OpenBSD DNSCrypt Howto

 

This Howto has been moved to the miniguide section and will be maintained there from now on.

h2. Introduction

This Howto describes how to set up DNSCrypt on OpenBSD using the dnscrypt-proxy package, with unbound from the base system as a local caching resolver in front of it.

h2. Installing dnscrypt_proxy

Install dnscrypt-proxy from the FTP package repository as root. Make sure the environment variable PKG_PATH points at the package directory for your release and architecture; `uname -r` and `machine -a` fill those in below.

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`machine -a`/
# pkg_add -i dnscrypt-proxy

h2. Configuring dnscrypt_proxy

With the flags below, dnscrypt_proxy listens on the loopback interface lo0 at 127.0.0.1, port 5353, and logging is disabled (-l /dev/null). -T forces TCP towards the resolver and -E generates a fresh ephemeral key pair for every query, so individual queries cannot be linked to a long-lived client key. The resolver is one of the public IPredator resolvers, 194.132.32.32. --provider-name and --provider-key pin the resolver: dnscrypt_proxy only accepts a resolver certificate that is signed by this provider key, so a spoofed or substituted resolver is rejected.

Edit /etc/rc.conf.local and add the following lines to run dnscrypt_proxy at system startup:

dnscrypt_proxy_flags="-a 127.0.0.1:5353 --provider-key=F581:BDCD:C1F7:469C:6B55:A144:39AA:F2F6:3AD1:8C5F:AE57:7EE1:06C9:B2EC:D29E:6849 --provider-name=2.dnscrypt-cert.ipredator.se --resolver-address=194.132.32.32 -T -E -l /dev/null"
pkg_scripts="dnscrypt_proxy"

h2. Starting dnscrypt_proxy

To start dnscrypt_proxy without rebooting your machine, invoke its rc script:

# /etc/rc.d/dnscrypt_proxy start
dnscrypt_proxy(ok)

h2. Testing dnscrypt_proxy

Use dig to send a query for the A record of ipredator.se to the dnscrypt_proxy listening on 127.0.0.1:5353:

# dig ipredator.se @127.0.0.1 -p 5353 +tcp

; <<>> DiG 9.4.2-P2 <<>> ipredator.se @127.0.0.1 -p 5353 +tcp
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18123
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
    
;; QUESTION SECTION:
;ipredator.se.                  IN      A
    
;; ANSWER SECTION:
ipredator.se.           508     IN      A       193.234.198.40
ipredator.se.           508     IN      A       193.234.198.41
 
;; AUTHORITY SECTION:
ipredator.se.           599     IN      NS      ns3u.resolv.to.
ipredator.se.           599     IN      NS      ns1a.resolv.to.
ipredator.se.           599     IN      NS      ns2u.resolv.to.
ipredator.se.           599     IN      NS      ns1u.resolv.to.

;; Query time: 245 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mon Jun 29 23:45:52 2015
;; MSG SIZE  rcvd: 147

If the ANSWER SECTION contains records like the ones above, dnscrypt_proxy works. Next, set up the system so that all queries go through the unbound resolver, which in turn forwards them to dnscrypt_proxy.

h2. Configure local DNS cache using Unbound

Unbound is a DNS resolver and part of the OpenBSD base system.

Edit /etc/rc.conf.local to enable unbound at system startup:

unbound_flags=""

For clarity, unbound_flags should go above the pkg_scripts line in rc.conf.local. pkg_scripts lists the rc scripts installed by packages that are to be run at startup; because unbound is part of the OpenBSD base system, it is enabled through its own _flags variable and does not belong in pkg_scripts.

Edit or create /var/unbound/etc/unbound.conf. With the configuration below, unbound listens on 127.0.0.1, port 53 (the default), and only accepts queries from 127.0.0.0/8. Every query is forwarded to dnscrypt_proxy listening on 127.0.0.1 port 5353; do-not-query-localhost must be set to no for this, because unbound otherwise refuses to send queries to loopback addresses. tcp-upstream: yes matches the -T flag given to dnscrypt_proxy. The private-address entries make unbound strip RFC 1918 addresses from answers for public names, which blocks DNS rebinding attacks against hosts on your LAN. Validate the file with unbound-checkconf before starting unbound.

server:
    username: _unbound
    directory: /var/unbound
    chroot: /var/unbound

    interface: 127.0.0.1
    do-ip6: no

    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no

    tcp-upstream: yes

    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

Start unbound:

# /etc/rc.d/unbound start
unbound(ok)

Now do the same query as before, but this time query the unbound resolver:

# dig ipredator.se @127.0.0.1

; <<>> DiG 9.4.2-P2 <<>> ipredator.se @127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37537
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;ipredator.se.                  IN      A

;; ANSWER SECTION:
ipredator.se.           592     IN      A       193.234.198.41
ipredator.se.           592     IN      A       193.234.198.40

;; AUTHORITY SECTION:
ipredator.se.           592     IN      NS      ns2u.resolv.to.
ipredator.se.           592     IN      NS      ns3u.resolv.to.
ipredator.se.           592     IN      NS      ns1u.resolv.to.
ipredator.se.           592     IN      NS      ns1a.resolv.to.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 30 00:16:36 2015
;; MSG SIZE  rcvd: 147

The outcome should be identical. Note the SERVER line in the answer: it now shows 127.0.0.1#53, i.e. unbound, rather than dnscrypt_proxy on port 5353. To confirm that unbound really forwards to dnscrypt_proxy instead of resolving on its own, stop dnscrypt_proxy and query a name that is not yet in unbound's cache; the query should then fail with SERVFAIL.

h2. System wide DNS configuration

On OpenBSD, DNS servers are configured in /etc/resolv.conf. Depending on whether your machine uses a statically configured or a dynamically assigned address, either edit /etc/resolv.conf directly or configure dhclient via /etc/dhclient.conf to supersede the DNS server entries it receives when the interface is configured.

All DNS queries must go to unbound listening on 127.0.0.1, which in turn forwards them to dnscrypt_proxy.

h3. Statically configured IP address

Make 127.0.0.1 the only nameserver in /etc/resolv.conf. Do not keep any other nameserver entries in this file: the resolver library tries the listed servers in order and falls back to the next one on a timeout, so every additional entry leaks plain-text DNS queries to that server.

# echo "nameserver 127.0.0.1" > /etc/resolv.conf

h3. Dynamically assigned IP address via DHCP

When the host's IP address comes from DHCP, dhclient rewrites /etc/resolv.conf with the nameservers offered by the local DHCP server. The supersede statement below makes dhclient write 127.0.0.1 instead. You still receive an IP address from the network range your machine sits in as well as a default gateway, but all your DNS queries are safely piped through unbound and dnscrypt_proxy. The change takes effect the next time dhclient configures the interface, for example after sh /etc/netstart or a reboot.

# echo "supersede domain-name-servers 127.0.0.1;" >> /etc/dhclient.conf
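Both the static and the DHCP configuration above can be audited from a script. The following is an added example written for this Howto, not code from the original page or from IPredator: it checks a resolv.conf for nameserver entries other than 127.0.0.1 and a dhclient.conf for the supersede statement. The file names and contents at the bottom are constructed for the demonstration; point the two functions at /etc/resolv.conf and /etc/dhclient.conf to check a real system.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit the system DNS
# configuration for entries that would bypass unbound and dnscrypt_proxy.
# Both checks work on plain files, so sample configs are constructed
# inline below for demonstration.

# check_resolv_conf FILE
# Return 0 if every "nameserver" line in FILE points at 127.0.0.1 and at
# least one such line exists; otherwise print the offending entries and
# return 1. Comments and other keywords (lookup, search, family) are ignored.
check_resolv_conf() {
    file=$1
    local_ns=0
    leaks=0
    while read -r key addr rest; do
        case $key in
            ''|'#'*|';'*) continue ;;
            nameserver)
                if [ "$addr" = "127.0.0.1" ]; then
                    local_ns=1
                else
                    echo "leak: $file sends queries to $addr"
                    leaks=1
                fi
                ;;
        esac
    done < "$file"
    if [ "$local_ns" -eq 0 ]; then
        echo "warning: $file has no 'nameserver 127.0.0.1' entry"
        return 1
    fi
    return $leaks
}

# check_dhclient_conf FILE
# Return 0 if FILE contains "supersede domain-name-servers 127.0.0.1;",
# so nameservers offered by DHCP are never written to resolv.conf;
# return 1 otherwise.
check_dhclient_conf() {
    grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+127\.0\.0\.1[[:space:]]*;' "$1"
}

# Constructed samples: a resolv.conf as dhclient writes it without the
# supersede line (leaks to the DHCP-provided resolver 192.0.2.1), the
# hardened one, and a dhclient.conf with the supersede statement.
tmp=$(mktemp -d)
printf 'search example.net\nnameserver 192.0.2.1\nnameserver 127.0.0.1\n' > "$tmp/resolv.conf.leaky"
printf '# local resolver only\nnameserver 127.0.0.1\n' > "$tmp/resolv.conf.ok"
printf 'supersede domain-name-servers 127.0.0.1;\n' > "$tmp/dhclient.conf.ok"

for f in "$tmp/resolv.conf.leaky" "$tmp/resolv.conf.ok"; do
    if check_resolv_conf "$f"; then
        echo "$f: all DNS queries stay on 127.0.0.1"
    fi
done
if check_dhclient_conf "$tmp/dhclient.conf.ok"; then
    echo "dhclient.conf: DHCP-provided nameservers are superseded by 127.0.0.1"
fi
rm -r "$tmp"
```

The resolv.conf check deliberately fails when no nameserver 127.0.0.1 line is present at all, since a file that lists no resolver is as broken as one that leaks; run it again after every dhclient lease renewal if you suspect the supersede statement is not being honoured.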

If you experience any problems after following this Howto, please contact support@ipredator.se. For error corrections or feedback please write an email to feedback@ipredator.se. Of course we are also available via our Online Chat.