[Abandoned] Package request: dnscrypt-proxy v2

For developer discussion on package requests
pemartins
Posts: 32
Joined: Fri Nov 09, 2018 5:15 am

#1 Post by pemartins »

Currently on the MX 17/18 repo we only have the old and unmaintained version of dnscrypt-proxy. Is it possible to have the new version 2 instead?
Debian has it on the test branches.


EDIT: never mind, I cannot get it to work. From what I've been browsing it's a systemd thing.

Stevo
Developer
Posts: 12832
Joined: Fri Dec 15, 2006 8:07 pm

#2 Post by Stevo »

Does it work if you boot MX with systemd?

rootetsy
Posts: 19
Joined: Sat May 12, 2018 8:45 pm

#3 Post by rootetsy »

This sounds like you're trying to do DNS over TLS. I haven't tried dnscrypt-proxy before but I was able to get this mostly working with Unbound. I have a thread about it here:
viewtopic.php?f=80&t=46918

The only thing that I couldn't get working was the certificate verification. It looks like the version of Unbound in the Debian Stable repos is not a high enough version and the one from Debian Testing needs a higher version of libc. :(

So that might help you. It would be great to have others' feedback on that. :)

pemartins
Posts: 32
Joined: Fri Nov 09, 2018 5:15 am

#4 Post by pemartins »

Stevo wrote: Thu Jan 10, 2019 6:42 pm Does it work if you boot MX with systemd?
Apparently it all seems to work, but when testing it does not change the DNS provider. All behaves as expected following these instructions, but when I test it here or here, it does change the final digits of the IP address but not the country or the ISP, no matter what server I put in server_names = ['********'] in /etc/dnscrypt-proxy/dnscrypt-proxy.toml. It always shows the info of my ISP provider.
Testing in KDE neon it does change the country and the ISP.

But nevertheless it is not my goal to use systemd so even if I got it to work it wouldn't be of much value.

---
rootetsy wrote: Thu Jan 10, 2019 6:49 pm This sounds like you're trying to do DNS over TLS. I haven't tried dnscrypt-proxy before but I was able to get this mostly working with Unbound. I have a thread about it here:
viewtopic.php?f=80&t=46918

The only thing that I couldn't get working was the certificate verification. It looks like the version of Unbound in the Debian Stable repos is not a high enough version and the one from Debian Testing needs a higher version of libc. :(

So that might help you. It would be great to have others' feedback on that. :)
I cannot be of assistance due to lack of knowledge, basically I wanna use dnscrypt-proxy because I came across an article that said that it solves a security/privacy problem I didn't even know existed. I did some browsing on the matter and that's all the knowledge I have, technically I know nothing on the matter. :frown:

rootetsy
Posts: 19
Joined: Sat May 12, 2018 8:45 pm

#5 Post by rootetsy »

Hi pemartins,

OK it definitely sounds like you're trying to solve the same problem as me. At least at this step.

I haven't tried dnscrypt-proxy but it looks like the version in the Debian Testing repo has the same problem as Unbound (the method I'm using). dnscrypt-proxy v2 requires a newer version of libc6 than is currently available with Debian Stable, unfortunately.

Maybe one of the talented guys here at MX can weigh in but I think that libc6 requirement is a killer for us on Debian Stable.

That said, Unbound is working for me and shows Cloudflare as my "ISP" in the tests that you are using to verify. Additionally, my DNS traffic is encrypted and can be verified with tcpdump. :) Check out this guide that I followed to get it working.
https://www.dnsknowledge.com/unbound/co ... -on-linux/

It's for CentOS but it works on Debian too. The only part we're missing from this setup is the section labeled "How do I verifying the certificates of the forwarders with this setup?". That part can't be done in the version that we have available.

So what does that leave us with? With the Unbound setup that I'm using it does indeed encrypt all of my DNS traffic. That will stop most ISPs and attackers from spying on or manipulating my DNS traffic. Only more advanced MITM attacks would be able to spy on or change the DNS results in this case, simply because it doesn't actually verify the SSL connection.

The Unbound setup actually looks easier to set up to me than dnscrypt-proxy too.

Let me know if you have any questions about the config I'm using with Unbound. And of course, if you do get dnscrypt-proxy working correctly let me know. :)

Cheers!
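
Added example (not part of the thread or of the guide linked above): a minimal DNS-over-TLS client in Python showing the difference between the encrypted-but-unverified setup described in post #5 and one that checks the resolver's certificate and name. The function names, and any resolver address or authentication name you pass in (for example 1.1.1.1 with cloudflare-dns.com), are assumptions made for the illustration.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_for_dot(message):
    """DNS over TLS reuses DNS-over-TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def make_context(verify):
    """verify=False: traffic is encrypted, but any certificate is accepted,
    so an on-path party that terminates TLS itself goes unnoticed.
    verify=True: the chain and the server name must both validate."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False   # has to be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def _recv_exact(sock, n):
    """Read exactly n bytes or fail; TLS records may split a message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_query(server_ip, auth_name, qname, verify=True, timeout=5):
    """Send one query to port 853 and return the raw DNS response bytes.
    With verify=True a bad certificate raises ssl.SSLCertVerificationError."""
    ctx = make_context(verify)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_dot(build_query(qname)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return _recv_exact(tls, length)
```

Calling dot_query with verify=False succeeds against anything that speaks TLS on port 853; with verify=True it only succeeds if the certificate chains to a trusted CA and matches auth_name.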

pemartins
Posts: 32
Joined: Fri Nov 09, 2018 5:15 am

#6 Post by pemartins »

rootetsy wrote: Sun Jan 13, 2019 12:18 pm That said, Unbound is working for me and shows Cloudflare as my "ISP" in the tests that you are using to verify.
I apologize again if I'm saying nonsense because I totally lack the knowledge, but is there a chance that it is not working properly for you? Let me explain from what I observed in my testing using KDE neon and this website.

1- Without dnscrypt-proxy, using automatic DNS from my ISP
I get something like
IP              HOSTNAME                    ISP                 COUNTRY
62.169.xx.xxx   62.169.xx.xxx.rev.xxxx.xx   <name of my ISP>    <my country flag>
+ several equal lines more only changing the final couple of digits of the IP

2- Without dnscrypt-proxy, using automatic (only addresses) with Cloudflare's DNS 1.1.1.1, 1.0.0.1
IP              HOSTNAME                    ISP                 COUNTRY
172.68.xxx.xx                               CLOUDFLARENET       <my country flag>
+ several equal lines more only changing the final couple of digits of the IP

3- With dnscrypt-proxy working with the default settings, untouched and without any personal server settings
IP                HOSTNAME                 ISP                                  COUNTRY
77.66.84.233      resolver2.dnscrypt.eu    Inota                                DK
178.216.201.222   dc1.soltysiak.com        E24-NET                              PL
77.72.125.206     206.125.72.77.chtp.net   LTD "Chaika Telecom Peterburg" ISP   RU
37.221.195.181    trashvpn.de              netcup GmbH                          DE
77.88.56.72                                Yandex enterprise network            RU

So wouldn't you be getting the same results you have now if you just entered Cloudflare's DNS like I did in 2, without even using Unbound at all?
Can you test it with tcpdump and check if the traffic is getting encrypted as well?

I have the idea that, for it to be working, that maybe at least a different country should be being shown? So some routing/encrypting was taking place?
But like I said, maybe I'm just saying nonsense because I totally lack any technical knowledge.

Brigs
Posts: 17
Joined: Sun May 07, 2017 9:07 am

#7 Post by Brigs »

pemartins wrote: Thu Jan 10, 2019 4:23 am Currently on the MX 17/18 repo we only have the old and unmaintained version of dnscrypt-proxy. Is it possible to have the new version 2 instead?
Debian has it on the test branches.

EDIT: never mind, I cannot get it to work. From what I've been browsing it's a systemd thing.

I'm following their Linux installation instructions here. Change some parameters from their default values in dnscrypt-proxy.toml and voilà, it works in MX18 without needing to remove the resolvconf package. I opened tcp/udp 53 as a service on my local net so other devices can connect to it as a working DNS server.

Stevo wrote: Thu Jan 10, 2019 6:42 pm Does it work if you boot MX with systemd?

Yes Stevo, they give an explanation about working in systemd here. It would be nice if it could be ported to the MX repo too.

systemctl status dnscrypt-proxy.service
● dnscrypt-proxy.service - LSB: DNSCrypt client proxy
   Loaded: loaded (/etc/init.d/dnscrypt-proxy; generated; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-06 20:21:56 WIB; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1020 ExecStart=/etc/init.d/dnscrypt-proxy start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/dnscrypt-proxy.service
           └─1032 /opt/dnscrypt-proxy/dnscrypt-proxy -child

Mar 06 20:21:55 DerPanzer systemd[1]: Starting LSB: DNSCrypt client proxy...
Mar 06 20:21:55 DerPanzer dnscrypt-proxy[1020]: Starting dnscrypt-proxy
Mar 06 20:21:56 DerPanzer systemd[1]: Started LSB: DNSCrypt client proxy.
MX18 - 4.19.0-16.1-liquorix
i7-2700K@4.3 - Z68V-Pro - RX-560 - 2x8GB D3 - 3x2TB

El-Capitan
i5-760@3.4 - P7P55D-E - XFX 6850B.E - 4x2GB D3 - 500GB

Username
Posts: 1
Joined: Tue Jun 18, 2019 3:20 am

#8 Post by Username »

Hey Brigs,

Would it be rude of me to ask if you could share your knowledge on how you configured it in detail? Like a mini guide or something?
