issue137:tutoriel1
Differences
Below are the differences between two revisions of the page.

issue137:tutoriel1 [2018/10/01 18:25] – created by auntiee | issue137:tutoriel1 [2018/10/12 15:07] (current version) – auntiee
Version: dnscrypt-proxy 1.9.5 (the 1.x branch is no longer maintained upstream, so do not expect security fixes for it; the 2.x rewrite is not packaged for 18.04)

Web: version 2.0.15 has been released, but Ubuntu 18.04 still uses 1.9.5

Chat:

I am a private person, I do not like my privacy invaded. This is one of the main reasons I use Linux.

Today I am going to show you how to set up DNScrypt on Ubuntu 18.04. Take that, Mr ISP, and anyone else trying to map your internet usage!
Whether you like it or not, you are a commodity; you are being bought and sold all over the world.

Let's improve your security and privacy by following this guide.

DNSCrypt turns regular DNS traffic into encrypted DNS traffic that protects you from eavesdropping and man-in-the-middle attacks. Just like HTTPS now secures your web traffic, DNScrypt secures your DNS traffic. (That said, it is not a complete solution: it hides your queries from your ISP and from anyone on the path, but the resolver you choose still sees every domain you look up, and the IP addresses you connect to afterwards remain visible to the network.)

Let me tell you more about the protocol. Those of you who have no interest in this can skip to the next section. I promise to keep this section short. DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver.
The DNScrypt protocol works over both TCP and UDP. The default HTTPS port is 443, and that is also the port most DNSCrypt resolvers listen on, which lets the traffic pass through most firewalls unhindered. Note that it shares the port, not the protocol: DNSCrypt is not TLS, so a firewall that inspects what is on port 443 can still tell it apart from HTTPS. For those of you interested, you can find a list of ports here: http://

Both the client and the resolver initially generate a temporary (short-term) key pair for each supported encryption system. Each certificate includes a validity period, a serial number, a version that defines a key exchange mechanism, an authenticated encryption algorithm and its parameters, as well as a short-term public key, known as the resolver public key.

So... From your computer or laptop (the client), a DNSCrypt session begins with the client sending a non-authenticated DNS query to a DNSCrypt-enabled resolver, such as OpenDNS.
This DNS query encodes the certificate versions supported by the client, as well as a public identifier of the provider requested by the client.

The server (resolver) responds with a public set of signed certificates, which the client must verify using the provider public key. That provider key is the trust anchor of the whole scheme: the client gets it out of band (dnscrypt-proxy ships it in its resolver list), and a resolver whose certificates do not verify against it is rejected, whatever else the certificates say.

Each certificate includes a "magic number" that the client must prefix all of its queries with, so that the resolver knows which certificate the client chose before it does anything else.

The encryption algorithm, resolver public key and client magic number from the chosen certificate are then used by the client to send encrypted queries. These queries include the client public key.
Using this client public key, and knowing which certificate was chosen by the client as well as the relevant secret key, the resolver verifies and decrypts the query, and encrypts the response the same way.

DNScrypt is not to be confused with DoH (not the Arkanoid one), which is DNS over HTTPS: a separate protocol, standardised as RFC 8484, that Mozilla has been pushing in Firefox.
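The certificate exchange described in the last few paragraphs, as an added example written for this page in Go; it is not code from the article or from dnscrypt-proxy. It models the DNSCrypt v2 certificate layout from the protocol specification and uses Go's standard crypto/ed25519 for the provider signature. The provider key, resolver key, client magics and serial numbers are generated or constructed inline, the resolver's answer is assumed to be a plain list of certificate blobs (the real ones travel in TXT records), and the encryption of the query body itself (X25519 with XSalsa20-Poly1305) is outside the standard library and not shown. What the example demonstrates is the security decision the client makes: a certificate that does not verify against the provider public key, is outside its validity period, or names an encryption system the client does not support is skipped, the highest serial wins among the rest, and the client magic of the chosen certificate then prefixes every query.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DNSCrypt v2 certificate (per the spec): "DNSC" | es-version(2) | minor(2) | Ed25519 sig(64) |
// resolver-pk(32) | client-magic(8) | serial(4) | ts-start(4) | ts-end(4); the sig covers what follows it.
var certMagic = []byte("DNSC")
const esXSalsa20 uint16 = 0x0001 // X25519-XSalsa20Poly1305 (0x0002 is the XChaCha20 variant)

// Cert is a decoded certificate after the client has verified it.
type Cert struct {
	EsVersion              uint16
	ResolverPK             [32]byte // resolver's short-term public key
	ClientMagic            [8]byte  // prefix for every query sent under this cert
	Serial, TSStart, TSEnd uint32   // serial and validity period (Unix seconds)
}

func be16(v uint16) []byte { return []byte{byte(v >> 8), byte(v)} }
func be32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }

// NewProviderKey makes the provider's long-term key pair (constructed for the example);
// the client is assumed to already hold the public half, as dnscrypt-proxy's resolver list provides it.
func NewProviderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// BuildCert is the resolver side: serialize, then sign the fields that follow the signature.
func BuildCert(providerSK ed25519.PrivateKey, c Cert) []byte {
	signed := bytes.Join([][]byte{c.ResolverPK[:], c.ClientMagic[:], be32(c.Serial), be32(c.TSStart), be32(c.TSEnd)}, nil)
	sig := ed25519.Sign(providerSK, signed)
	return bytes.Join([][]byte{certMagic, be16(c.EsVersion), be16(0), sig, signed}, nil)
}

// ParseAndVerify is the client side for one certificate: magic, provider signature, validity window.
func ParseAndVerify(providerPK ed25519.PublicKey, raw []byte, now uint32) (Cert, error) {
	if len(raw) < 124 || !bytes.Equal(raw[:4], certMagic) {
		return Cert{}, errors.New("not a DNSCrypt certificate")
	}
	sig, signed := raw[8:72], raw[72:]
	if !ed25519.Verify(providerPK, signed, sig) {
		return Cert{}, errors.New("provider signature does not verify") // forged, tampered or wrong provider
	}
	c := Cert{EsVersion: binary.BigEndian.Uint16(raw[4:6])}
	copy(c.ResolverPK[:], signed[:32])
	copy(c.ClientMagic[:], signed[32:40])
	c.Serial, c.TSStart, c.TSEnd = binary.BigEndian.Uint32(signed[40:]), binary.BigEndian.Uint32(signed[44:]), binary.BigEndian.Uint32(signed[48:])
	if now < c.TSStart || now > c.TSEnd {
		return Cert{}, errors.New("certificate outside its validity period")
	}
	return c, nil
}

// SelectCert: skip anything forged, expired or using an unsupported encryption system; keep the highest serial.
func SelectCert(providerPK ed25519.PublicKey, raws [][]byte, now uint32, supported map[uint16]bool) (Cert, error) {
	var best Cert
	found := false
	for _, raw := range raws {
		c, err := ParseAndVerify(providerPK, raw, now)
		if err != nil || !supported[c.EsVersion] {
			continue
		}
		if !found || c.Serial > best.Serial {
			best, found = c, true
		}
	}
	if !found {
		return Cert{}, errors.New("no usable certificate")
	}
	return best, nil
}

// QueryPrefix starts every encrypted query: the chosen cert's client magic, then the client's short-term public key.
// The encrypted body that follows needs X25519 + XSalsa20-Poly1305 (outside the standard library) and is not built here.
func QueryPrefix(c Cert, clientPK [32]byte) []byte {
	return bytes.Join([][]byte{c.ClientMagic[:], clientPK[:]}, nil)
}

func main() {
	providerPK, providerSK := NewProviderKey()
	now := uint32(time.Now().Unix())
	var resolverPK, clientPK [32]byte
	rand.Read(resolverPK[:])
	rand.Read(clientPK[:])
	var certs [][]byte // the resolver's answer: an older and a newer certificate (constructed)
	for serial := uint32(1); serial <= 2; serial++ {
		c := Cert{EsVersion: esXSalsa20, ResolverPK: resolverPK, Serial: serial, TSStart: now - 86400, TSEnd: now + 86400}
		copy(c.ClientMagic[:], fmt.Sprintf("cert%04d", serial))
		certs = append(certs, BuildCert(providerSK, c))
	}
	chosen, err := SelectCert(providerPK, certs, now, map[uint16]bool{esXSalsa20: true})
	if err != nil {
		panic(err)
	}
	fmt.Printf("chosen serial %d, query prefix %x\n", chosen.Serial, QueryPrefix(chosen, clientPK))
}
```

Run as is, the program picks the certificate with serial 2. The point worth noticing is in ParseAndVerify: a certificate signed with any key other than the provider key is rejected even though its bytes are perfectly well formed, and that signature check, against a key the client obtained before ever talking to the resolver, is what stops a man in the middle from handing you a resolver key of its own.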
If you are not 100% comfortable with the command line, please back up the files you want to modify BEFORE modifying them!

Open a terminal and type the following:

sudo apt-get install

Enter your password and let it

Then:

sudo sed -i '

Explanation: sed is a stream editor, and the s indicates a substitution. In s/old/new/ the first match of old on each line is replaced with new, and -i writes the result back into the file instead of printing it, which is exactly why you want a backup of that file first.

You can of course also do it manually:

sudo nano /

Change the text 'ResolverName fvz-anyone' to 'ResolverName cisco'.
Do not change the local address. As with all edits in the /etc folder, make a backup of the file first!

Now that you understand the syntax of sed, let's continue:

sudo sed -i '

Let's check that everything is correct:

grep '

You should see this:

ListenStream=127.0.0.1:

ListenDatagram=127.0.0.1:

In previous versions of Ubuntu, you simply had to point your DNS entry in network manager to 127.0.2.1. In 18.04, we need to change it to 127.0.0.1 (localhost),

Why the socket unit rather than the proxy's own configuration: Ubuntu's package starts dnscrypt-proxy through systemd socket activation, so the ListenStream and ListenDatagram lines, not the LocalAddress in dnscrypt-proxy.conf, decide which address and port the proxy listens on. That is also why the earlier step left the local address alone. One caveat: if the unit you edited lives under /lib/systemd/system rather than /etc/systemd/system, the next package upgrade will overwrite your change; an override drop-in created with systemctl edit survives upgrades.
Now, let's use systemd to stop and start the services, etc:

sudo systemctl daemon-reload

sudo systemctl stop dnscrypt-proxy.socket

sudo systemctl start dnscrypt-proxy

sudo systemctl disable systemd-resolved

sudo systemctl stop systemd-resolved

(systemd-resolved and systemd-resolved.service name the same unit; the .service suffix is optional.)

At this stage you may lose your internet connection. This is expected: on 18.04, /etc/resolv.conf points at the stub resolver that systemd-resolved was serving on 127.0.0.53, and nothing answers there once it is stopped.
If you desperately need a connection before we continue to the next part, simply type the following:

sudo nano /

You will see that

This problem is quickly fixed by installing and configuring unbound. Unbound is a validating, caching, recursive DNS resolver.

sudo apt-get install unbound

Once it finishes, add "dns=unbound" in the [main] section of NetworkManager.conf. Two things to check before you rely on this setup: unbound and dnscrypt-proxy cannot both bind 127.0.0.1 on the same port, and unbound only uses DNSCrypt if its configuration forwards queries to the address and port dnscrypt-proxy listens on. A default unbound installation resolves directly from the root servers, which bypasses dnscrypt-proxy entirely; the debug.opendns.com test at the end tells you which path your queries actually take.

sudo nano /
Under the [main] section, there should already be:

plugins=ifupdown,

Add dns=unbound below it.

Save and exit nano.

Now, let's enable unbound, then reboot to finish:

sudo systemctl enable unbound-resolvconf

sudo systemctl enable unbound

Close your terminal and reboot, making sure all your work is saved first.
After rebooting, let us test our handiwork.

Open a browser and go to: https://

Now open a terminal again and type:

nslookup -type=txt debug.opendns.com

The last indented line should tell you whether dnscrypt is enabled. (This check works because the cisco resolver is OpenDNS: the TXT record is answered by their servers and reports whether your query reached them over DNSCrypt. Against any other resolver it tells you nothing.)

Let's look locally:

sudo lsof -i -n | grep -i dnscrypt

TCP and UDP should both point to 127.0.0.1.
Let's get a quick overview of unbound and a link to more information.

Unbound is an alternative to BIND, aiming to be faster and more secure. Unbound is open source.

Web site: https://

You can find out more here: https://

The book is available free of charge.

issue137/tutoriel1.1538411147.txt.gz · Last modified: 2018/10/01 18:25 by auntiee