dnscrypt-wrapper On Chimaera 2021
2021-12-01
Someone recently asked me which [of my] instructions would be best to follow if they were going to try setting up a DNSCrypt server. My answer was this post from over two years ago. Well, even I am no longer using Debian Stretch, so I figured it was time to do an updated version of those instructions (on a distribution that doesn't use systemd thankfully). Here's a somewhat chopped up version of the notes I took as I went along.
- fresh Devuan Chimaera install (standard system utilities only)
- log in to console
# apt-get install ssh --no-install-recommends
- ssh to box as user and "su -" to root
# apt-get install build-essential automake libsodium-dev libevent-dev resolvconf dnsutils unbound unzip
Note: as of 2021-12-01 the repositories have Unbound v1.13.1. If you are really intent on having Unbound v1.13.2 you could build it from scratch. The changelog shows a lot of changes but I think the repo version would be fine.
# nano /etc/unbound/unbound.conf.d/myconfig.conf
...paste in this content
server:
    interface: "127.0.0.1"
    do-daemonize: "yes"
    username: "unbound"
    logfile: "/var/log/unbound.log"
    hide-identity: "yes"
    hide-version: "yes"
    harden-glue: "yes"
    harden-dnssec-stripped: "yes"
    access-control: "127.0.0.1 allow"
    root-hints: "/etc/unbound/named.root"
Note: Unbound logs to syslog by default and ignores the logfile setting unless you also set use-syslog: "no" (and the file has to be writable by the unbound user). Binding only 127.0.0.1 with a matching access-control is what keeps this from being an open resolver; the only thing that will ever talk to it is the dnscrypt-wrapper on the same box. DNSSEC validation itself needs a trust anchor; the Debian/Devuan package drops a root-auto-trust-anchor-file.conf into the same unbound.conf.d directory, which is what gives harden-dnssec-stripped something to do.
# wget -O /etc/unbound/named.root https://www.internic.net/domain/named.root
# service unbound restart
# nslookup snork.ca 127.0.0.1
Confirm Unbound name resolution works. The above nslookup command should give you my IP address eh. If that worked, then it looks like your upstream DNS lookups (recursive) are working and you can move on to the dnscrypt-wrapper.
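The nslookup above only proves that something answers on 127.0.0.1. Before putting a DNSCrypt front end on it, it is worth checking that the resolver actually validates DNSSEC and is not reachable from outside. The script below is an added example for this post, not something from the original notes or from Unbound. It assumes Unbound is bound to 127.0.0.1 as configured above, that dig (from the dnsutils package installed earlier) and ss are available, uses isc.org as a zone known to be signed and the public, deliberately broken dnssec-failed.org zone as the negative case; the file name and the two embedded dig headers are constructed for illustration.

```shell
#!/bin/sh
# resolver_check.sh (hypothetical name): added example, not from the post or from Unbound.
# Verifies three things about the Unbound instance configured above:
#   1. the config parses (unbound-checkconf),
#   2. answers are DNSSEC-validated (AD flag set) and bogus signatures are refused,
#   3. port 53 is bound to loopback only, i.e. this is not an open resolver.
set -u

# Pull the "status:" word (NOERROR, SERVFAIL, ...) out of dig's header line on stdin.
dig_status() { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p'; }

# Succeeds when dig's flags line carries "ad" (authenticated data), which Unbound
# only sets after it validated the answer itself.
dig_has_ad() { grep -q '^;; flags:.* ad[ ;]'; }

# Constructed dig output used to self-test the two parsers without any network.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

selftest_parsers() {
  [ "$(printf '%s\n' "$SAMPLE_OK" | dig_status)" = "NOERROR" ] || return 1
  printf '%s\n' "$SAMPLE_OK" | dig_has_ad || return 1
  [ "$(printf '%s\n' "$SAMPLE_BAD" | dig_status)" = "SERVFAIL" ] || return 1
  if printf '%s\n' "$SAMPLE_BAD" | dig_has_ad; then return 1; fi
  return 0
}

check_resolver() {
  unbound-checkconf >/dev/null || { echo "FAIL: unbound.conf does not parse"; return 1; }
  # +dnssec sets the DO bit, so a validating Unbound answers a signed zone with AD set.
  if dig @127.0.0.1 +dnssec isc.org A | dig_has_ad; then
    echo "ok: validated answer (ad flag set)"
  else
    echo "FAIL: no ad flag; is the root-auto-trust-anchor-file drop-in present in unbound.conf.d?"
    return 1
  fi
  # dnssec-failed.org is a public zone whose signatures are intentionally broken;
  # a validating resolver must refuse it with SERVFAIL rather than hand it over.
  rc_st=$(dig @127.0.0.1 +dnssec dnssec-failed.org A | dig_status)
  if [ "$rc_st" = "SERVFAIL" ]; then
    echo "ok: broken signatures rejected"
  else
    echo "FAIL: got $rc_st for a deliberately broken zone"
    return 1
  fi
  # Any UDP socket on :53 that is not 127.x is reachable from the outside.
  ss -lnu | awk '$4 ~ /:53$/ && $4 !~ /^127\./ { bad = 1; print "FAIL: listening on " $4 }
                 END { if (!bad) print "ok: port 53 bound to loopback only"; exit bad }'
}

# Run the live checks only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  selftest_parsers || { echo "parser self-test failed"; exit 1; }
  check_resolver
fi
```

Run it as `sh resolver_check.sh --run` on the server; every line should start with "ok:". A missing ad flag with NOERROR answers means Unbound is resolving but not validating, and harden-dnssec-stripped is then doing nothing for you.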
# mkdir ~/src && cd ~/src
# wget -O dnscrypt-wrapper-master.zip https://github.com/cofyc/dnscrypt-wrapper/archive/master.zip
Note: master.zip is whatever the branch holds on the day you fetch it, so two people following these notes a month apart can end up building different code; if you want something reproducible, grab a tagged release from the same repository instead.
# unzip dnscrypt-wrapper-master.zip
# cd dnscrypt-wrapper-master
# make configure
# ./configure
# make install
# mkdir /etc/dnscrypt && cd /etc/dnscrypt
# dnscrypt-wrapper --gen-provider-keypair --dnssec --nolog --nofilter --provider-name=2.dnscrypt-cert.CHANGE-ME --ext-address=CHANGE-ME:443
- provider-name = a name of your choosing that MUST begin with "2.dnscrypt-cert."
- ext-address = public IP address and port of the server, exactly as clients will reach it
- copy the sdns stamp this command provides for later use
- the command also writes public.key and secret.key into the current directory; secret.key signs every short-term certificate the wrapper publishes, so keep it readable by root only
- --dnssec, --nolog and --nofilter only set property bits in the stamp; they are claims shown to clients, not behaviour the wrapper enforces, so advertise only what the resolver behind it actually does
# wget -O keyrotate.sh https://snork.ca/posts/2019-07-12-howto-stretch-dnscrypt-wrapper-unbound-dnssec-key-rotation/keyrotate.sh.txt
# chmod +x keyrotate.sh
# nano keyrotate.sh
- change keydir, bindto, and providername variables for your system
- change extresolver if you are not using Unbound as described above
- change wrapperbin if you have the dnscrypt-wrapper installed somewhere else
- change logfile if you want it somewhere else
- change grepfor if you have some very nonstandard IP addressing
# ./keyrotate.sh
If the key rotation script barfed up something like this:
Generate crypt key pair... ok.
Secret key stored in 1.key
[9023] 01 Dec 13:50:06.962 [notice] [main.c:742] Generating pre-signed certificate (expire in 86400 seconds).
[9023] 01 Dec 13:50:06.962 [notice] [main.c:749] TXT record for signed-certificate:
* Record for nsd:
2.dnscrypt-cert 86400 IN TXT "DNSC\000\002\000\000\021/\151\235Q\143hSx#{\158\018\142\236;\169\215\195\192q\184\024'\174\241\139'e;Vh/\172\166\241\168`\174S\212\013M\227\222|r\205\034\003T\158\197Z\182+k.kLs\027\026\011\214\185\224\255]\129\174\129\161\145\236\013^\234\150\182\128\180?\016\205\009\025\192\127\153<!\248\235\146f\215\185\224\255]\129\174\129a\167\195\222a\167\195\222a\169\021^"
* Record for tinydns:
'2.dnscrypt-cert:DNSC\000\002\000\000\025/\227\353Q\217hSx#{\236\022\216\354;\251\327\303\300q\270\030'\256\361\213'e;Vh/\254\246\361\250`\256S\324\015M\343\336|r\315"\003T\236\305Z\266+k.kLs\033\032\013\326\271\340\377]\201\256\201\241\221\354\015^\352\226\266\200\264?\020\315\011\031\300\177\231\074!\370\353\222f\327\271\340\377]\201\256\201a\247\303\336a\247\303\336a\251\025^:86400
... then your dnscrypt-wrapper should be running. Now you need to get a client to connect to it to confirm that the server is listening and is able to resolve queries. Download the dnscrypt-proxy client, unarchive it, and modify the dnscrypt-proxy.toml file. Near the top you'll want to tell it to only connect to your test server with something like this:
server_names = ['my-test-server']
Then at the bottom of the file you can add in your test server in the static section. You'll of course need to paste in the sdns stamp that you copied and set aside earlier (remember I mentioned that?).
[static.'my-test-server']
stamp = 'sdns://abcdefg123456789hijklmn'
Now run the proxy client and it should connect to your fancy new server. By default dnscrypt-proxy listens on 127.0.0.1:53, so the query below goes to the proxy on the client machine, which relays it over DNSCrypt to the wrapper (and from there to Unbound).
- $ sudo ./dnscrypt-proxy
Go on... now try doing some queries from your client!
- $ nslookup snork.ca 127.0.0.1
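The stamp printed by --gen-provider-keypair and pasted into the [static] section above is the only thing a client has to go on: it carries the address, the provider name, the provider public key and the dnssec/nolog/nofilter bits. The script below is an added example for this post, not code from the original notes, from dnscrypt-wrapper or from dnscrypt-proxy. It encodes and decodes DNSCrypt stamps (protocol byte 0x01, then the property bits as a little-endian 64-bit integer, then length-prefixed address, public key and provider name, all base64url-encoded without padding) so you can check that the stamp you are handing out says what you think it says and that the key inside it matches public.key. The file name, the 203.0.113.7 address, the example provider name and the repeating test key are constructed; it assumes public.key holds the raw 32-byte key as --gen-provider-keypair wrote it.

```shell
#!/bin/sh
# stamp_check.sh (hypothetical name): added example, not from the post, from
# dnscrypt-wrapper or from dnscrypt-proxy. Encodes and decodes DNSCrypt "sdns://"
# stamps so the stamp handed to clients can be checked against what was generated.
# Layout for protocol 0x01 (DNSCrypt): 0x01 | props as u64 little-endian
# (bit0 DNSSEC, bit1 no logs, bit2 no filter) | LP(addr) | LP(pk, 32 bytes) |
# LP(provider name); LP = one length byte followed by the bytes. The whole
# thing is base64url-encoded without padding and prefixed with "sdns://".
set -u

to_hex()  { od -An -v -tx1 | tr -d ' \n'; }          # stdin bytes -> lowercase hex
str_hex() { printf '%s' "$1" | to_hex; }              # string -> hex

hex_to_bin() {   # $1 hex -> raw bytes on stdout (octal escapes, so NUL bytes survive)
  hb_h=$1
  while [ -n "$hb_h" ]; do
    printf "\\$(printf '%03o' "0x$(printf '%s' "$hb_h" | cut -c1-2)")"
    hb_h=$(printf '%s' "$hb_h" | cut -c3-)
  done
}

b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {   # $1 base64url without padding -> raw bytes
  bd_s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#bd_s} % 4 )) -ne 0 ]; do bd_s="$bd_s="; done
  printf '%s' "$bd_s" | base64 -d
}

props_le_hex() {   # $1 decimal props -> 16 hex chars, little-endian u64
  pl_v=$1 pl_out="" pl_i=0
  while [ $pl_i -lt 8 ]; do
    pl_out="$pl_out$(printf '%02x' $(( pl_v & 255 )))"; pl_v=$(( pl_v >> 8 )); pl_i=$(( pl_i + 1 ))
  done
  printf '%s' "$pl_out"
}

lp_hex()  { printf '%02x%s' $(( ${#1} / 2 )) "$1"; }   # length-prefix a hex payload (< 256 bytes)
lp_take() {   # $1 hex starting with a length byte -> the payload hex
  lt_n=$(printf '%d' "0x$(printf '%s' "$1" | cut -c1-2)")
  printf '%s' "$1" | cut -c3-$(( 2 + lt_n * 2 ))
}
lp_rest() {   # $1 hex starting with a length byte -> whatever follows the payload
  lr_n=$(printf '%d' "0x$(printf '%s' "$1" | cut -c1-2)")
  printf '%s' "$1" | cut -c$(( 3 + lr_n * 2 ))-
}

encode_stamp() {   # $1 "ip:port"  $2 public key as 64 hex chars  $3 provider name  $4 props (decimal)
  es_hex="01$(props_le_hex "$4")$(lp_hex "$(str_hex "$1")")$(lp_hex "$2")$(lp_hex "$(str_hex "$3")")"
  printf 'sdns://%s' "$(hex_to_bin "$es_hex" | b64url_encode)"
}

decode_stamp() {   # $1 sdns://... -> "props addr pk_hex provider" on stdout; fails for non-DNSCrypt stamps
  ds_hex=$(b64url_decode "${1#sdns://}" | to_hex)
  ds_proto=$(printf '%s' "$ds_hex" | cut -c1-2)
  [ "$ds_proto" = "01" ] || { echo "not a DNSCrypt stamp (protocol byte $ds_proto)" >&2; return 1; }
  ds_p="" ds_i=17                         # props sit in hex columns 3..18; read them back to front
  while [ $ds_i -ge 3 ]; do
    ds_p="$ds_p$(printf '%s' "$ds_hex" | cut -c$ds_i-$(( ds_i + 1 )))"; ds_i=$(( ds_i - 2 ))
  done
  ds_rest=$(printf '%s' "$ds_hex" | cut -c19-)
  ds_addr=$(lp_take "$ds_rest"); ds_rest=$(lp_rest "$ds_rest")
  ds_pk=$(lp_take "$ds_rest");   ds_rest=$(lp_rest "$ds_rest")
  ds_prov=$(lp_take "$ds_rest")
  printf '%s %s %s %s\n' "$(printf '%d' "0x$ds_p")" "$(hex_to_bin "$ds_addr")" "$ds_pk" "$(hex_to_bin "$ds_prov")"
}

props_flags() {   # $1 props -> names of the advertised properties
  pf_out=""
  [ $(( $1 & 1 )) -ne 0 ] && pf_out="dnssec"
  [ $(( $1 & 2 )) -ne 0 ] && pf_out="$pf_out nolog"
  [ $(( $1 & 4 )) -ne 0 ] && pf_out="$pf_out nofilter"
  printf '%s\n' "${pf_out# }"
}

# Usage: sh stamp_check.sh 'sdns://...' [/etc/dnscrypt/public.key]
# The optional second argument is compared with the key carried inside the stamp
# (assumes the file holds the raw 32-byte key as --gen-provider-keypair wrote it).
if [ $# -ge 1 ]; then
  st_dec=$(decode_stamp "$1") || exit 1
  echo "$st_dec"
  echo "advertised: $(props_flags "${st_dec%% *}")"
  if [ $# -ge 2 ]; then
    [ "$(printf '%s' "$st_dec" | cut -d' ' -f3)" = "$(to_hex < "$2")" ] \
      && echo "public key matches $2" || echo "public key does NOT match $2"
  fi
fi
```

Run it on the server as `sh stamp_check.sh 'sdns://...' /etc/dnscrypt/public.key` with the stamp you pasted into dnscrypt-proxy.toml. The address must be the one clients actually reach (a stamp built with an internal address will decode fine and still fail in the wild), and the advertised line should list only properties the resolver behind the wrapper really provides, since the proxy displays those bits to users as fact.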