Setting up your own DNSCrypt server on Ubuntu 16.04 Linux

DNSCrypt VS Plain DNS

What is DNS? DNS is a Domain Name Service, which is widely used by everyone today. If you don’t know whether you are using DNS, then this article is not for you.

DNS is used to resolve human-readable domain names to machine-readable addresses. Actually, for the servers on the Internet it does not matter whether your site has a neat, short name or not; a server is just as happy with an ugly IP address like 19.5.81.65 as with 1.1.1.1, for example. By the way, 1.1.1.1 is a real, working DNS server address of CloudFlare, and it supports all the protocols: DNS, DNSCrypt, DNS-over-TLS, DNS-over-HTTPS.

So, to learn the IP address of some server on the Internet from its domain name, DNS servers are used. Your browser asks the DNS server a question like “What is the IPv4 address of www.google.com?” and the DNS server responds “The IPv4 address of www.google.com is 123.456.789.123”. Of course that is not a real IP; a real IPv4 address can’t contain numbers larger than 255, because each of its four parts is exactly 1 byte. The point is that in this exchange anyone who sniffs your wired/wireless connection can see that you are visiting “google.com”. The DNSCrypt protocol exists to encrypt this information, so that nobody between your PC and the destination resource will be able to sniff your domain requests.

The objective of this article

  • Install your own DNSCrypt v2 forwarder (v1 is supported too); we will use the dnsdist package
  • Install DNSCrypt client for Windows
  • Install DNSCrypt client for Android

As you can see, we are going to go through the installation of the client software too. That means that if you don’t want to install your own server, just skip that step and go straight to the client installation. There are tons of public DNSCrypt servers that you can use and feel safe while browsing the internet.

Step 1. DNSCrypt Server installation

Requirements

  • A VPS running Ubuntu 16.04 (note: any Linux can be used, Ubuntu is not a requirement, but in this tutorial I will use Ubuntu). If you are running Debian, the installation process is almost exactly the same. But if you are running CentOS (which is based on RPM packages) it will be different for you
  • You must have root permissions on this server
  • Any PC running Windows for client installation and test
  • (optional) Any PC/Router/Device running any Linux OS (Ubuntu, Debian, CentOS, RedHat etc) with processors x64/x86/arm/mips and etc.
  • (optional) Any Android phone with AdGuard app installed

Preparing VPS

I will use some cheap cloud server to install the DNSCrypt server on. So, I’m connected via SSH and see the root console:


As you can see, I’m using Putty to connect to the Linux server from a Windows machine. Disclaimer: I use Windows here as the client machine because Windows is widely used by a lot of people and I want to be as close to reality as possible. People who use Linux as their main OS don’t need to read this kind of manual because they can do it by themselves 🙂

So, let’s update the packages and check the version of the libsodium package in the official repo:

apt-get update
apt-get install nano
apt-cache search libsodium

And we see a list of packages.

Let’s check the version of the libsodium18 package:

apt-cache madison libsodium18

The package version I got is 1.0.8. That is not good for us because it doesn’t support the encryption needed for DNSCrypt v2 (v1 would work anyway, though we want to do it “comme il faut”). We need at least version 1.0.9.

So, we will turn linux-mind-mode on and COMPILE IT FROM SOURCE! 

Ok, a little note here: if you are running Ubuntu/Debian x64, you can download the dpkg packages compiled by me right here: libsodium-1.0.9-dpkg

Let’s first make the source packages available in APT. For this, open the file /etc/apt/sources.list and uncomment the deb-src … universe row, OR just execute the following:


echo "deb-src http://mirror.yandex.ru/ubuntu $(lsb_release -cs) universe" > /etc/apt/sources.list.d/universe.list
apt-get update

Let’s create a new folder inside /root and call it “build”. Then download the sources for libsodium and try to build it without changes:

apt-get build-dep libsodium18
apt-get install git nano dpkg-dev devscripts fakeroot
mkdir -p /root/build/libsodium
cd /root/build/libsodium
apt-get source libsodium18
cd libsodium-1.0.8/
fakeroot debian/rules binary

It will take some time… But the main point is that you should not get any errors during compilation and should see the following at the end:

So, the *.deb packages were successfully built. Now let’s update the version of this package to 1.0.9. We will use the official GitHub source.


uupdate -v 1.0.9 ../libsodium_1.0.8-5.debian.tar.xz
cd ../libsodium-1.0.9
git init
git remote add origin https://github.com/jedisct1/libsodium.git
git fetch origin
git checkout -b stable origin/stable
git checkout c09b00cf20

Note: the last command does not have to be executed. But this is the version that I used and it worked. So if you want to install a newer version, just do not execute the last command with the “c09b00cf20” commit id. If you don’t know what that is, just follow the tutorial and this should work 🙂

Now, let’s update the package changelog and set the new version number:


dch -n

This will open a text editor (nano); you just need to save by pressing Ctrl+O and then exit by pressing Ctrl+X.

Now, rebuild version 1.0.9:

fakeroot debian/rules binary
cd ../
ls -lah

And see the list of files we have. We should have:

libsodium18_1.0.9-0ubuntu1_amd64.deb
libsodium-dbg_1.0.9-0ubuntu1_amd64.deb
libsodium-dev_1.0.9-0ubuntu1_amd64.deb

Now, install them all:

dpkg -i libsodium18_1.0.9-0ubuntu1_amd64.deb libsodium-dbg_1.0.9-0ubuntu1_amd64.deb libsodium-dev_1.0.9-0ubuntu1_amd64.deb

That’s it. The main required package is installed. Now, let’s compile the dnsdist package from sources using the official repo on GitHub.


apt-get install ragel virtualenv zip libsystemd-dev protobuf-compiler libssl-dev libprotobuf-dev dh-systemd libboost-dev libboost1.58-dev libbsd-dev libedit-dev liblua5.2-0 liblua5.2-dev libreadline-dev libreadline6-dev libtinfo-dev
cd /root/build
git clone -b "dnsdist-1.3.3" https://github.com/PowerDNS/pdns
cd pdns/pdns/dnsdistdist
autoreconf -i
./configure --prefix="" --exec-prefix=/usr --sysconfdir="/etc/dnsdist" --with-systemd="/lib/systemd/system" --enable-dns-over-tls --enable-dnscrypt --with-protobuf

Check that there are no errors here and compile:


make
make install

And wait for it to compile… This will take a while depending on your VPS. Then check the version:


dnsdist -V

For me it is:


dnsdist 0.0.0.HEAD.gg27dd1e3 (Lua 5.2.4)
Enabled features: dns-over-tls(openssl) dnscrypt ebpf libsodium protobuf recvmmsg/sendmmsg systemd

Ok, let’s add some quick configs and see how it works


mkdir /etc/dnsdist
cd /etc/dnsdist
wget -O "/tmp/dnsdist.zip" "https://blog.jazinbaz.in/download/2571/"
unzip /tmp/dnsdist.zip

systemctl daemon-reload
service dnsdist restart
service dnsdist status

Or just manually download the config file from here and copy its contents: dnsdist.conf.zip

We should see that the service is running. Now, let’s generate the keys that will be needed for encryption.

mkdir -p /var/lib/dnsdist
dnsdist -c 

generateDNSCryptProviderKeys("/var/lib/dnsdist/providerPublic.key", "/var/lib/dnsdist/providerPrivate.key")
sinceDate=os.time(os.date("!*t"))
expireDate=os.time({year=2100, month=0, day=1, hour=00, minute=00})
generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/var/lib/dnsdist/resolver.cert", "/var/lib/dnsdist/resolver.key", 1, sinceDate, expireDate, VERSION1)
generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/var/lib/dnsdist/resolver2.cert", "/var/lib/dnsdist/resolver2.key", 1, sinceDate, expireDate, VERSION2)

Then exit the dnsdist console by pressing Ctrl+C and open its config to enable the actual DNSCrypt binds. First, let’s find out our public IP address. We are cool Linux masters, so we will use the command line for this:


wget -4 -qO- ifconfig.co
wget -6 -qO- ifconfig.co

We will get 2 IP addresses: one for v4 and one for v6. Of course, you can skip v6 and work only on IPv4; it is enough for us.

In my case, I got the IP address 85.143.172.89. You can also get the same IP by running ifconfig. If you are behind NAT, you must bind to your local IP, like 192.168.10.135, for example, and then forward the desired ports (8443, 5353) to it.

Now, let’s open the config file /etc/dnsdist/dnsdist.conf, find the line with “ipv4addr” and change the address there.

Then go to the addDNSCryptBind… part at the end of the file and uncomment the lines with ipv4 in them, so it looks like this:

We’ve just removed the ‘--’ from the start of the lines to uncomment them. Also, change the provider names in this config: these are “1.dnscrypt.mydomain.com” and the same for the other one. You can leave them as they are; that is not bad at all, and it doesn’t have to be a real domain name, though it is better to use a real domain name. We will leave them as they are for this example. Now, save the file with Ctrl+O and exit with Ctrl+X, then stop the service and run it manually to see the logs:


service dnsdist stop
dnsdist -v --disable-syslog

We see that it is ok and it is listening on our ports.

Ok, the first half of the job is done. Leave dnsdist running in the console, do not close it and do not cut the internet off. Now, let’s find out the public key of the provider. To do this, type the following right into the console with the running dnsdist:

printDNSCryptProviderFingerprint("/var/lib/dnsdist/providerPublic.key")

And this will display the fingerprint of the public key.

Now, let’s take that fingerprint, copy it to the clipboard and open a new console window with an SSH connection to your VPS (because we don’t want to stop the running dnsdist process). In the new console, write the following:


fingerprint="DF76:2D34:2E3A:DFCE:6A68:B520:AF34:7D58:A203:0967:184D:2C95:F341:4204:77DC:4450"
fingerprint="${fingerprint//:}"; echo "${fingerprint,,}"

Of course, replace the fingerprint with your value. This will give us the normalized, lowercased value. Copy this to the clipboard. For me it is “df762d342e3adfce6a68b520af347d58a2030967184d2c95f341420477dc4450”. As you can guess, we removed the “:” characters and lowercased the string, that’s it.

Now, let’s create a DNS Stamp for this server. Go to the super great utility page here https://dnscrypt.info/stamps/

And fill in the values from your configuration. For me it looks like this:

And now save the sdns://… server info stamp.

For me it is: sdns://AQYAAAAAAAAAEjg1LjE0My4xNzIuODk6ODQ0MyDfdi00LjrfzmpotSCvNH1YogMJZxhNLJXzQUIEd9xEUBcxLmRuc2NyeXB0Lm15ZG9tYWluLmNvbQ

That was the config for the DNSCrypt v1 protocol. Actually, that is enough, but we compiled dnsdist from source specifically to use version 2 of the protocol. Now, do the same for DNSCrypt v2 (on port 5353 in this case).

Stamp for DNSCrypt v2: sdns://AQYAAAAAAAAAEjg1LjE0My4xNzIuODk6NTM1MyDfdi00LjrfzmpotSCvNH1YogMJZxhNLJXzQUIEd9xEUBcyLmRuc2NyeXB0Lm15ZG9tYWluLmNvbQ

This is actually the final result we need. This DNS Stamp is an encoded description of our particular DNS server; we will add it on the client side to connect to our server. It is not encrypted for safety; it just makes things easier, like a QR code, but for a DNS server. Ok, the DNSCrypt server configuration is finished. Let’s test our DNSCrypt server in some client software.
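To see what the stamp page actually encodes, here is an added Python example (not from the original post, dnsdist or dnscrypt-proxy) that normalizes the fingerprint the way the bash one-liner above does, builds the sdns:// stamp from address, provider key and provider name, and decodes a stamp back into its fields. It assumes the DNS Stamps wire format for DNSCrypt (protocol byte 0x01, 8-byte little-endian property flags, then length-prefixed address, 32-byte provider key and provider name, base64url without padding); run against the values shown above it reproduces both stamps, and the decoder shows they carry the “No logs” and “No filter” flags.

```python
import base64
import struct

PROTO_DNSCRYPT = 0x01                          # protocol identifier byte
DNSSEC, NO_LOGS, NO_FILTER = 0x01, 0x02, 0x04  # property bits (LE uint64)

def normalize_fingerprint(fp: str) -> str:
    """'DF76:2D34:...' -> 'df762d34...', what the bash one-liner above does."""
    hex_key = fp.replace(":", "").lower()
    if len(hex_key) != 64:
        raise ValueError("provider public key must be 32 bytes (64 hex digits)")
    bytes.fromhex(hex_key)  # rejects non-hex input
    return hex_key

def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte, then the field bytes (max 255)."""
    if len(data) > 255:
        raise ValueError("stamp field longer than 255 bytes")
    return bytes([len(data)]) + data

def build_dnscrypt_stamp(addr, fingerprint, provider,
                         dnssec=False, no_logs=True, no_filter=True):
    """Build an sdns:// stamp for a DNSCrypt resolver; addr is 'ip:port'."""
    props = (DNSSEC if dnssec else 0) | (NO_LOGS if no_logs else 0) | (NO_FILTER if no_filter else 0)
    raw = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
           + _lp(addr.encode())
           + _lp(bytes.fromhex(normalize_fingerprint(fingerprint)))
           + _lp(provider.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_dnscrypt_stamp(stamp: str) -> dict:
    """Decode a DNSCrypt stamp back into its fields; raises on malformed input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if len(raw) < 9 or raw[0] != PROTO_DNSCRYPT:
        raise ValueError("not a DNSCrypt stamp")
    props = struct.unpack("<Q", raw[1:9])[0]
    fields, pos = [], 9
    for _ in range(3):  # address, provider public key, provider name
        n = raw[pos]    # IndexError here means the stamp is truncated
        fields.append(raw[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos != len(raw) or len(fields[1]) != 32:
        raise ValueError("malformed stamp")
    return {"addr": fields[0].decode(), "public_key": fields[1].hex(),
            "provider": fields[2].decode(), "dnssec": bool(props & DNSSEC),
            "no_logs": bool(props & NO_LOGS), "no_filter": bool(props & NO_FILTER)}
```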

As soon as you have tested your server with one of the clients below, there is no need to keep it running in the console. Go back to your VPS and stop the process by pressing Ctrl+C. Then, enable the service permanently:


systemctl enable dnsdist
systemctl restart dnsdist
systemctl status dnsdist

It will be running in background, so you can close your SSH connection and close Putty window.

Advanced configuration

  • Coming soon: Setting up domain TXT records
  • Coming soon: Enabling ipv6

Installing DNSCrypt client for Windows

We will use the overall leading software for DNSCrypt, which is widely used on Linux too: DNSCrypt Proxy. It is already compiled for win32 and win64, so installing it is not a problem and not difficult at all. We will install it to use all the public resolvers. For using our custom DNS server, check the configuration of dnscrypt-proxy for Linux.

Let’s start. Download the version of the latest release for your system (x64 or x32) from the official GitHub page. If you are not sure whether your system is x64 or x32, download the x32 version. I will do the same right now, though I have an x64 system. I will download the file called dnscrypt-proxy-win32-2.0.22.zip (you can download it from here too). Let’s now find the downloaded file.

And here is what I have. Extract this file. But first, download 7-Zip and install it to have the same menus as I have. Why not WinRAR? Ok, no problem, but it is not free, while 7-Zip is free and does pretty much the same. I will use 7-Zip as it is free for all.

Ok, now we have extracted the folders. So we have a folder named dnscrypt-proxy-blabla

Rename it to be neat and nice: dnscrypt-proxy

Now, go to My Computer->Disk C and create a folder named Tools. We will need Administrator rights for this. Move our dnscrypt-proxy folder into this Tools folder so it will be “Tools->dnscrypt-proxy”.

Now, rename the file “example-dnscrypt-proxy.toml” to “dnscrypt-proxy.toml” and open it in a text editor; I recommend you install Notepad++. This is the best replacement for notepad in Windows and maybe one day Microsoft will include it instead of this stupid notepad from Windows (sorry, Microsoft).

Normally, nothing needs to be changed here. Make some changes if you want and save it, or just take a look at what this file looks like and close it. Now, let’s install the dnscrypt-proxy service. There is a file named “service-install.bat”. You have to run it as Administrator.

A new console window will open. Check that there are no errors and close it.

So, now run the second file, “service-restart.bat”, also as Administrator.

There is a warning that the service can’t be stopped, but that is ok. The service must be installed and running as it should. Press the Start button and open the command line by searching for “cmd”.

Type “control” and press Enter

The control panel will open. Find the Internet and Networks category

Now choose “Change adapter parameters”

And select in the list your main network adapter (the one connected to the internet). If you use WiFi, it will be the WiFi adapter, so select that one.

And open its options. Choose “ipv version 4” from the list and press “Options”.

Now save all the settings here and exit. Close all the windows and try opening some pages in your browser. If it works as usual, the setup is done and your DNS requests are now secured.

For IPv6, set your DNS server under “IP Version 6” to “::1”. If you don’t use it, that is not needed.

Installing DNSCrypt client for Android (AdGuard)

Download AdGuard and install it on your mobile device. Go to Settings->DNS Filtering and enable this feature. Then, down below, there is “Select DNS server”. Tap on it and scroll to the bottom to see the buttons for adding a DNS server. Here are some pictures to see what we are doing:

Now, let’s take the stamp for v2 of the protocol and test it.

Choose “Add custom DNS Server” and paste the sdns://… stamp here. We will see this kind of picture:

Press “Save and enable” and then check the logs on the server side:

So, as we see, version 2 of the protocol is working great.

Installing DNSCrypt client on Linux

Coming soon

Installing DNSCrypt client on Apple Mac OS X

Coming soon

Installing DNSCrypt client on Apple iOS

Coming soon

 
