Today I will talk about net/dnscrypt-proxy. It lets you encrypt and authenticate the DNS traffic between your resolver and a remote recursive DNS server. More and more countries and internet providers use DNS to block websites, and they now tend to do "man in the middle" on DNS answers, so you can't simply point at a remote DNS server found on the internet. Because dnscrypt answers are authenticated, an on-path attacker between you and the dnscrypt server cannot alter them; the remote dnscrypt resolver could itself still receive hijacked answers from upstream, but there is very little chance DNS traffic is altered inside datacenters / dedicated server hosting.
The article also deals with unbound as a DNS cache, because dnscrypt is a bit slow and asking for the same domain multiple times within a few minutes is a waste of CPU/network/time for everyone. So I recommend setting up a DNS cache on your side (which also lets you use it on a LAN).
At the time I write this article, there is a very good explanation of "how to install it", named dnscrypt-proxy-1.7.0p1, in the folder /usr/local/share/doc/pkg-readmes/. The following article is made from this file. The file on OpenBSD 6.0 doesn't mention unbound (while in -current, the upcoming 6.1, this is explained).
While I write for OpenBSD, this can easily be adapted to anything else Unix-like.
Modify your /etc/resolv.conf file to this:

nameserver 127.0.0.1
lookup file bind
options edns0
If you use DHCP, you can force 127.0.0.1 as the nameserver by adding the following line to the dhclient configuration file (/etc/dhclient.conf):

supersede domain-name-servers 127.0.0.1;
Now we need to modify the unbound config to tell it to forward all queries to 127.0.0.1 port 40, where dnscrypt-proxy will listen. Please adapt your config; I will only add what is mandatory. The unbound configuration file isn't in /etc because unbound is chrooted: on OpenBSD it lives in /var/unbound/etc/unbound.conf.

server:
    # ↓ this line is MANDATORY, unbound refuses to forward to localhost otherwise ↓
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
    # ↑ address dnscrypt-proxy listens on

If you want to allow other hosts to resolve through your unbound daemon, see the interface and access-control parameters: you will need to tell unbound to bind on the external interface and to allow requests coming from your LAN on it.
Now we need to configure dnscrypt-proxy. Pick a server from the list in /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv; the resolver name is the first column.
As root, type the following (or use doas/sudo). In the example we choose dnscrypt.eu-nl as the DNS provider:

rcctl enable dnscrypt_proxy
rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
rcctl start dnscrypt_proxy

The flags mean: -E use ephemeral client keys for each query, -m1 log level 1, -R the resolver name from the CSV, and -a the local address and port to listen on (the one unbound forwards to).
You should be able to resolve addresses through dnscrypt now. You can run tcpdump on your external interface and watch UDP port 53: you should not see any traffic there, since all queries now leave the machine encrypted towards the dnscrypt resolver.
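As an added example (not part of the original post or of the dnscrypt-proxy package), here is a small POSIX sh script that sanity-checks the three pieces of configuration above before you start chasing problems with tcpdump: resolv.conf must only name 127.0.0.1, unbound.conf must carry do-not-query-localhost: no and forward the root zone to the dnscrypt address, and the dnscrypt_proxy flags must listen on that same address with a resolver name set. The file paths and the 127.0.0.1@40 address are assumptions matching this article's OpenBSD 6.0 setup; override them through the environment on other systems.

```shell
#!/bin/sh
# Added example: lint the resolver chain described in the article.
# Assumed defaults (OpenBSD 6.0 paths); override via the environment.
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
UNBOUND_CONF=${UNBOUND_CONF:-/var/unbound/etc/unbound.conf}
DNSCRYPT_ADDR=${DNSCRYPT_ADDR:-127.0.0.1@40}   # unbound forward-addr syntax

# 0 if every nameserver line in $1 is 127.0.0.1 and at least one exists,
# so no query can ever bypass unbound and leak in clear text.
check_resolv_conf() {
    f=$1
    grep -E '^[[:space:]]*nameserver' "$f" | grep -vq '127\.0\.0\.1' && return 1
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1' "$f" || return 1
    return 0
}

# 0 if $1 allows querying localhost and forwards to the dnscrypt address.
check_unbound_conf() {
    f=$1
    # without this, unbound silently refuses to forward to 127.0.0.1
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$f" || return 1
    # the forward-addr must be the address dnscrypt-proxy listens on
    grep -E '^[[:space:]]*forward-addr:' "$f" | grep -Fq "$DNSCRYPT_ADDR" || return 1
    return 0
}

# 0 if the rc flags string $1 listens on the forwarded address (host:port,
# as dnscrypt-proxy -a expects) and names a resolver with -R.
check_dnscrypt_flags() {
    flags=$1
    listen=$(printf '%s' "$DNSCRYPT_ADDR" | sed 's/@/:/')
    case " $flags " in
        *" -a $listen "*) ;;
        *) return 1 ;;
    esac
    case " $flags " in
        *" -R "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live system: ./check-dnscrypt.sh check (rcctl needs root).
main() {
    rc=0
    check_resolv_conf "$UNBOUND_CONF" >/dev/null 2>&1  # no-op warm-up, keeps rc untouched
    check_resolv_conf "$RESOLV_CONF" || { echo "resolv.conf: nameserver must be 127.0.0.1 only"; rc=1; }
    check_unbound_conf "$UNBOUND_CONF" || { echo "unbound.conf: missing do-not-query-localhost: no or forward-addr $DNSCRYPT_ADDR"; rc=1; }
    flags=$(rcctl get dnscrypt_proxy flags 2>/dev/null)
    check_dnscrypt_flags "$flags" || { echo "dnscrypt_proxy flags: expected -a $(printf '%s' "$DNSCRYPT_ADDR" | sed 's/@/:/') and -R <resolver>"; rc=1; }
    [ "$rc" -eq 0 ] && echo "resolver chain looks consistent"
    return "$rc"
}
[ "${1:-}" = "check" ] && main
```

Each check deliberately fails closed: a stray upstream nameserver line, a forgotten do-not-query-localhost, or a port mismatch between forward-addr and -a are exactly the mistakes that make unbound time out or, worse, fall back to clear-text DNS.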
If you want to send DNS requests directly to dnscrypt-proxy, bypassing unbound, with

dig hostname -p 40 @127.0.0.1

you will need net/isc-bind, which provides /usr/local/bin/dig. The dig in OpenBSD base can't use a port other than 53.