Saturday 8 June 2013

Setting up dnscrypt on Fedora

DNSCrypt is a free service by OpenDNS that provides encrypted DNS lookups. If you are concerned about man-in-the-middle attacks, data collection/spying by various entities or ad injections by unscrupulous ISPs, encrypting your DNS lookups is a good starting point. Bear in mind that just encrypting your DNS lookups will not make you secure online. It has to be used in conjunction with a lot of other tools and services if you really want to safeguard your privacy.

  1. Download the DNSCrypt tarball from http://download.dnscrypt.org/dnscrypt-proxy/. At the time of writing, the latest version was dnscrypt-proxy-1.3.0.tar.gz
  2. Extract the tarball, then build and install it:
    tar xvf dnscrypt-proxy-1.3.0.tar.gz && cd dnscrypt-proxy-1.3.0
    ./configure
    make -j4
    sudo make install
  3. Create a new system user to run the service:
    sudo adduser -m -N -r -s /bin/false dnscrypt
  4. Now start the service in the foreground to make sure everything is working:
    sudo dnscrypt-proxy -u dnscrypt
  5. Change your system DNS server to 127.0.0.1. There are many ways to do this. The adventurous can edit the appropriate script in /etc/sysconfig/network-scripts/. If you don't have NetworkManager installed, editing /etc/resolv.conf would work too. Gnome users: click on the network icon, click 'Network Settings', select the connection and click 'Options'. Then in the 'IPv4 Settings' tab, set the 'Method' to 'Automatic (DHCP) Addresses Only' and type in 127.0.0.1 in the 'DNS Servers' text box.
  6. Restart the network service for the DNS server change to take effect:
    sudo systemctl restart network.service
  7. Now you can verify that the changes have taken effect by running dig google.com and checking the output for the line: SERVER: 127.0.0.1#53(127.0.0.1). Alternatively, navigate to http://www.opendns.com/welcome/ using a web browser. The screen will tell you whether you are using OpenDNS or not.
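The two checks in step 7 can be scripted so they are repeatable after every reboot or network change. The script below is an added example and not part of the original post; it assumes dnscrypt-proxy listens on 127.0.0.1 port 53 (its default), that dig is available (the bind-utils package on Fedora), and that the resolver file uses plain "nameserver" lines. The sample inputs in the usage note are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): verify that both the resolver
# configuration and an actual dig answer point at the local dnscrypt-proxy.
# Assumes the proxy listens on 127.0.0.1:53 and resolv.conf uses
# "nameserver" lines.

# Return 0 if every nameserver line in the given resolv.conf-style file is
# 127.0.0.1, 1 if any other resolver is listed (a second, non-local resolver
# would let lookups bypass dnscrypt-proxy entirely).
resolvers_are_local() {
    file="$1"
    others=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" { print $2 }' "$file")
    if [ -n "$others" ]; then
        echo "non-local resolver(s) still configured: $others" >&2
        return 1
    fi
    grep -q '^nameserver[[:space:]]*127\.0\.0\.1' "$file"
}

# Return 0 if dig output read from stdin reports that the answer came from
# 127.0.0.1 port 53, i.e. contains "SERVER: 127.0.0.1#53(127.0.0.1)".
dig_answered_locally() {
    grep -q 'SERVER: 127\.0\.0\.1#53'
}

# Live check against the running system (needs dig and network access).
check_live() {
    resolvers_are_local /etc/resolv.conf || return 1
    dig google.com | dig_answered_locally
}

# Only query the network when explicitly asked, so the functions above can be
# sourced and exercised on sample input without side effects.
if [ "${1:-}" = "--live" ]; then
    check_live && echo "DNS lookups are going through 127.0.0.1" ||
        { echo "DNS lookups are NOT going through 127.0.0.1" >&2; exit 1; }
fi
```

Run it as `sh check-dns.sh --live` (the file name is arbitrary). Checking resolv.conf separately from the dig answer matters because NetworkManager can silently add the DHCP-supplied resolvers back as fallbacks; dig alone, which reports only the server that answered, would not reveal that.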
To run the dnscrypt-proxy service on system startup, create a systemd service as follows:
  1. As root, create the file /etc/systemd/system/dnscrypt.service with the following content:
  2. Refresh the system daemon:
    sudo systemctl daemon-reload
  3. Now the dnscrypt service will start automatically on every boot. You can manually start or stop the service by issuing the usual systemctl commands as well.
    sudo systemctl start dnscrypt.service
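The unit file content is not shown above, so here is a complete, minimal one as an added example (not the author's file or part of the dnscrypt-proxy project), wrapped in a script that writes it and enables it. It assumes `make install` with the default prefix put the binary at /usr/local/sbin/dnscrypt-proxy and that the service user is the `dnscrypt` account created earlier; adjust ExecStart if `which dnscrypt-proxy` says otherwise. The unit has an [Install] section and the script runs `systemctl enable`, which is what actually makes a unit start at boot; daemon-reload alone only makes systemd aware of the new file.

```shell
#!/bin/sh
# Added example (not from the original post): write a systemd unit for
# dnscrypt-proxy and enable it so the proxy starts on every boot.
# Assumptions: the binary lives at /usr/local/sbin/dnscrypt-proxy (default
# "make install" prefix) and the unprivileged service user is "dnscrypt".

# Print the unit text. "-u dnscrypt" makes the proxy bind port 53 as root and
# then switch to the unprivileged user, so a bug in the proxy does not give
# an attacker root on the box.
dnscrypt_unit_text() {
    cat <<'EOF'
[Unit]
Description=DNSCrypt client proxy
After=network.target

[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy -u dnscrypt
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit to the given path (default: the system unit directory) and
# return 0 only if the written file actually carries the ExecStart line.
install_dnscrypt_unit() {
    target="${1:-/etc/systemd/system/dnscrypt.service}"
    dnscrypt_unit_text > "$target" || return 1
    grep -q '^ExecStart=.*dnscrypt-proxy' "$target"
}

# Only touch the live system when asked explicitly (run as root).
# "enable" is required for boot-time start; "daemon-reload" alone is not.
if [ "${1:-}" = "--install" ]; then
    install_dnscrypt_unit &&
        systemctl daemon-reload &&
        systemctl enable dnscrypt.service &&
        systemctl start dnscrypt.service
fi
```

After `sudo sh install-dnscrypt-unit.sh --install`, `systemctl status dnscrypt.service` should show the process running as the dnscrypt user, and the verification from step 7 above should still pass after a reboot.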