Hits: 3081
DNSCrypt
notes here
Contents
SPECS / RPMs
this page has personal notes, be careful !
So here are my RPM SPEC files for building DNSCrypt-Wrapper (DNSCrypt server)
To build these RPM specs:
# rpmbuild -ba libsodium.spec # rpmbuild -ba dnscrypt-wrapper
then
# rpm -ivh libsodium-1.0.4-1.el7.centos.x86_64.rpm # rpm -ivh dnscrypt-wrapper-v0.1.17-1.el7.centos.x86_64.rpm
dnscrypt-wrapper
Directory
# mkdir -pv /etc/dnscrypt-wrapper # cd !$
Long Term Keys
## This is a long-term key pair that is never supposed to change unless the secret key is compromised. # dnscrypt-wrapper --gen-provider-keypair Generate provider key pair... ok. Public key fingerprint: C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42 This is the provider key you should give to users for your service. (i.e. dnscrypt-proxy --provider-key=C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42 --resolver-address=<your resolver public IP> --provider-name=2.dnscrypt-cert...) Keys are stored in public.key & secret.key. # ls -l public.key secret.key -r--r--r--. 1 root root 32 Nov 20 23:12 public.key -r--r--r--. 1 root root 64 Nov 20 23:12 secret.key
C.
$ dnscrypt-wrapper --show-provider-publickey-fingerprint --provider-publickey-file <your-publickey-file> # dnscrypt-wrapper --show-provider-publickey-fingerprint --provider-publickey-file public.key Provider public key fingerprint : C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42
Time Limited Keys
## Generate a time-limited secret key, which will be used to encrypt and authenticate DNS queries ## Also generate a certificate ! $ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key # dnscrypt-wrapper --gen-crypt-keypair Generate crypt key pair... ok. Secret key stored in crypt_secret.key $ dnscrypt-wrapper \ --gen-cert-file \ --crypt-secretkey-file=1.key \ --provider-cert-file=1.cert \ --provider-publickey-file=public.key \ --provider-secretkey-file=secret.key \ --cert-file-expire-days=365 # dnscrypt-wrapper \ --gen-cert-file \ --crypt-secretkey-file crypt_secret.key \ --provider-publickey-file=public.key \ --provider-secretkey-file=secret.key [988] 20 Nov 23:28:21.284 [notice] [main.c:406] Generating pre-signed certificate. [988] 20 Nov 23:28:21.284 [notice] [main.c:413] TXT record for signed-certificate: * Record for nsd: 2.dnscrypt-cert 86400 IN TXT "DNSC\000\001\000\000\026\203\243\135\186\255k\212<,\207r\243W\133\212+\204k%{\198P\026d\001\157\215\144d\240\204\245\142\024\239\220\012\015$\217\181+@\010\128\196f\225^\203\024\219Q\150\142\159q?a\247\188\195\000\253\190Mq\206\149\226\190\177\239\132\222\001\031\185a\237\016\024'k\019\207&\179\237.I\213=\174w\253\190Mq\206\149\226\190X2\021uX2\021uZ\019H\245" * Record for tinydns: '2.dnscrypt-cert:DNSC\000\001\000\000\032\313\363\207\272\377k\324\074,\317r\363W\205\324+\314k%{\306P\032d\001\235\327\220d\360\314\365\216\030\357\334\014\017$\331\265+@\012\200\304f\341^\313\030\333Q\226\216\237q?a\367\274\303\000\375\276Mq\316\225\342\276\261\357\204\336\001\037\271a\355\020\030'k\023\317\046\263\355.I\325=\256w\375\276Mq\316\225\342\276X2\025uX2\025uZ\023H\365:86400 [988] 20 Nov 23:28:21.285 [notice] [main.c:428] Certificate stored in dnscrypt.cert.
dnscrypt-wrapper daemon
# pwd -P /etc/dnscrypt-wrapper # ls -l total 16 -r--r--r--. 1 root root 32 Nov 20 23:20 crypt_secret.key -r--r--r--. 1 root root 124 Nov 20 23:28 dnscrypt.cert -r--r--r--. 1 root root 32 Nov 20 23:12 public.key -r--r--r--. 1 root root 64 Nov 20 23:12 secret.key E. ## Run the program $ # dnscrypt-wrapper \ --resolver-address=8.8.8.8:53 \ --listen-address=0.0.0.0:443 \ --provider-name=2.dnscrypt-cert.yechengfu.com \ --crypt-secretkey-file=1.key \ --provider-cert-file=1.cert # dnscrypt-wrapper \ --resolver-address=127.0.0.1:53 \ --listen-address=0.0.0.0:44353 \ --crypt-secretkey-file=crypt_secret.key \ --crypt-publickey-file=crypt_public.key \ --provider-cert-file=dnscrypt.cert \ --provider-name=2.dnscrypt-cert.MyDomain.TLD # dnscrypt-wrapper \ --resolver-address=MyIP:53 \ --listen-address=0.0.0.0:44353 \ --crypt-secretkey-file=crypt_secret.key \ --crypt-publickey-file=crypt_public.key \ --provider-cert-file=dnscrypt.cert \ --provider-name=2.dnscrypt-cert.MyDomain.TLD
Client Side
sudo /usr/bin/dnscrypt-proxy --local-address=127.0.0.1:55 --resolver-address=94.242.59.170:44353 --provider-name=2.dnscrypt-cert.MyDomain.TLD --provider-key=8FB3:679F:4E88:A083:272B:5AE5:CDDC:1E64:E534:FEE8:A05B:7DB7:6DD0:4626:6FCF:71F2 [NOTICE] Starting dnscrypt-proxy 1.7.0 [INFO] Generating a new session key pair [INFO] Done [INFO] Chosen certificate #1479677301 is valid from [2016-11-20] to [2017-11-20] [INFO] Server key fingerprint is FDBE:4D71:CE95:E2BE:B1EF:84DE:011F:B961:ED10:1827:6B13:CF26:B3ED:2E49:D53D:AE77 [NOTICE] Proxying from 127.0.0.1:55 to 94.242.59.170:44353
on a another console:
$ dig -p 55 google.com @127.0.0.1 ;; ANSWER SECTION: google.com. 293 IN A 216.58.214.238