Dnscrypt-proxy

From ArchWiki
Revision as of 12:35, 16 February 2015 (Mon) by Kusakata (talk | contribs) (Page created: "Category:Domain Name System Category:Security en:DNSCrypt es:DNSCrypt pt:DNSCrypt [http://dnscrypt.org/ DNSCrypt] is software that encrypts DNS traffic between the user and the DNS ...")

DNSCrypt is software that encrypts DNS traffic between the user and the DNS resolver. It prevents eavesdropping, tampering and man-in-the-middle attacks.

Installation

Install dnscrypt-proxy from the official repositories.

Configuration

Tip: To automatically configure DNSCrypt and choose a resolver, use dnscrypt-autoinstall from the AUR.

By default dnscrypt-proxy is pre-configured in /etc/conf.d/dnscrypt-proxy (read by dnscrypt-proxy.service) to accept incoming requests on 127.0.0.1 and forward them to an OpenDNS resolver. See the list of public resolvers for alternatives.

With this setup, it will be necessary to alter your resolv.conf file and replace your current set of resolver addresses with localhost:

nameserver 127.0.0.1

You might need to prevent other programs from overwriting it, see resolv.conf#Preserve DNS settings for details.

Starting

Available as a systemd service: dnscrypt-proxy.service

Tips and tricks

Forwarding a local DNS cache through DNSCrypt

It is recommended to run DNSCrypt as a forwarder for a local DNS cache, otherwise every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work, examples below show configuration for Unbound, dnsmasq, and pdnsd.

Example: Unbound configuration

Configure Unbound to your liking (remember to set /etc/resolv.conf to use the local DNS server) and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40
Note: Port 40 is given only as an example; Unbound itself listens on 53 by default, and the two ports must differ.

Start the systemd service unbound.service. Then configure DNSCrypt to match Unbound's new forward-zone IP and port in /etc/conf.d/dnscrypt-proxy:

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
Note: DNSCrypt needs to start before Unbound, so add unbound.service to a Before= line in the [Unit] section of dnscrypt-proxy.service.

Restart dnscrypt-proxy.service and unbound.service to apply the changes.

Example: dnsmasq configuration

Configure dnsmasq as a local DNS cache. The basic configuration to work with DNSCrypt:

/etc/dnsmasq.conf
no-resolv
server=127.0.0.2#2053
listen-address=127.0.0.1

If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:

/etc/dnsmasq.conf
proxy-dnssec

Configure DNSCrypt to listen on 127.0.0.2, where dnsmasq will be querying:

/etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.2
DNSCRYPT_LOCALPORT=2053

Restart dnscrypt-proxy.service and dnsmasq.service to apply the changes.

Example: pdnsd configuration

Install pdnsd. A basic configuration to work with DNSCrypt is:

/etc/pdnsd.conf
global {
	perm_cache=16384;
	cache_dir="/var/cache/pdnsd";
	run_as="pdnsd";
	server_ip = 127.0.0.1;
	status_ctl = on;
	query_method=udp_tcp;
	min_ttl=15m;       # Retain cached entries at least 15 minutes.
	max_ttl=1w;        # One week.
	timeout=10;        # Global timeout option (10 seconds).
	neg_domain_pol=on;
	udpbufsize=1024;   # Upper limit on the size of UDP messages.
}

server {
	label = "dnscrypt-proxy";
	ip = 127.0.0.2;
	port = 53;
	timeout = 4;
	uptest = query;
	interval = 15m;
	proxy_only=on;
}

source {
	owner=localhost;
	file="/etc/hosts";
}

rr {
	name=localhost;
	reverse=on;
	a=127.0.0.1;
	owner=localhost;
	soa=localhost,root.localhost,42,86400,900,86400,86400;
}

Configure DNSCrypt to listen on 127.0.0.2:53, where pdnsd will be querying. The following has an example provider already in place; be sure to use the provider you have chosen.

/etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.2
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
DNSCRYPT_RESOLVERIP=208.67.220.220
DNSCRYPT_RESOLVERPORT=443

Be sure you have configured resolv.conf properly for 127.0.0.1.

Uncomment the following line in the [Unit] section of dnscrypt-proxy.service so that DNSCrypt starts before pdnsd:

Before=pdnsd.service

Now enable both the pdnsd and dnscrypt-proxy services.
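The three forwarder setups above (Unbound, dnsmasq, pdnsd) all fail the same way when the cache's upstream address and dnscrypt-proxy's listen address drift apart, or when both daemons try to bind the same socket. The following is an added example, not part of the ArchWiki page: a POSIX sh check that reads a /etc/conf.d/dnscrypt-proxy-style file (a constructed sample is embedded) and compares it with the address the cache forwards to.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): check that the address a local
# cache (Unbound, dnsmasq or pdnsd) forwards to is exactly where
# dnscrypt-proxy listens, and that the two daemons do not bind the same socket.

# Constructed sample of /etc/conf.d/dnscrypt-proxy, as in the Unbound example.
SAMPLE_CONF='# dnscrypt-proxy settings
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
DNSCRYPT_USER=nobody'

# conf_value CONF KEY: print the value of KEY=VALUE in CONF (comments ignored,
# last assignment wins), or nothing when the key is absent.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" | tail -n 1
}

# normalise_addr ADDR: turn Unbound's ip@port or dnsmasq's ip#port into ip:port.
normalise_addr() {
    printf '%s\n' "$1" | tr '@#' '::'
}

# check_forwarder CONF FORWARD_ADDR CACHE_ADDR: 0 when the cache's upstream
# (ip:port) equals the dnscrypt-proxy listen address and differs from the
# address the cache itself serves on; 1/2/3 identify the mismatch.
check_forwarder() {
    conf=$1 fwd=$2 cache=${3:-127.0.0.1:53}
    ip=$(conf_value "$conf" DNSCRYPT_LOCALIP)
    port=$(conf_value "$conf" DNSCRYPT_LOCALPORT)
    if [ -z "$ip" ] || [ -z "$port" ]; then
        echo "DNSCRYPT_LOCALIP or DNSCRYPT_LOCALPORT is not set" >&2
        return 1
    fi
    if [ "$ip:$port" != "$fwd" ]; then
        echo "cache forwards to $fwd but dnscrypt-proxy listens on $ip:$port" >&2
        return 2
    fi
    if [ "$ip:$port" = "$cache" ]; then
        echo "dnscrypt-proxy and the cache would both bind $cache" >&2
        return 3
    fi
    return 0
}

# Stand-alone run: the Unbound example forwards "." to 127.0.0.1@40.
if check_forwarder "$SAMPLE_CONF" "$(normalise_addr 127.0.0.1@40)" 127.0.0.1:53; then
    echo "forwarder and dnscrypt-proxy agree"
fi
```

Feed it the real file with `check_forwarder "$(cat /etc/conf.d/dnscrypt-proxy)" ...` and the forward address copied from the cache's own configuration.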

Enabling EDNS0

EDNS0 (Extension Mechanisms for DNS) is what, among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your /etc/resolv.conf:

options edns0

You may also wish to add the following argument to dnscrypt-proxy:

--edns-payload-size=<bytes>

The default size is 1252 bytes; values up to 4096 bytes are purportedly safe. A value of 512 bytes or less disables this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Testing EDNS0

To make use of the DNS Reply Size Test Server, use the dig command line tool (available in dnsutils from the official repositories) to issue a TXT query for the name rs.dns-oarc.net:

$ dig +short rs.dns-oarc.net txt

With EDNS0 supported, the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"
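Reading that output by eye works once; the following added example, which is not part of the ArchWiki page, turns it into a repeatable check in POSIX sh. It parses a constructed copy of the dig output above (the address is replaced by a documentation placeholder, the sizes are the page's) and compares the measured reply size limit with the payload size dnscrypt-proxy was started with.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): read the output of
# `dig +short rs.dns-oarc.net txt` and decide whether EDNS0 is in effect and
# whether replies of the payload size configured for dnscrypt-proxy got through.

# Constructed sample of the test output; the address is a documentation
# placeholder, the sizes are the ones shown on the page.
SAMPLE_DIG='rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2001:db8::1 DNS reply size limit is at least 4055 bytes"
"2001:db8::1 sent EDNS buffer size 4096"'

# edns_limit OUTPUT: print the measured reply size limit in bytes, or nothing.
edns_limit() {
    printf '%s\n' "$1" | sed -n 's/.*reply size limit is at least \([0-9][0-9]*\) bytes.*/\1/p'
}

# edns_buffer OUTPUT: print the EDNS buffer size the test server saw, or nothing.
edns_buffer() {
    printf '%s\n' "$1" | sed -n 's/.*sent EDNS buffer size \([0-9][0-9]*\).*/\1/p'
}

# edns_check OUTPUT PAYLOAD: 0 when EDNS0 was negotiated and the measured
# limit covers PAYLOAD (the --edns-payload-size in use, default 1252);
# 1 when no EDNS buffer was reported at all, 2 when the limit is too small.
edns_check() {
    out=$1 payload=${2:-1252}
    limit=$(edns_limit "$out")
    buf=$(edns_buffer "$out")
    if [ -z "$buf" ] || [ -z "$limit" ]; then
        echo "no EDNS buffer size reported: EDNS0 is not in effect" >&2
        return 1
    fi
    if [ "$limit" -lt "$payload" ]; then
        echo "only $limit-byte replies got through; $payload-byte payloads may fail" >&2
        return 2
    fi
    echo "EDNS0 in effect: buffer $buf, replies up to at least $limit bytes"
    return 0
}

# Stand-alone run against the sample with the default payload size.
edns_check "$SAMPLE_DIG" 1252
```

For a live check, pass `"$(dig +short rs.dns-oarc.net txt)"` as the first argument and the value you gave --edns-payload-size as the second.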