Secure DNS and EFA

To achieve secure DNS communications using dnscrypt-proxy, perform the following steps.

Before you begin

Achieving secure DNS communications can be a critical aspect of a strong operational security posture. Use the open source ‘dnscrypt-proxy‘ package to bring encrypted DNS communications to EFA.

About this task

Procedure

Install dnscrypt-proxy by running:
```
apt-get install
        dnscrypt-proxy
```

Review the various resolvers that support encrypted DNS in the file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and select one. The name of this resolver is in the first column in this file. For example, the ‘adguard-dns-ns1‘ resolver is displayed here:

adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from
        malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com

Edit the /etc/dnscrypt/dnscrypt-proxy.conf file, and set

ResolverName adguard-dns-ns1

LocalAddress 127.0.0.1:53

Edit the /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket file and make sure the [Socket] section looks like this:
```
[Socket]
 ListenStream=127.0.0.1:53
 ListenDatagram=127.0.0.1:53
```
Reload systemd, disable and re-enable dnscrypt-proxy.socket, and reboot:
```
# systemctl daemon-reload
 # systemctl disable dncrypt-proxy.service
 # systemctl enable dnscrypt-proxy.service
 # reboot
```
At this point, dnscrypt-proxy should be functioning normally. One way to verify this is to look for DNS requests on the EFA management interface (‘eth0‘ for TPVM installations of EFA). There should be no traffic on UDP port 53 because encrypted DNS traffic is sent over UDP port 443.

To verify, run a sniffer on eth0, cause the system to issue a DNS lookup, and make sure there are no UDP packets on port 53. The output should look similar to this:

# tcpdump -i eth0 -l -nn port 53 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

15:26:54.136556 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.151425 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304
15:26:54.152783 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512
15:26:54.166523 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Secure DNS and EFA

Before you begin

About this task

Procedure