Nowadays user privacy is under pressure, and Internet Service Providers or governments are coming up with new privacy and online security policies to avoid major attacks. Full DNS protection is recommended to avoid cyber attacks like snooping, man-in-the-middle attacks, and other crucial cyber flaws. One of the advantages of securing DNS servers is that you can easily prevent online criminal activities and censor malicious websites. You may wonder why DNS security matters and why you should encrypt DNS traffic on open Wi-Fi networks. The simple answer is that DNSCrypt encrypts the DNS traffic between your system and the resolver from start to end, protecting your queries from spying and tampering. Read below to learn how to set up DNSCrypt on a Raspberry Pi:
Stage 1: Configure dnsmasq
Before installing DNSCrypt, you will need to set up dnsmasq, a DNS cache/server, on your system. Below is a quick checklist for the dnsmasq configuration; compare it with the settings on your system:
· Open the configuration file with “$ sudo vi /etc/dnsmasq.conf” and check for the following settings:
“## DNS CONFIGURATION ##
# Interfaces for DNS
interface=eth0
listen-address=192.168.1.3
bind-interfaces
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Max concurrent DNS queries (default = 150)
dns-forward-max=150
# DNS cache size (default = 150)
cache-size=300”
· Replace the current ‘listen-address’ value with your system's IP address
· Now, open the second file with “$ sudo vi /etc/resolv.conf” and look for the following entries:
“nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222”
· If you get the IP addresses of both the servers, then your dnsmasq is working correctly, and you can continue to the next stage.
Stage 2: Installing DNSCrypt
· Check for the latest version of the tool, then download it:
“$ wget https://github.com/downloads/opendns/dnscrypt-proxy/dnscrypt-proxy-1.2.0.tar.gz”
· Now, type the “sudo pacman -S gcc” command to install the compiler needed to build the program from source
· Build DNSCrypt by typing the following commands, but be patient as it will take a long time to compile on a Raspberry Pi:
“$ tar zxpvf ./dnscrypt-proxy-1.2.0.tar.gz
$ cd dnscrypt-proxy-1.2.0
$ ./configure
$ make
$ sudo make install”
· If you are setting up the tool on a PiWall, you will need to allow its traffic in your firewall rules. Use the PiWall advanced script below:
“DNS_SERVER1="208.67.220.220"
DNS_SERVER2="208.67.222.222"
iptables -A GATEWAY_INTERNET -p udp --sport $UNPRIV_PORTS -d $DNS_SERVER1 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p udp --sport $UNPRIV_PORTS -d $DNS_SERVER2 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp --sport $UNPRIV_PORTS -d $DNS_SERVER1 -m multiport --dports domain,https -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp --sport $UNPRIV_PORTS -d $DNS_SERVER2 -m multiport --dports domain,https -j ACCEPT”
· Try starting the tool from the console and confirm that it launches correctly by typing the “$ sudo /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53” command
· You will now see that the tool is starting, retrieving a certificate, and listening on 127.0.0.2:53. If it does not work, check your firewall rules and your system’s date and time
· Once it is up and running, interrupt it by pressing ‘CTRL+C’ and continue to the next stage.
Stage 3: Configure the Tool
Now, you need to define that dnsmasq will serve as a DNS cache/server for the LAN, but it will make its requests to DNSCrypt.
· Add the following lines to /etc/rc.local so that DNSCrypt gets launched at startup:
“$ sudo vi /etc/rc.local
echo "Starting DNSCrypt"
/usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 --daemonize”
· To ensure that the static NTP IP address does not interrupt the process of securing DNS servers, you need to use a dnsmasq parameter
· Tell dnsmasq to use another "resolv.conf" file by adding the resolv-file line shown below:
“$ sudo vi /etc/dnsmasq.conf
## DNS CONFIGURATION ##
# Interfaces for DNS
interface=eth0
listen-address=192.168.1.3
bind-interfaces
resolv-file=/etc/resolv-dnsmasq.conf”
· Now, create that file with the following content:
“$ sudo vi /etc/resolv-dnsmasq.conf
nameserver 127.0.0.2”
· Your regular resolv.conf file can look like this:
“nameserver 127.0.0.1
nameserver 208.67.220.220
nameserver 208.67.222.222”
· Now, launch DNSCrypt by typing the “$ sudo /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 --daemonize” command
· Check everything, reboot your Linux system and confirm that everything is working fine after the system startup.
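One way to check the Stage 3 wiring before rebooting, as an added example that is not part of the original post: the script reads a dnsmasq.conf, follows its resolv-file= setting, and reports any upstream other than the DNSCrypt listener at 127.0.0.2, since such an entry would be queried in plaintext. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Stage 3 chain
# dnsmasq -> dnscrypt-proxy. Function names and sample files are constructed.

# Path given by the last resolv-file= line in a dnsmasq.conf (empty if unset).
resolv_file_of() {
    sed -n 's/^[[:space:]]*resolv-file=//p' "$1" | tail -n 1
}

# Nameservers in a resolv-style file that are NOT the local proxy address.
plaintext_upstreams() {
    awk -v proxy="$2" '$1 == "nameserver" && $2 != proxy { print $2 }' "$1"
}

# audit_dns_chain CONF PROXY [ROOT]; ROOT is prefixed to the resolv-file path
# so the check can run against a copy of /etc. Returns 0 only when every
# upstream dnsmasq will use is the proxy.
audit_dns_chain() {
    rf=$(resolv_file_of "$1")
    if [ -z "$rf" ]; then
        echo "FAIL: no resolv-file= set, dnsmasq falls back to /etc/resolv.conf"
        return 1
    fi
    leaks=$(plaintext_upstreams "${3:-}$rf" "$2" | tr '\n' ' ')
    if [ -n "$leaks" ]; then
        echo "FAIL: $rf also lists $leaks"
        return 1
    fi
    if ! awk -v p="$2" '$1 == "nameserver" && $2 == p { ok = 1 } END { exit !ok }' "${3:-}$rf"; then
        echo "FAIL: $2 is not listed in $rf"
        return 1
    fi
    echo "OK: dnsmasq forwards only to $2"
}

# Constructed samples: a Stage 3 and a Stage 1 dnsmasq.conf plus the resolv file.
make_samples() {
    mkdir -p "$1/etc"
    printf 'interface=eth0\nbind-interfaces\nresolv-file=/etc/resolv-dnsmasq.conf\n' > "$1/dnsmasq.conf"
    printf 'interface=eth0\nlisten-address=192.168.1.3\n' > "$1/dnsmasq-stage1.conf"
    printf 'nameserver 127.0.0.2\n' > "$1/etc/resolv-dnsmasq.conf"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_dns_chain "$demo/dnsmasq.conf" 127.0.0.2 "$demo" || true         # Stage 3 config
audit_dns_chain "$demo/dnsmasq-stage1.conf" 127.0.0.2 "$demo" || true  # Stage 1 config
rm -rf "$demo"
```

On the Pi itself, call audit_dns_chain with /etc/dnsmasq.conf and 127.0.0.2 and no third argument.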
Conclusion
Once you’ve completed all the stages mentioned above, you can enjoy full DNS protection on your Linux systems. After the tool is installed on your system, the Raspberry Pi can easily handle the network gateway, firewall, DHCP server and other device security roles. It is true that DNSCrypt does not fix the DNS protocol's vulnerabilities, but it plays a vital role in ensuring user, network and device privacy and security.