Tuesday, 28 April 2015

How to Use Dnscrypt on Raspberry to Safeguard Your Online Privacy?



Nowadays user privacy is under pressure, and Internet Service Providers or governments are coming up with new privacy and online security policies to avoid the major attacks. Full DNS protection is recommended to avoid cyber attacks like snooping, man-in-the-middle attacks, and other crucial cyber flaws. One of the advantages of securing DNS servers is that you can easily prevent online criminal activities and censor malicious websites. You may wonder why DNS security matters and why you should encrypt DNS traffic on open Wi-Fi networks. The simple answer is that DNSCrypt encrypts your DNS queries from start to end on their way to the resolver and protects them from spying and tampering. Read below to learn how to set it up on a Raspberry Pi:


Stage1: Configure DNSMASQ

Before installing DNSCrypt, you will need to set up dnsmasq, a DNS cache/server, on your system. Below is a quick checklist for the dnsmasq configuration; match it against the settings on your system:

·         Open the file with “$ sudo vi /etc/dnsmasq.conf” and check for the following settings:

“## DNS CONFIGURATION ##
# Interfaces for DNS
interface=eth0
listen-address=192.168.1.3
bind-interfaces
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Max concurrent DNS queries (default = 150)
dns-forward-max=150
# DNS cache size (default = 150)
cache-size=300” 

·         Replace the current ‘listen-address’ value with your system's IP address

·         Now, open the second file with “$ sudo vi /etc/resolv.conf” and look for the following entries:

“nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222”

·         If you see the IP addresses of both servers, then your dnsmasq is working correctly, and you can continue to the next stage.

Stage2: Installing Dnscrypt


·         Check for the latest version of the tool, then download the source archive:
“$ wget https://github.com/downloads/opendns/dnscrypt-proxy/dnscrypt-proxy-1.2.0.tar.gz”
·         Now, type the “sudo pacman -S gcc” command to install the compiler you need to build the program from sources
·         Build DNSCrypt by typing the following commands, but be patient as it will take a long time to compile on a Raspberry Pi:

“$ tar zxpvf ./dnscrypt-proxy-1.2.0.tar.gz
$ cd dnscrypt-proxy-1.2.0
$ ./configure
$ make
$ sudo make install”

·         If you are setting up the tool on a PiWall, you will need to allow its traffic to the DNS servers in your firewall rules. Add the lines below to the PiWall advanced script:

“DNS_SERVER1="208.67.220.220"
DNS_SERVER2="208.67.222.222"
iptables -A GATEWAY_INTERNET -p udp --sport $UNPRIV_PORTS -d $DNS_SERVER1 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p udp --sport $UNPRIV_PORTS -d $DNS_SERVER2 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp --sport $UNPRIV_PORTS -d $DNS_SERVER1 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp --sport $UNPRIV_PORTS -d $DNS_SERVER2 -m multiport --dports domain,https -j ACCEPT”
·         Try starting the tool from the console and confirm that it launches correctly by typing the “$ sudo /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53” command

·         You will now see that the tool is starting, retrieving a certificate, and listening on 127.0.0.2:53. If it does not work, check your firewall rules and your system’s date and time

·         Once it is up and running, stop it by pressing CTRL+C and continue to the next stage.

Stage3: Configure the Tool


Now, you need to set things up so that dnsmasq serves as the DNS cache/server for the LAN but sends its own requests to DNSCrypt.

·         Edit /etc/rc.local and add the following lines so that DNSCrypt gets launched at startup:

“$ sudo vi /etc/rc.local
echo "Starting DNSCrypt"
/usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 --daemonize”

·         To ensure that the static NTP IP address does not interrupt the process of securing DNS servers, you need to use a dnsmasq parameter

·         Tell dnsmasq to use another "resolv.conf" file by editing its configuration as follows:

“$ sudo vi /etc/dnsmasq.conf
## DNS CONFIGURATION ##
# Interfaces for DNS
interface=eth0
listen-address=192.168.1.3
bind-interfaces
resolv-file=/etc/resolv-dnsmasq.conf”

·         Now, create that file with the following content:

“$ sudo vi /etc/resolv-dnsmasq.conf
nameserver 127.0.0.2”

·         Your regular resolv.conf file can look like this:

“nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222”

·         Now, launch DNSCrypt by typing the “$ sudo /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 --daemonize” command

·         Check everything, reboot your Linux system and confirm that everything is working fine after the system startup.
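
A check for the Stage 3 wiring, added here as an example (not part of the original post): it reads a dnsmasq.conf, follows each resolv-file= line, and fails if the referenced file names any non-loopback nameserver, which would let dnsmasq forward queries unencrypted. The function names and the temporary sample tree are constructed for illustration; the file contents mirror the ones shown above.

```shell
#!/bin/sh
# Added example: audit the dnsmasq -> dnscrypt-proxy wiring from Stage 3.

# Print every resolv-file= value found in a dnsmasq config.
resolv_files_of() {
    sed -n 's/^[[:space:]]*resolv-file[[:space:]]*=[[:space:]]*//p' "$1"
}

# Print nameservers that are not loopback (127.0.0.0/8 or ::1).
plaintext_upstreams() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# $1 = dnsmasq.conf, $2 = optional root prefix (used for sample trees).
# Returns 0 only if every resolv-file lists loopback resolvers only.
audit_chain() {
    conf=$1; root=${2:-}; rc=0; seen=0
    for rf in $(resolv_files_of "$conf"); do
        seen=1
        if [ ! -r "$root$rf" ]; then
            echo "FAIL: $rf is not readable"; rc=1; continue
        fi
        leaks=$(plaintext_upstreams "$root$rf" | tr '\n' ' ')
        if [ -n "$leaks" ]; then
            echo "FAIL: $rf forwards in plaintext to: $leaks"; rc=1
        elif ! grep -q '^[[:space:]]*nameserver' "$root$rf"; then
            echo "FAIL: $rf lists no nameserver"; rc=1
        else
            echo "OK: $rf lists loopback resolvers only"
        fi
    done
    [ "$seen" -eq 1 ] || { echo "FAIL: no resolv-file= line in $conf"; rc=1; }
    return $rc
}

# Constructed sample tree mirroring the files shown in this post.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc"
printf '%s\n' 'interface=eth0' 'listen-address=192.168.1.3' 'bind-interfaces' \
    'resolv-file=/etc/resolv-dnsmasq.conf' > "$demo_dir/etc/dnsmasq.conf"
printf 'nameserver 127.0.0.2\n' > "$demo_dir/etc/resolv-dnsmasq.conf"
printf '%s\n' 'nameserver 127.0.0.1' 'nameserver 208.67.220.220' \
    'nameserver 208.67.222.222' > "$demo_dir/etc/resolv.conf"

audit_chain "$demo_dir/etc/dnsmasq.conf" "$demo_dir"
echo "Host fallbacks: $(plaintext_upstreams "$demo_dir/etc/resolv.conf" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

Run against the regular resolv.conf shown above, plaintext_upstreams reports 208.67.220.220 and 208.67.222.222: lookups made by the Pi itself fall back to those servers unencrypted whenever 127.0.0.1 does not answer.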

Conclusion


Once you’ve completed all the stages mentioned above, you can enjoy full DNS protection on your Linux systems. After the tool gets installed on your system, the Raspberry Pi can easily handle the network gateway, firewall, DHCP server and other device security roles. It is true that DNSCrypt does not fix the DNS protocol's vulnerabilities, but it plays a vital role in ensuring user, network and device privacy and security.
