

Version: dnscrypt-proxy 1.9.5
Web: version 2.0.15 has been released, but Ubuntu 18.04 still uses 1.9.5
Chat: The official URL / Link is: #dnscrypt-proxy:matrix.org

I am a private person; I do not like my privacy invaded. This is one of the main reasons I use Linux. Today I am going to show you how to set up DNSCrypt on Ubuntu 18.04. Take that, Mr ISP, and anyone else trying to map your internet usage!


Whether you like it or not, you are a commodity; you are being bought and sold all over the world. Let’s improve your security and privacy by following this guide. DNSCrypt turns regular DNS traffic into encrypted DNS traffic that secures you from eavesdropping and man-in-the-middle attacks. Just like HTTPS now secures your internet traffic, DNSCrypt secures your DNS traffic. (That said, it is not a complete solution.)

Let me tell you more about the protocol. Those of you who have no interest in this can skip to the next section. I promise to keep this section short. DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver.


The DNSCrypt protocol works on both TCP connections and UDP connections. The default HTTPS port is 443, and this is what DNSCrypt uses also. This will let it pass through most firewalls unhindered. For those of you interested, you can find a list of ports here: http://www.hostingreviewbox.com/rhel-tcp-and-udp-ports/

Both the client and the resolver initially generate a temporary key pair for each supported encryption system. The resolver publishes its temporary public keys in signed certificates. Each certificate includes a validity period, a serial number, a version that defines a key exchange mechanism, an authenticated encryption algorithm and its parameters, as well as a short-term public key, known as the resolver public key.

So… From your computer or laptop (the client), a DNSCrypt session begins with the client sending a non-authenticated DNS query to a DNSCrypt-enabled resolver, such as OpenDNS.

This DNS query encodes the certificate versions supported by the client, as well as a public identifier of the provider requested by the client. The server (resolver) responds with a public set of signed certificates, which must be verified by the client using a provider public key. Each certificate includes a “magic number” that the client must prefix all of its queries with, so that the resolver knows which certificate was chosen by the client before it does anything else. The encryption algorithm, resolver public key and client magic number from the chosen certificate are then used by the client to send encrypted queries. These queries include the client public key.

Using this client public key, and knowing which certificate was chosen by the client as well as the relevant secret key, the resolver verifies and decrypts the query, and encrypts the response the same way.

DNSCrypt is not to be confused with DoH (not the Arkanoid one), which is DNS over HTTPS. This is a project by the Mozilla foundation.

If you are not 100% sure of your command line fu, please back up every file you edit, BEFORE EDITING!

Open a terminal and type the following:

    sudo apt-get install dnscrypt-proxy

Type in your password and let it finish. Then:

    sudo sed -i 's/fvz-anyone/cisco/g' /etc/dnscrypt-proxy/dnscrypt-proxy.conf

Explanation: sed is a stream editor; the s denotes substitution and the g means globally. The “-i” switch means in place. So, first we have the expression we want to substitute, followed by what we want to replace it with, then immediately followed by the file path. This command changes the default resolver from fvz-anyone to cisco. You do not have to choose Cisco; there are many resolvers, but I will use Cisco in the example. A list of resolvers can be found here: https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

You can of course also do it manually:

    sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.conf

Change the text 'ResolverName fvz-anyone' to 'ResolverName cisco'. Do not change the local address. As with all edits in the /etc folder, make a backup of the file first!

Now that you understand the syntax of sed, let’s continue (this file belongs to root, so the command needs sudo):

    sudo sed -i 's/127.0.2.1/127.0.0.1/g' /lib/systemd/system/dnscrypt-proxy.socket

Let us check to see if it is correct:

    grep '127' /lib/systemd/system/dnscrypt-proxy.socket

You should see the following:

    ListenStream=127.0.0.1:53
    ListenDatagram=127.0.0.1:53

In previous versions of Ubuntu, you simply had to point your DNS entry in Network Manager to 127.0.2.1. In 18.04, we need to change it to 127.0.0.1 (localhost); however, Bionic Beaver is not happy with this.

Now, let’s use systemd to stop and start the services, etc.:

    sudo systemctl daemon-reload
    sudo systemctl stop dnscrypt-proxy.socket
    sudo systemctl start dnscrypt-proxy
    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved.service
    sudo systemctl disable systemd-resolved
    sudo systemctl stop systemd-resolved

At this stage you may lose your internet connection.

If you desperately need a connection before we continue to the next part, simply type the following:

    sudo nano /etc/resolv.conf

You will see Ubuntu has changed the nameserver to 127.0.0.53; don’t worry, simply change it to 127.0.0.1 and save it. Should you still not have a connection, change it to 1.1.1.1; this should resolve your connection problem. Just remember that by changing it to 1.1.1.1, you are NOT using the DNSCrypt proxy, but rather Cloudflare directly.

This issue is speedily rectified by installing and configuring unbound. Unbound is a validating, recursive, and caching DNS resolver.

    sudo apt-get install unbound

Once it finishes, add “dns=unbound” in the [main] section in NetworkManager.conf:

    sudo nano /etc/NetworkManager/NetworkManager.conf

Under the [main] section, there should already be:

    plugins=ifupdown,keyfile

Just add dns=unbound below it. Save and exit nano. Now let us enable unbound, then reboot to finish:

    sudo systemctl enable unbound-resolvconf
    sudo systemctl enable unbound

Close your terminal and reboot, making sure all your work is saved first.

After rebooting, let us test our handiwork. Open a browser and go to: https://welcome.opendns.com/ You should see a check mark. Now open a terminal again and type:

    nslookup -type=txt debug.opendns.com

The last indented line should tell you if dnscrypt is enabled. Let’s look locally:

    sudo lsof -i -n | grep -i dnscrypt

TCP and UDP should both point to 127.0.0.1.
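A read-only check script, added here as an example and not part of the original tutorial, that verifies the four edits made above (the socket unit, the ResolverName, resolv.conf and NetworkManager.conf) before you rely on the browser test. The paths are the ones the tutorial uses on 18.04; the function names are mine.

```shell
#!/bin/sh
# Added check script (not from the original tutorial): read-only checks of
# the files the tutorial edits on Ubuntu 18.04. Function names are mine.

# 0 if every Listen* line in the socket unit binds 127.0.0.1:53 and both a
# TCP (ListenStream) and a UDP (ListenDatagram) listener are present.
check_socket_unit() {
    [ -r "$1" ] || return 1
    # a Listen* line still holding the packaged 127.0.2.1 (or anything else) fails
    grep -E '^Listen(Stream|Datagram)=' "$1" | grep -vq '=127\.0\.0\.1:53$' && return 1
    grep -q '^ListenStream=127\.0\.0\.1:53$' "$1" || return 1
    grep -q '^ListenDatagram=127\.0\.0\.1:53$' "$1"
}

# 0 if dnscrypt-proxy.conf names resolver $2 (the tutorial uses cisco).
check_resolver_name() {
    grep -Eq "^ResolverName[[:space:]]+$2[[:space:]]*$" "$1"
}

# 0 if the first nameserver in resolv.conf is 127.0.0.1, i.e. queries go to
# the local proxy/unbound and not to the 127.0.0.53 stub or 1.1.1.1 directly.
check_resolv_conf() {
    awk '/^nameserver[ \t]/ { print $2; exit }' "$1" | grep -qx '127\.0\.0\.1'
}

# 0 if NetworkManager.conf has dns=unbound inside its [main] section (a
# dns=unbound line under another section does not count).
check_nm_dns_unbound() {
    awk '/^\[/ { sec = $0 }
         sec == "[main]" && /^dns=unbound[ \t]*$/ { found = 1 }
         END { exit !found }' "$1"
}

report() {
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; rc=1; fi
}

main() {
    rc=0
    report "dnscrypt-proxy.socket listens on 127.0.0.1:53" \
        check_socket_unit /lib/systemd/system/dnscrypt-proxy.socket
    report "ResolverName is cisco" \
        check_resolver_name /etc/dnscrypt-proxy/dnscrypt-proxy.conf cisco
    report "resolv.conf points at 127.0.0.1" check_resolv_conf /etc/resolv.conf
    report "NetworkManager.conf has dns=unbound in [main]" \
        check_nm_dns_unbound /etc/NetworkManager/NetworkManager.conf
    return "$rc"
}
case "${1:-}" in --live) main ;; esac  # live checks only with --live, so the file can be sourced
```

Run it as `sh check-dnscrypt.sh --live` after the reboot; any FAIL line names the file still holding the old value.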

Let’s get a quick overview of unbound and a link to more information. Unbound is an alternative to BIND – aiming to be faster and more secure. Unbound is open source.

Website: https://www.unbound.net/

You can find out more here: https://jpmens.net/2010/10/29/alternative-dns-servers-the-book-as-pdf/ The book is available free of charge.

issue137/tutoriel1.1538980927.txt.gz · Last modified: 2018/10/08 08:42 by d52fr