DNSCrypt
notes here
SPECS / RPMs
this page has personal notes, be careful !
So here are my RPM SPEC files for building DNSCrypt-Wrapper (DNSCrypt server)
To build these RPM specs:
# rpmbuild -ba libsodium.spec
# rpmbuild -ba dnscrypt-wrapper.spec
then
# rpm -ivh libsodium-1.0.4-1.el7.centos.x86_64.rpm
# rpm -ivh dnscrypt-wrapper-v0.1.17-1.el7.centos.x86_64.rpm
dnscrypt-wrapper
Directory
# mkdir -pv /etc/dnscrypt-wrapper
# cd !$
Long Term Keys
## This is a long-term key pair that is never supposed to change unless the secret key is compromised.

# dnscrypt-wrapper --gen-provider-keypair
Generate provider key pair... ok.
Public key fingerprint: C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42
This is the provider key you should give to users for your service.
(i.e. dnscrypt-proxy --provider-key=C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42 --resolver-address=<your resolver public IP> --provider-name=2.dnscrypt-cert...)
Keys are stored in public.key & secret.key.

# ls -l public.key secret.key
-r--r--r--. 1 root root 32 Nov 20 23:12 public.key
-r--r--r--. 1 root root 64 Nov 20 23:12 secret.key
$ dnscrypt-wrapper --show-provider-publickey-fingerprint --provider-publickey-file <your-publickey-file>

# dnscrypt-wrapper --show-provider-publickey-fingerprint --provider-publickey-file public.key
Provider public key fingerprint : C443:37C2:6915:7E43:468D:E7AC:0B6F:6393:F18F:E0D7:E6A2:1E49:50E6:F0D7:6C26:EC42
Time Limited Keys
## Generate a time-limited secret key, which will be used to encrypt and authenticate DNS queries
## Also generate a certificate !

$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key

# dnscrypt-wrapper --gen-crypt-keypair
Generate crypt key pair... ok.
Secret key stored in crypt_secret.key

$ dnscrypt-wrapper \
    --gen-cert-file \
    --crypt-secretkey-file=1.key \
    --provider-cert-file=1.cert \
    --provider-publickey-file=public.key \
    --provider-secretkey-file=secret.key \
    --cert-file-expire-days=365

# dnscrypt-wrapper \
    --gen-cert-file \
    --crypt-secretkey-file crypt_secret.key \
    --provider-publickey-file=public.key \
    --provider-secretkey-file=secret.key
[988] 20 Nov 23:28:21.284 [notice] [main.c:406] Generating pre-signed certificate.
[988] 20 Nov 23:28:21.284 [notice] [main.c:413] TXT record for signed-certificate:
* Record for nsd:
2.dnscrypt-cert 86400 IN TXT "DNSC\000\001\000\000\026\203\243\135\186\255k\212<,\207r\243W\133\212+\204k%{\198P\026d\001\157\215\144d\240\204\245\142\024\239\220\012\015$\217\181+@\010\128\196f\225^\203\024\219Q\150\142\159q?a\247\188\195\000\253\190Mq\206\149\226\190\177\239\132\222\001\031\185a\237\016\024'k\019\207&\179\237.I\213=\174w\253\190Mq\206\149\226\190X2\021uX2\021uZ\019H\245"
* Record for tinydns:
'2.dnscrypt-cert:DNSC\000\001\000\000\032\313\363\207\272\377k\324\074,\317r\363W\205\324+\314k%{\306P\032d\001\235\327\220d\360\314\365\216\030\357\334\014\017$\331\265+@\012\200\304f\341^\313\030\333Q\226\216\237q?a\367\274\303\000\375\276Mq\316\225\342\276\261\357\204\336\001\037\271a\355\020\030'k\023\317\046\263\355.I\325=\256w\375\276Mq\316\225\342\276X2\025uX2\025uZ\023H\365:86400
[988] 20 Nov 23:28:21.285 [notice] [main.c:428] Certificate stored in dnscrypt.cert.
dnscrypt-wrapper daemon
# pwd -P
/etc/dnscrypt-wrapper
# ls -l
total 16
-r--r--r--. 1 root root  32 Nov 20 23:20 crypt_secret.key
-r--r--r--. 1 root root 124 Nov 20 23:28 dnscrypt.cert
-r--r--r--. 1 root root  32 Nov 20 23:12 public.key
-r--r--r--. 1 root root  64 Nov 20 23:12 secret.key

## Run the program

$ dnscrypt-wrapper \
    --resolver-address=8.8.8.8:53 \
    --listen-address=0.0.0.0:443 \
    --provider-name=2.dnscrypt-cert.yechengfu.com \
    --crypt-secretkey-file=1.key \
    --provider-cert-file=1.cert

# dnscrypt-wrapper \
    --resolver-address=127.0.0.1:53 \
    --listen-address=0.0.0.0:44353 \
    --crypt-secretkey-file=crypt_secret.key \
    --crypt-publickey-file=crypt_public.key \
    --provider-cert-file=dnscrypt.cert \
    --provider-name=2.dnscrypt-cert.MyDomain.TLD

# dnscrypt-wrapper \
    --resolver-address=MyIP:53 \
    --listen-address=0.0.0.0:44353 \
    --crypt-secretkey-file=crypt_secret.key \
    --crypt-publickey-file=crypt_public.key \
    --provider-cert-file=dnscrypt.cert \
    --provider-name=2.dnscrypt-cert.MyDomain.TLD
Client Side
sudo /usr/bin/dnscrypt-proxy --local-address=127.0.0.1:55 --resolver-address=94.242.59.170:44353 --provider-name=2.dnscrypt-cert.MyDomain.TLD --provider-key=8FB3:679F:4E88:A083:272B:5AE5:CDDC:1E64:E534:FEE8:A05B:7DB7:6DD0:4626:6FCF:71F2
[NOTICE] Starting dnscrypt-proxy 1.7.0
[INFO] Generating a new session key pair
[INFO] Done
[INFO] Chosen certificate #1479677301 is valid from [2016-11-20] to [2017-11-20]
[INFO] Server key fingerprint is FDBE:4D71:CE95:E2BE:B1EF:84DE:011F:B961:ED10:1827:6B13:CF26:B3ED:2E49:D53D:AE77
[NOTICE] Proxying from 127.0.0.1:55 to 94.242.59.170:44353
on another console:
$ dig -p 55 google.com @127.0.0.1
;; ANSWER SECTION:
google.com. 293 IN A 216.58.214.238
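Added example (my own code, not from this page or from dnscrypt-wrapper): a parser for the 124-byte DNSCrypt certificate that dnscrypt-wrapper published as the nsd TXT record above, fed with that record as its input. It recovers the serial, validity window and resolver key that dnscrypt-proxy reports on the client side, so what a resolver advertises in DNS can be compared with what the proxy accepted.

```python
import struct
import time

# Constructed sample input: the certificate dnscrypt-wrapper printed above as an nsd
# TXT record, copied from this page. nsd uses RFC 1035 escapes: \DDD is a decimal byte.
NSD_TXT = (
    r"DNSC\000\001\000\000\026\203\243\135\186\255k\212<,\207r\243W\133\212+\204k%{\198P"
    r"\026d\001\157\215\144d\240\204\245\142\024\239\220\012\015$\217\181+@\010\128\196f"
    r"\225^\203\024\219Q\150\142\159q?a\247\188\195\000\253\190Mq\206\149\226\190\177\239"
    r"\132\222\001\031\185a\237\016\024'k\019\207&\179\237.I\213=\174w\253\190Mq\206\149"
    r"\226\190X2\021uX2\021uZ\019H\245"
)
CERT_LEN = 124  # 4 magic + 2 es-version + 2 minor + 64 sig + 32 pk + 8 client magic + 3*4

def decode_txt(text):
    """Undo master-file escaping: \\DDD -> byte DDD (decimal), \\c -> c, else literal."""
    out, i = bytearray(), 0
    while i < len(text):
        digits = text[i + 1:i + 4]
        if text[i] == "\\" and len(digits) == 3 and digits.isdigit():
            out.append(int(digits))
            i += 4
        elif text[i] == "\\":
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def fingerprint(key):
    # Hex in colon-separated 4-digit groups, as dnscrypt-wrapper and dnscrypt-proxy print it
    h = key.hex().upper()
    return ":".join(h[i:i + 4] for i in range(0, len(h), 4))

def parse_cert(blob):
    """Split a DNSCrypt certificate into its fields (all integers are big-endian)."""
    if len(blob) != CERT_LEN or blob[:4] != b"DNSC":
        raise ValueError("not a %d-byte DNSCrypt certificate" % CERT_LEN)
    es_version, minor = struct.unpack(">HH", blob[4:8])   # es-version 1 = X25519-XSalsa20Poly1305
    serial, ts_start, ts_end = struct.unpack(">III", blob[112:])
    day = lambda ts: time.strftime("%Y-%m-%d", time.gmtime(ts))
    return {
        "es_version": es_version, "minor_version": minor,
        "signature": blob[8:72],        # Ed25519 over blob[72:] made with the provider secret key
        "resolver_pk": blob[72:104], "resolver_fingerprint": fingerprint(blob[72:104]),
        "client_magic": blob[104:112],  # prefix clients put on queries encrypted to this key
        "serial": serial, "ts_start": ts_start, "ts_end": ts_end,
        "valid_from": day(ts_start), "valid_to": day(ts_end),
    }
```

Checking the Ed25519 signature over blob[72:] against the provider public key is the step dnscrypt-proxy adds on top of this parsing; a library such as pynacl is needed for it.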