.1@53001
Create instanced systemd service
An alternative option to copying the systemd service is to used an instanced service.
Create systemd file
First, create /etc/systemd/system/dnscrypt-proxy@.service
containing:
[Unit] Description=DNSCrypt client proxy Documentation=man:dnscrypt-proxy(8) Requires=dnscrypt-proxy@%i.socket [Service] Type=notify NonBlocking=true ExecStart=/usr/bin/dnscrypt-proxy \ --resolver-name=%i Restart=always
This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.
Add dnscrypt-sockets
To create multiple dnscrypt-proxy sockets, copy /usr/lib/systemd/system/dnscrypt-proxy.socket
to a new file, /etc/systemd/system/dnscrypt-proxy@short-name.here.socket
, replacing the socket instance name with one of the short names listed in dnscrypt-resolvers.csv
and change the port. Use a different port for each instance (53000, 53001, and so forth).
Apply new systemd configuration
Now we need to reload the systemd configuration.
# systemctl daemon-reload
Since we are replacing the default service with a different name, we need to explicitly stop and disable dnscrypt-proxy.service
and dnscrypt-proxy.socket
.
Now start/enable the new service(s), e.g., dnscrypt-proxy@dnscrypt.eu-nl
, etc.
Finally restart unbound.service
.