Very much superseded by DNS over TLS and DNS over HTTPS. This post is left here for posterity only.
Please note this is a rough guide and is probably not the most elegant solution.
DNS, the Domain Name System, is the protocol computers use to translate human-readable hostnames into the IP addresses they actually connect to.
For example, if you were to ping www.google.com, the computer first contacts a DNS resolver to obtain the IP address for www.google.com and then pings the address it returns:
Pinging www.google.com [212.56.71.20] with 32 bytes of data:
Reply from 212.56.71.20: bytes=32 time=8ms TTL=6
DNS queries and responses between a client and a DNS resolver are sent in plain text, which leaves the protocol open to snooping and to DNS hijacking, where a device in the network path between client and resolver forges responses to send the client somewhere else. DNS hijacking has legitimate uses, such as captive-portal logons on Wi-Fi hotspots, but it can also be used by malicious third parties to redirect clients to websites serving malware. DNSCrypt is a program that encrypts and authenticates the traffic between a DNS client and a DNS resolver to remove these problems.
The application is available for multiple platforms including Windows, Linux and even routers. To work, the upstream DNS resolver must support DNSCrypt. Examples of such resolvers can be found at DNSCrypt.eu and OpenDNS.
This article will focus on an install of DNSCrypt-proxy on an Ubuntu 16.04 LTS virtual machine.
Add the DNSCrypt-Proxy Repository to Ubuntu and install DNSCrypt-Proxy.
sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy
At this point, you will need to ensure your server has a static IP address and that its DNS server setting points at the primary IP address of its NIC. Be aware that this breaks DNS on the server: it will be unable to reach the Internet by name until DNSCrypt-proxy is operational.
To set a static IP address, edit the interfaces file in /etc/network/
sudo nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens160
iface ens160 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.1.4
You will now need to restart the networking service or reboot the Ubuntu box for the changes to take effect.
sudo service networking restart
Edit the .socket file associated with DNSCrypt-proxy.
sudo nano /lib/systemd/system/dnscrypt-proxy.socket
Change the ListenStream and ListenDatagram entries from the loopback address (127.x.x.x) and its port to the IP address associated with the NIC on your Ubuntu 16.04 server, port 53. In my case, this is 192.168.1.1.
[Socket]
ListenStream=192.168.1.1:53
ListenDatagram=192.168.1.1:53
Once the .socket file has been updated, you will need to reload systemd so it picks up the change.
sudo systemctl daemon-reload
The dnscrypt-proxy configuration file can now be updated to choose which Internet DNSCrypt resolver we want to use.
sudo nano /etc/default/dnscrypt-proxy
The resolver of choice is set at the end of the DNSCRYPT_PROXY_RESOLVER_NAME1 line. In this configuration file, dnscrypt.eu-dk is the upstream resolver.
# What local IP the daemon will listen to, with an optional port.
# The default port is 53. If using systemd, this is not used and must be
# specified in dnscrypt-proxy.socket.
DNSCRYPT_PROXY_LOCAL_ADDRESS1=192.168.1.1:53

# Remote DNS(Crypt) resolver.
# You can find a list of resolvers at
# /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
DNSCRYPT_PROXY_RESOLVER_NAME1=dnscrypt.eu-dk

# Extra flags to pass to dnscrypt-proxy
DNSCRYPT_PROXY_OPTIONS=""
Now restart the DNSCrypt-Proxy service, or start it if it isn't running.
sudo service dnscrypt-proxy stop
sudo service dnscrypt-proxy start
You should hopefully now be able to point a client at your Ubuntu server and resolve IP addresses securely.
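As an added example that is not part of the original post, the following POSIX sh helper applies the .socket change from the steps above to whatever file path you give it and then checks that neither Listen* line still binds a loopback address. The unit text it builds is a constructed sample, not the packaged file, so you can exercise it on a copy before touching /lib/systemd/system/dnscrypt-proxy.socket.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite the Listen* lines of a
# dnscrypt-proxy.socket unit to a given NIC address, then verify the result.
# Pass a file path; try it on a copy before editing the real unit.

# set_listen_addr FILE ADDR: point ListenStream/ListenDatagram at ADDR:53.
set_listen_addr() {
    cp "$1" "$1.bak"   # keep the stock unit for rollback
    sed -i \
        -e "s|^ListenStream=.*|ListenStream=$2:53|" \
        -e "s|^ListenDatagram=.*|ListenDatagram=$2:53|" \
        "$1"
}

# check_listen_addr FILE ADDR: succeed only if both Listen* lines bind
# exactly ADDR:53 and no Listen* line still binds a 127.x.x.x address.
check_listen_addr() {
    rc=0
    if grep -Eq '^Listen(Stream|Datagram)=127\.' "$1"; then
        echo "$1: still bound to loopback:" >&2
        grep -E '^Listen(Stream|Datagram)=127\.' "$1" >&2
        rc=1
    fi
    grep -qx "ListenStream=$2:53"   "$1" || rc=1
    grep -qx "ListenDatagram=$2:53" "$1" || rc=1
    return $rc
}

# Constructed sample of a loopback-bound unit (not the packaged file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Socket]
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53

[Install]
WantedBy=sockets.target
EOF
    check_listen_addr "$tmp" 192.168.1.1 2>/dev/null || echo "before: loopback listener detected"
    set_listen_addr "$tmp" 192.168.1.1
    check_listen_addr "$tmp" 192.168.1.1 && echo "after: $(grep '^Listen' "$tmp" | tr '\n' ' ')"
    # On the real host, follow this with: sudo systemctl daemon-reload
    rm -f "$tmp" "$tmp.bak"
}

demo
```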
Something to bear in mind is that DNSCrypt-Proxy is not a caching DNS server: every DNS request made by your client devices is forwarded to the upstream resolver. You can optimise this by introducing a caching DNS server (such as dnsmasq or unbound) between the clients and DNSCrypt-Proxy, but that is beyond the scope of this document.