Sunday, February 19, 2012

Encrypt DNS Traffic In Linux With DNSCrypt (Via OpenDNS)


DNSCrypt, as its name suggests, encrypts DNS traffic between your computer and OpenDNS, in the same way SSL turns HTTP traffic into HTTPS encrypted traffic.

Initially, DNSCrypt was announced as being available for Mac only for now, but according to an OpenDNS article posted yesterday, the source code for DNSCrypt was published on GitHub when they've released the Mac preview and even though there's no user interface yet, Linux users can already install DNSCrypt.


Why use DNSCrypt?


DNSCrypt encrypts all DNS traffic between your computer and the OpenDNS servers (so you'll be using OpenDNS) and can protect you from man-in-the-middle attacks, spying, resolver impersonation, can prevent Internet service providers from blocking various websites and more.

This is the first tool that encrypts DNS traffic - for instance, TOR encrypts DNS requests, but they are decrypted at the exit node.

It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.

You can read more about DNSCrypt @ OpenSND DNSCrypt page and on GitHub.


How to use DNSCrypt in Linux


Download DNSCrypt, install it and then run the following command in a terminal:
sudo /usr/sbin/dnscrypt-proxy --daemonize


Then set your DNS server to "127.0.0.1" - to do this under GNOME, go to your Network Connections and select "Edit" and enter "127.0.0.1" under "DNS servers". If you are using DHCP, just select "Automatic (DHCP) addresses only, so you can enter a DNS server. Then, restart your network connection.

You can then check if you're using OpenDNS by visiting THIS link.

To get DNSCrypt to start automatically, you must create an init script. For Ubuntu, see below.

Arch Linux users can install DNSCrypt-proxy via AUR (it includes an rc.d script).


DNSCrypt in Ubuntu


To make DNSCrypt start automatically in Ubuntu, I've created an Upstart script which you can use if you want - download it.

Update: Because in Ubuntu 12.04 there is a local DNS cache running on 127.0.0.1 (dnsmasq), I've updated the script to make DNSCrypt use 127.0.0.2, so you should add "127.0.0.2" as your DNS and not "127.0.0.1" if you're using this script (for any Ubuntu version). Thanks to zzecool!

To install the script, use the commands below (firstly extract the downloaded archive):
sudo cp dnscrypt.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt

And finally, start it with:
sudo start dnscrypt

DNSCrypt should now start automatically when you boot. To stop it, you can use:
sudo stop dnscrypt


Download DNSCrypt (.deb, .rpm and source code available)

No comments:

Post a Comment