snork.ca: Welcome to the brown age of computing! Cloudy, -1.7°C [W: -5°C] - No precip

dnscrypt-wrapper On Chimaera 2021 2021-12-01


Someone recently asked me which [of my] instructions would be best to follow if they were going to try setting up a DNSCrypt server. My answer was this post from over two years ago. Well, even I am no longer using Debian Stretch, so I figured it was time to do an updated version of those instructions (on a distribution that doesn't use systemd thankfully). Here's a somewhat chopped up version of the notes I took as I went along.

# apt-get install ssh --no-install-recommends

# apt-get install build-essential automake libsodium-dev libevent-dev resolvconf dnsutils unbound unzip

Note: as of 2021-12-01 the repositories have Unbound v1.13.1. If you are really intent on having Unbound v1.13.2 you could build it from scratch. The changelog shows a lot of changes but I think the repo version would be fine.

# nano /etc/unbound/unbound.conf.d/myconfig.conf

...paste in this content

server:
  interface: "127.0.0.1"
  do-daemonize: "yes"
  username: "unbound"
  logfile: "/var/log/unbound.log"
  hide-identity: "yes"
  hide-version: "yes"
  harden-glue: "yes"
  harden-dnssec-stripped: "yes"
  access-control: "127.0.0.1 allow"
  root-hints: "/etc/unbound/named.root"

# wget -O /etc/unbound/named.root https://www.internic.net/domain/named.root
# service unbound restart
# nslookup snork.ca 127.0.0.1

Confirm Unbound name resolution works. The above nslookup command should give you my IP address eh. If that worked, then it looks like your upstream DNS lookups (recursive) are working and you can move on to the dnscrypt-wrapper.

# mkdir ~/src && cd ~/src
# wget -O dnscrypt-wrapper-master.zip https://github.com/cofyc/dnscrypt-wrapper/archive/master.zip
# unzip dnscrypt-wrapper-master.zip
# cd dnscrypt-wrapper-master
# make configure
# ./configure
# make install

# mkdir /etc/dnscrypt && cd /etc/dnscrypt
# dnscrypt-wrapper --gen-provider-keypair --dnssec --nolog --nofilter --provider-name=2.dnscrypt-cert.CHANGE-ME --ext-address=CHANGE-ME:443

# wget -O keyrotate.sh https://snork.ca/posts/2019-07-12-howto-stretch-dnscrypt-wrapper-unbound-dnssec-key-rotation/keyrotate.sh.txt
# chmod +x keyrotate.sh
# nano keyrotate.sh

# ./keyrotate.sh

If the key rotation script barfed up something like this:

Generate crypt key pair... ok.
Secret key stored in 1.key
[9023] 01 Dec 13:50:06.962 [notice] [main.c:742] Generating pre-signed certificate (expire in 86400 seconds).
[9023] 01 Dec 13:50:06.962 [notice] [main.c:749] TXT record for signed-certificate:
* Record for nsd:
2.dnscrypt-cert 86400 IN TXT "DNSC\000\002\000\000\021/\151\235Q\143hSx#{\158\018\142\236;\169\215\195\192q\184\024'\174\241\139'e;Vh/\172\166\241\168`\174S\212\013M\227\222|r\205\034\003T\158\197Z\182+k.kLs\027\026\011\214\185\224\255]\129\174\129\161\145\236\013^\234\150\182\128\180?\016\205\009\025\192\127\153<!\248\235\146f\215\185\224\255]\129\174\129a\167\195\222a\167\195\222a\169\021^"

* Record for tinydns:
'2.dnscrypt-cert:DNSC\000\002\000\000\025/\227\353Q\217hSx#{\236\022\216\354;\251\327\303\300q\270\030'\256\361\213'e;Vh/\254\246\361\250`\256S\324\015M\343\336|r\315"\003T\236\305Z\266+k.kLs\033\032\013\326\271\340\377]\201\256\201\241\221\354\015^\352\226\266\200\264?\020\315\011\031\300\177\231\074!\370\353\222f\327\271\340\377]\201\256\201a\247\303\336a\247\303\336a\251\025^:86400

... then your dnscrypt-wrapper should be running. Now you need to get a client to connect to it to confirm that the server is listening and is able to resolve queries. Download the dnscrypt-proxy client, unarchive it, and modify the dnscrypt-proxy.toml file. Near the top you'll want to tell it to only connect to your test server with something like this:

server_names = ['my-test-server']

Then at the bottom of the file you can add in your test server in the static section. You'll of course need to paste in the sdns stamp that you copied and set aside earlier (remember I mentioned that?).

[static.'my-test-server']
stamp = 'sdns://abcdefg123456789hijklmn'

Now run the proxy client and it should connect to your fancy new server.

Paul Harrel: comedic genius.

Go on... now try doing some queries from your client!
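Before handing the stamp to any client it is worth confirming two things about the TXT record the rotation script printed: that it decodes as a real certificate, and that its validity window (86400 seconds in the log above, which is the whole reason keyrotate.sh exists) has not already lapsed. The Python below is an added example, not part of this post or of dnscrypt-wrapper; it turns the nsd-style (decimal `\DDD`) or tinydns-style (octal) presentation string back into the fixed 124-byte DNSCrypt v2 certificate and reports cipher, serial and validity. The sample record is constructed, not the one printed above, and the ed25519 signature over the certificate is not verified here.

```python
import re
import struct
import time

CERT_MAGIC = b"DNSC"
ES_VERSIONS = {1: "XSalsa20-Poly1305", 2: "XChaCha20-Poly1305"}
# DNSCrypt v2 certificate layout (124 bytes, no extensions), ints big-endian:
# magic(4) es-version(2) minor(2) signature(64) resolver-pk(32) client-magic(8)
# serial(4) ts-start(4) ts-end(4). Everything after the signature is signed.
CERT_LEN = 124

def unescape_txt(text, octal=False):
    """TXT presentation string -> bytes. nsd/BIND print \\DDD decimal escapes,
    tinydns prints \\ooo octal; \\" and \\\\ stand for the literal character."""
    def one(m):
        return chr(int(m.group(1), 8 if octal else 10)) if m.group(1) else m.group(2)
    return re.sub(r"\\(\d{3})|\\(.)", one, text).encode("latin-1")

def escape_txt(raw):
    """bytes -> nsd-style decimal presentation string (printable ASCII kept)."""
    return "".join(chr(b) if 32 < b < 127 and chr(b) not in '\\"' else "\\%03d" % b
                   for b in raw)

def parse_cert(raw):
    """Split a certificate into fields; the ed25519 signature is NOT verified."""
    if len(raw) < CERT_LEN or raw[:4] != CERT_MAGIC:
        raise ValueError("not a DNSCrypt certificate")
    es_version, minor = struct.unpack(">HH", raw[4:8])
    serial, ts_start, ts_end = struct.unpack(">III", raw[112:124])
    return {"es_version": ES_VERSIONS.get(es_version, "unknown"), "minor": minor,
            "signature": raw[8:72], "resolver_pk": raw[72:104],
            "client_magic": raw[104:112], "serial": serial,
            "ts_start": ts_start, "ts_end": ts_end}

def check_txt_record(txt, octal=False, now=None):
    """Decode one TXT string from the zone; report cipher, serial and validity."""
    info = parse_cert(unescape_txt(txt, octal))
    now = int(time.time()) if now is None else now
    if now < info["ts_start"]:
        status = "not yet valid"
    else:
        status = "expired" if now > info["ts_end"] else "valid"
    return info["es_version"], info["serial"], status

# Constructed sample (not from the post): zero signature, dummy keys, serial 1,
# valid for 86400 s from a made-up start time of 2021-12-01 13:50:06 UTC.
TS_START = 1638366606
SAMPLE = (CERT_MAGIC + struct.pack(">HH", 2, 0) + bytes(64) + bytes(range(32))
          + bytes(8) + struct.pack(">III", 1, TS_START, TS_START + 86400))
```

Feed it the string between the quotes of the `2.dnscrypt-cert ... IN TXT` line (or the tinydns line with `octal=True`); a result of "expired" means clients will refuse the server no matter how correct the stamp is.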

Made with Notepad++ and FastStone, hosted on Devuan with nginx, without javascript, google bullshit, CDN crap, or cookies, and powered by NK shrooms.