Adding DNSCrypt to Unbound

In my last post, Setting Up a FreeBSD DNS Adblocker, I discussed how to set up an Unbound DNS server on FreeBSD to block ads.

In this post, we'll add DNSCrypt as the upstream for our FreeBSD Unbound server, so that the queries Unbound cannot answer itself are sent to the chosen resolver over an authenticated channel. This adds a layer of protection for you and your users against spoofed or tampered upstream answers.


DNSCrypt

DNSCrypt, as defined by its website, is:

A protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

Aside from that, DNSCrypt also states the following:

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent third-party DNS resolvers from logging your activity. By design, the TLS protocol, as used in HTTPS and HTTP/2, leaks websites host names in plain text, so DNSCrypt is not enough to hide this information.

This is important to understand!

A Quick Note

In this post, we are going to set up DNSCrypt to be used by our Unbound DNS server. dnscrypt-proxy will essentially be Unbound's forwarder: clients keep talking to Unbound on port 53, and anything Unbound cannot answer from its local-zone entries or cache is handed to dnscrypt-proxy, which encrypts and authenticates it to the chosen DNSCrypt resolver. I recommend that you read up on the available DNSCrypt resolvers before picking one, as some of them knowingly log queries (the resolver list flags which ones claim not to), if that is a valid concern to you.

Installing DNSCrypt-proxy

As with Unbound, we are going to use ports to install dnscrypt-proxy. Setting up DNSCrypt is relatively simple and only takes a few minutes.

Installing DNSCrypt-proxy:

cd /usr/ports/dns/dnscrypt-proxy/

sudo make install clean

DNSCrypt Setup

Great, we've installed dnscrypt-proxy. It is now time to configure the service; on FreeBSD the rc settings for it are set with sysrc.

Enable the service:

sudo sysrc dnscrypt_proxy_enable="YES"

Bind the proxy to lo/localhost on port 5353 (a port other than 53, so it does not collide with Unbound, which keeps serving clients on 53):

sudo sysrc dnscrypt_proxy_flags="-a 127.0.0.1:5353"

Next up, we want to specify which resolver we're going to use. When installed, the port puts a CSV of public resolvers on the system (/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv); the same listing can be found online at https://dnscrypt.org/dnscrypt-resolvers.html. The value passed to dnscrypt_proxy_resolver is the short name in the first column of that CSV.

Specify the resolver (*cisco == OpenDNS):

sudo sysrc dnscrypt_proxy_resolver="cisco"

* In this example, I used OpenDNS. Feel free to use whatever DNSCrypt resolver you want. One caveat: if your unbound.conf from the previous post validates DNSSEC (auto-trust-anchor-file), pick a resolver whose "DNSSEC validation" column in the CSV says yes; a forwarder that strips DNSSEC records will make Unbound return SERVFAIL for signed names.

Start the service:

sudo service dnscrypt-proxy start

Unbound Configuration

Now that dnscrypt-proxy is listening on localhost port 5353, we will want to alter our unbound.conf file so that Unbound forwards through the proxy instead of recursing on its own. Doing this is quite simple; we only need to change two things.

Allow Unbound to send queries to localhost. By default Unbound refuses to query any address in 127.0.0.0/8, which is exactly where the proxy now lives, so add this to the server: section:

do-not-query-localhost: no

Change your forward-zone section to forward everything (name ".") to the proxy's address and port:

    forward-zone:
        name: "."
        forward-addr: 127.0.0.1@5353

In one instance I had to specify my DNS server in resolv.conf. Once I did, things seemed to work.

Now that this is all completed, restart the Unbound service and we should be good to go. The local-zone entries from the adblocker post are still answered locally, since Unbound checks local data before consulting forwarders; only the remaining queries go out through dnscrypt-proxy.
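As an added example (not part of the original post, and not a tool shipped by Unbound or dnscrypt-proxy), here is a small POSIX sh script that ties the steps above together: it renders the two unbound.conf changes, checks an existing unbound.conf for them (tolerating the spacing differences Unbound accepts), and runs a live check on the host with FreeBSD's sockstat and drill. It assumes the port's default config path /usr/local/etc/unbound/unbound.conf and the 127.0.0.1:5353 proxy address from the sysrc step; both are assumptions and can be overridden through the UNBOUND_CONF, PROXY_ADDR and PROXY_PORT environment variables.

```shell
#!/bin/sh
# Added example: verify the Unbound -> dnscrypt-proxy hand-off.
# Assumed defaults (override via environment): FreeBSD port paths and the
# 127.0.0.1:5353 proxy socket configured with sysrc above.
UNBOUND_CONF="${UNBOUND_CONF:-/usr/local/etc/unbound/unbound.conf}"
PROXY_ADDR="${PROXY_ADDR:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-5353}"

# Print the unbound.conf fragment that sends every non-local query to the
# proxy. do-not-query-localhost belongs in server:; the forward-zone is a
# top-level clause of its own.
render_forward_zone() {
    addr="$1"; port="$2"
    printf 'server:\n    do-not-query-localhost: no\n\n'
    printf 'forward-zone:\n    name: "."\n    forward-addr: %s@%s\n' "$addr" "$port"
}

# Return 0 if the config lets Unbound query localhost and forwards "." to
# addr@port; otherwise print what is missing and return 1.
check_unbound_conf() {
    conf="$1"; addr="$2"; port="$3"; rc=0
    # Drop comments and collapse whitespace so that name:"." and name: "."
    # (both accepted by Unbound) compare equal.
    clean=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$conf")
    if ! printf '%s\n' "$clean" | grep -qFx 'do-not-query-localhost: no'; then
        echo "missing: do-not-query-localhost: no (Unbound will not query 127.0.0.0/8 by default)"
        rc=1
    fi
    if ! printf '%s\n' "$clean" | grep -qFx 'forward-zone:'; then
        echo "missing: forward-zone: clause"
        rc=1
    fi
    if ! printf '%s\n' "$clean" | grep -qxE 'name: ?"\."'; then
        echo 'missing: name: "." inside forward-zone'
        rc=1
    fi
    if ! printf '%s\n' "$clean" | grep -qFx "forward-addr: $addr@$port"; then
        echo "missing: forward-addr: $addr@$port"
        rc=1
    fi
    return $rc
}

# Live checks for the running FreeBSD host: is dnscrypt-proxy bound to the
# proxy socket, and does a query succeed first through the proxy directly
# and then through Unbound?
live_check() {
    if sockstat -4 -l 2>/dev/null | grep -q "dnscrypt.*$PROXY_ADDR:$PROXY_PORT"; then
        echo "ok: dnscrypt-proxy listening on $PROXY_ADDR:$PROXY_PORT"
    else
        echo "fail: dnscrypt-proxy not listening on $PROXY_ADDR:$PROXY_PORT (check: service dnscrypt-proxy status)"
        return 1
    fi
    # drill is in the FreeBSD base system; rcode NOERROR means the proxy
    # reached its DNSCrypt resolver and the answer verified.
    drill -p "$PROXY_PORT" example.com @"$PROXY_ADDR" | grep -q 'rcode: NOERROR' \
        || { echo "fail: query straight to the proxy did not resolve"; return 1; }
    drill example.com @127.0.0.1 | grep -q 'rcode: NOERROR' \
        || { echo "fail: query through Unbound did not resolve (do-not-query-localhost?)"; return 1; }
    echo "ok: queries resolve through Unbound and dnscrypt-proxy"
}

case "${1:-}" in
    render) render_forward_zone "$PROXY_ADDR" "$PROXY_PORT" ;;
    check)  check_unbound_conf "$UNBOUND_CONF" "$PROXY_ADDR" "$PROXY_PORT" ;;
    live)   live_check ;;
    *)      echo "usage: $0 render|check|live" ;;
esac
```

Run `sh dnscrypt-check.sh check` after editing unbound.conf and `sudo service unbound restart`, then `sh dnscrypt-check.sh live`; `render` prints the fragment to paste if the check reports something missing.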

End

That's it! We've now configured Unbound to resolve through DNSCrypt, adding authenticated upstream resolution to our public Unbound adblocker.


As usual, I wrote this post late. If something's wrong, please feel free to let me know!

Cheers,
ProToxin

Join EFF!