To achieve secure DNS communications using dnscrypt-proxy, perform the following steps.
Achieving secure DNS communications can be a critical aspect of a strong operational security posture. Use the open source ‘dnscrypt-proxy‘ package to bring encrypted DNS communications to EFA.
apt-get install dnscrypt-proxy
/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
and select
one. The name of this resolver is in the first column in this file. For example,
the ‘adguard-dns-ns1‘ resolver is displayed here:
adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com
/etc/dnscrypt/dnscrypt-proxy.conf
file, and set
ResolverName adguard-dns-ns1 LocalAddress 127.0.0.1:53
/etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket
file and make sure the [Socket]
section looks like this:
[Socket] ListenStream=127.0.0.1:53 ListenDatagram=127.0.0.1:53
# systemctl daemon-reload # systemctl disable dncrypt-proxy.service # systemctl enable dnscrypt-proxy.service # reboot
At this point, dnscrypt-proxy should be functioning normally. One way to verify this is to look for DNS requests on the EFA management interface (‘eth0‘ for TPVM installations of EFA). There should be no traffic on UDP port 53 because encrypted DNS traffic is sent over UDP port 443.
# tcpdump -i eth0 -l -nn port 53 or port 443 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 15:26:54.136556 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512 15:26:54.151425 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304 15:26:54.152783 IP 192.168.10.109.40632 > 176.103.130.130.443: UDP, length 512 15:26:54.166523 IP 176.103.130.130.443 > 192.168.10.109.40632: UDP, length 304