This topic provides steps for achieving secure DNS communications using dnscrypt-proxy.
Achieving secure DNS communications can be a critical aspect of a strong operational security posture. Use the open source ‘dnscrypt-proxy‘ package to bring encrypted DNS communications to EFA.
1. Install the package:

   apt-get install dnscrypt-proxy

2. Open the ‘/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv‘ file and select one resolver. The name of the resolver is in the first column of this file. For example, the ‘adguard-dns-ns1‘ resolver is displayed here:

   adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com

3. Edit the ‘/etc/dnscrypt/dnscrypt-proxy.conf‘ file and set:

   ResolverName adguard-dns-ns1
   LocalAddress 127.0.0.1:53

4. Edit the ‘/etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket‘ file and make sure the [Socket] section looks like this:

   [Socket]
   ListenStream=127.0.0.1:53
   ListenDatagram=127.0.0.1:53

5. Reload systemd, re-enable the service so the new socket unit is picked up, and reboot:

   # systemctl daemon-reload
   # systemctl disable dnscrypt-proxy.service
   # systemctl enable dnscrypt-proxy.service
   # reboot
At this point, dnscrypt-proxy should be functioning normally. One way to verify this is to look for DNS requests on the EFA management interface (‘eth0‘ for TPVM installations of EFA). There should be no traffic on UDP port 53 because encrypted DNS traffic is sent over UDP port 443.
# tcpdump -i eth0 -l -nn port 53 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:26:54.136556 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.151425 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
15:26:54.152783 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.166523 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
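The resolver selection in step 2 and the tcpdump check above can both be scripted. The following is an added example, not part of this procedure or of the dnscrypt-proxy project: it parses a resolvers CSV excerpt (the column order is assumed from the row quoted above), rejects a resolver whose provider public key is not a full 32-byte fingerprint, renders the two configuration lines from step 3, and flags any packet in tcpdump output that still goes to UDP port 53. The second CSV row and the capture lines passed to the leak check are constructed.

```python
import csv
import io
import re

# Column order of dnscrypt-proxy 1.x's dnscrypt-resolvers.csv (assumed from the row
# quoted in the procedure; a header line, if present, is skipped).
COLUMNS = ["name", "full_name", "description", "location", "coordinates", "url",
           "version", "dnssec", "no_logs", "namecoin", "resolver_address",
           "provider_name", "provider_public_key", "provider_public_key_txt"]

# Constructed sample: the adguard-dns-ns1 row from the procedure plus a made-up
# row with a truncated key, so the check has something to reject.
SAMPLE_CSV = (
    'adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware",'
    '"Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,'
    '176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,'
    'D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,'
    'pk.default.ns1.adguard.com\n'
    'bogus-ns1,"Bogus","constructed row","Nowhere","",https://example.invalid,1,yes,yes,no,'
    '192.0.2.1:443,2.dnscrypt-cert.example.invalid,D12B:47F2,pk.example.invalid\n'
)

# The provider public key is a 32-byte key printed as 16 colon-separated hex groups.
KEY_RE = re.compile(r"^(?:[0-9A-F]{4}:){15}[0-9A-F]{4}$", re.IGNORECASE)
# tcpdump line as printed in the procedure: "IP src.port > dst.port: UDP, length N".
PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")

def load_resolvers(text):
    """Map resolver name -> row dict, skipping a header line if one is present."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    return {r["name"]: r for r in rows if r["name"].lower() != "name"}

def check_resolver(row):
    """Return the reasons a row is unfit to pin (an empty list means it passed)."""
    problems = []
    if not KEY_RE.match(row["provider_public_key"]):
        problems.append("provider public key is not a 32-byte fingerprint")
    host, sep, port = row["resolver_address"].rpartition(":")
    if not (sep and host and port.isdigit()):
        problems.append("resolver address is not host:port")
    return problems

def render_config(name, local_address="127.0.0.1:53"):
    """The two dnscrypt-proxy.conf settings the procedure changes."""
    return f"ResolverName {name}\nLocalAddress {local_address}\n"

def plaintext_dns_leaks(capture_lines):
    """(src, dst) for every packet sent to UDP port 53: a query that bypassed the proxy."""
    hits = [PKT_RE.search(line) for line in capture_lines]
    return [(m.group(1), m.group(3)) for m in hits if m and m.group(4) == "53"]
```

Feed the real CSV to load_resolvers and the output of the tcpdump command above to plaintext_dns_leaks; an empty leak list is the result the procedure expects.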