| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
userdoc:tt_dnscrypt_proxy [2018/04/07 15:53]
abelbeck [DNSCrypt Proxy Server] |
userdoc:tt_dnscrypt_proxy [2023/10/29 10:22] (current)
abelbeck [DNSCrypt Proxy Configuration] |
| ====== DNSCrypt Proxy Server ====== | ====== DNSCrypt Proxy Server ====== |
| | |
| | !!DNSCrypt is deprecated in favor of DNS-TLS!!\\ |
| | Go to: **[[userdoc:tt_dns_tls_proxy|DNS-TLS Proxy Server]]** |
| |
| AstLinux now supports the [[https://github.com/dyne/dnscrypt-proxy/blob/master/README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver. | AstLinux now supports the [[https://github.com/dyne/dnscrypt-proxy/blob/master/README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver. |
| !!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!! | !!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!! |
| |
| ==== DNSCrypt Proxy Configuration ==== | ===== DNSCrypt Proxy Configuration ===== |
| |
| Configuring DNSCrypt is as simple as it gets. | Configuring DNSCrypt is as simple as it gets. |
| {{:userdoc:dnscrypt-default-config1.jpg?nolink|DNSCrypt Default Configuration}} | {{:userdoc:dnscrypt-default-config1.jpg?nolink|DNSCrypt Default Configuration}} |
| |
| As the dialog's "Note" states, the default configuration is to use [[https://www.opendns.com/|OpenDNS]] as the DNSCrypt provider, which is a good choice for most users. | As the dialog's "Note" states, the default configuration is to use [[https://www.opendns.com/|OpenDNS]] as the DNSCrypt provider. |
| |
| {{:userdoc:dnscrypt-default-config2.jpg?nolink|DNSCrypt Secondary Configuration}} | {{:userdoc:dnscrypt-default-config2.jpg?nolink|DNSCrypt Secondary Configuration}} |
| using the OpenDNS defaults for the remaining fields. | using the OpenDNS defaults for the remaining fields. |
| |
| ==== DNSCrypt Proxy server list ==== | ===== DNSCrypt Proxy server list ===== |
| |
| Alternatively, there is a growing number of DNSCrypt providers around the world, some of which may be closer to you. View a table of | Alternatively, there is a growing number of DNSCrypt providers around the world, some of which may be closer to you. |
| |
| [[https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|Public DNS resolvers supporting DNSCrypt]] | Quad9 current list, using ''sdns:'' stamps\\ |
| | [[https://quad9.net/dnscrypt/quad9-resolvers.md|Quad9 DNS resolvers supporting DNSCrypt]] |
| |
| and optionally define the three Server/Provider fields using the table columns titled **Resolver address**, **Provider name** and **Provider public key** (=> scroll to the right edge). | Public, current list, using ''sdns:'' stamps\\ |
| | [[https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md|Public DNS resolvers supporting DNSCrypt]] |
| | |
| | Using !!AstLinux 1.3.3 or later!! your can directly import an ''sdns:'' stamp to automatically fill in the three fields. |
| | |
| | Optionally define the three Server/Provider fields using the table columns titled **Resolver address**, **Provider name** and **Provider public key** (=> scroll to the right edge). |
| |
| For example the OpenDNS values automatically used are: | For example the OpenDNS values automatically used are: |
| |
| !!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider. [[https://github.com/Cofyc/dnscrypt-wrapper/|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver. | !!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider. [[https://github.com/Cofyc/dnscrypt-wrapper/|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver. |
| ==== Display DNSCrypt Status ==== | |
| | ===== Display DNSCrypt Status ===== |
| |
| A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled. | A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled. |
| or | or |
| dig debug.opendns.com txt +short | dig debug.opendns.com txt +short |
| ==== Restricting DNS ==== | |
| | ===== Restricting DNS ===== |
| |
| By default, no changes to the Firewall settings are necessary for DNSCrypt to function. | By default, no changes to the Firewall settings are necessary for DNSCrypt to function. |
| The ''SRC='' entry will identify which LAN device is misconfigured. | The ''SRC='' entry will identify which LAN device is misconfigured. |
| |
| ==== Possible Startup Issues ==== | ===== Possible Startup Issues ===== |
| |
| In order to validate the DNSCrypt provider's certificate, the DNSCrypt client's system must have it's clock set to a reasonable time. Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board's CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/etc/hosts''), no problem. But, if the specified NTP server was, say "us.pool.ntp.org", we have the classic chicken-egg problem. | In order to validate the DNSCrypt provider's certificate, the DNSCrypt client's system must have it's clock set to a reasonable time. Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board's CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/etc/hosts''), no problem. But, if the specified NTP server was, say "us.pool.ntp.org", we have the classic chicken-egg problem. |