Secure DNS and EFA
To achieve secure DNS communications using dnscrypt-proxy, perform the following steps.
Before you begin
Achieving secure DNS communications can be a critical aspect of a strong operational security posture. Use the open source ‘dnscrypt-proxy‘ package to bring encrypted DNS communications to EFA.
Procedure
- Install dnscrypt-proxy by running:
  apt-get install dnscrypt-proxy
- Review the various resolvers that support encrypted DNS in the file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and select one. The name of the resolver is in the first column of this file. For example, the entry for the ‘adguard-dns-ns1‘ resolver looks like this:
  adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com
- Edit the /etc/dnscrypt/dnscrypt-proxy.conf file, and set:
  ResolverName adguard-dns-ns1
  LocalAddress 127.0.0.1:53
- Edit the /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket file and make sure the [Socket] section looks like this:
  [Socket]
  ListenStream=127.0.0.1:53
  ListenDatagram=127.0.0.1:53
- Reload systemd, disable and re-enable dnscrypt-proxy.socket, and reboot:
  # systemctl daemon-reload
  # systemctl disable dnscrypt-proxy.service
  # systemctl enable dnscrypt-proxy.service
  # reboot
At this point, dnscrypt-proxy should be functioning normally. One way to verify this is to look for DNS requests on the EFA management interface (‘eth0‘ for TPVM installations of EFA). There should be no traffic on UDP port 53 because encrypted DNS traffic is sent over UDP port 443.
- To verify, run a sniffer on eth0, cause the system to issue a DNS lookup, and make sure there are no UDP packets on port 53. The output should look similar to this:
  # tcpdump -i eth0 -l -nn port 53 or port 443
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  15:26:54.136556 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
  15:26:54.151425 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
  15:26:54.152783 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
  15:26:54.166523 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
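The following Python script is an added example, not part of the original procedure and not code from the dnscrypt-proxy project or EFA. It automates the two judgement calls in the steps above: picking a resolver from dnscrypt-resolvers.csv (filtering on the "No logs" and "DNSSEC validation" columns instead of just "select one"), rendering the two dnscrypt-proxy.conf settings, and auditing a tcpdump capture so that any packet touching port 53 on the management interface is flagged as a query that bypassed the proxy. It assumes the column header layout of the dnscrypt-proxy 1.x resolver list; the adguard-dns-ns1 row is the one quoted above, the other two CSV rows and the final leaked-query capture line (to the documentation address 192.0.2.53) are constructed.

```python
import csv
import io
import re

# Constructed sample in the layout of /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
# The header line is assumed from the dnscrypt-proxy 1.x resolver list format;
# the adguard-dns-ns1 row is the entry quoted in the procedure, the other two
# rows are constructed to exercise the filter (note the quoted commas).
SAMPLE_RESOLVERS_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com
example-logging,"Example, Logging","Constructed entry that keeps query logs","Nowhere","",https://example.invalid/,1,yes,no,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,CONSTRUCTED-KEY,example.invalid
example-strict,"Example, Strict","Constructed entry with DNSSEC and no logs","Nowhere","",https://example.invalid/,1,yes,yes,no,192.0.2.11:443,2.dnscrypt-cert.example.invalid,CONSTRUCTED-KEY,example.invalid
"""


def load_resolvers(csv_text):
    """Parse the resolver list; quoted fields may contain commas, so use csv."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def select_resolvers(rows, require_dnssec=False, require_no_logs=True):
    """Return the names of resolvers whose policy columns meet the requirements.

    The procedure only says "select one"; checking the "No logs" and
    "DNSSEC validation" columns is the extra filter a defender would apply.
    """
    chosen = []
    for row in rows:
        if require_dnssec and row["DNSSEC validation"].strip().lower() != "yes":
            continue
        if require_no_logs and row["No logs"].strip().lower() != "yes":
            continue
        chosen.append(row["Name"])
    return chosen


def render_conf(resolver_name, local_address="127.0.0.1:53"):
    """Render the two dnscrypt-proxy.conf settings the procedure asks for."""
    return f"ResolverName {resolver_name}\nLocalAddress {local_address}\n"


# One tcpdump -nn line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, ..."
TCPDUMP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>UDP|TCP)"
)


def audit_capture(lines):
    """Split tcpdump output into port-53 (plaintext DNS) and port-443 packets.

    Any packet touching port 53 on the management interface means a query
    bypassed dnscrypt-proxy; the prompt and banner lines are skipped.
    """
    plaintext, encrypted = [], []
    for raw in lines:
        match = TCPDUMP_LINE.match(raw.strip())
        if not match:
            continue
        ports = {int(match["sport"]), int(match["dport"])}
        if 53 in ports:
            plaintext.append(raw.strip())
        elif 443 in ports:
            encrypted.append(raw.strip())
    return plaintext, encrypted


# The healthy capture shown in the procedure ...
SAMPLE_CAPTURE_OK = """\
# tcpdump -i eth0 -l -nn port 53 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:26:54.136556 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.151425 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
15:26:54.152783 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.166523 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
"""

# ... and the same capture plus one constructed plaintext query leaking to
# 192.0.2.53 (a documentation address), which the audit must flag.
SAMPLE_CAPTURE_LEAK = SAMPLE_CAPTURE_OK + (
    "15:27:01.000000 IP 192.168.10.109.51000 > 192.0.2.53.53: UDP, length 40\n"
)


if __name__ == "__main__":
    rows = load_resolvers(SAMPLE_RESOLVERS_CSV)
    print("no-logs resolvers:", select_resolvers(rows))
    print(render_conf(select_resolvers(rows)[0]), end="")
    for label, text in (("ok", SAMPLE_CAPTURE_OK), ("leak", SAMPLE_CAPTURE_LEAK)):
        plain, enc = audit_capture(text.splitlines())
        print(f"{label}: {len(enc)} port-443 packets, {len(plain)} plaintext DNS packets")
        for line in plain:
            print("  LEAK:", line)
```

To use it against a live system, feed the real CSV to load_resolvers and pipe the output of the tcpdump command from the last step into audit_capture; an empty plaintext list is the condition the procedure asks you to confirm. The csv module is used rather than awk because the description column is quoted and may itself contain commas.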