cofyc/dnscrypt-wrapper
1
1
Fork 0
mirror of https://github.com/cofyc/dnscrypt-wrapper.git synced 2024-10-04 07:07:08 +03:00
Code Issues Packages Projects Releases Wiki Activity
This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.
211 Commits 10 Branches 25 Tags 2.4 MiB
C 84.3%
Shell 4.8%
Python 3.6%
Makefile 2.8%
Gherkin 1.8%
Other 2.7%
8c53c4ee90
Go to file
Yecheng Fu 8c53c4ee90 release: bumped version to 0.2, because cli args changed a lot in 0.1.17 
Import argparse src files directly, it's convenient for people who
download source tarball from github.
2015-08-01 12:05:02 +08:00
argparse Import argparse sources directly, it is better if compile from tarball of source files. 2015-08-01 11:51:58 +08:00
example Merge pull request #48 from jedisct1/nobashism 2015-07-05 20:01:52 +08:00
.gitignore add configure.ac 2013-11-27 15:25:52 +08:00
.gitmodules clear argparse 2015-08-01 11:49:50 +08:00
.travis.yml Travis build: Sodium 0.4.1 is very old. Use at least 1.0.0. 2015-07-05 15:37:17 +02:00
cert.c The query "magic" header should not be fixed. 2015-07-04 22:40:09 +02:00
cert.h Backward compatibility 2015-07-04 23:13:06 +02:00
compat.h Add debug facilities to log stack trace in case of segment fault. 2015-05-24 19:38:39 +08:00
config.mak.in add configure.ac 2013-11-27 15:25:52 +08:00
configure.ac check libevent is version 2 2015-04-28 14:05:03 +08:00
COPYING dnsmasq and argparse are covered by this terrible viral license called GPL. 2013-06-06 20:52:34 -07:00
debug.c Add debug facilities to log stack trace in case of segment fault. 2015-05-24 19:38:39 +08:00
debug.h Add debug facilities to log stack trace in case of segment fault. 2015-05-24 19:38:39 +08:00
dns-protocol.h check txt query for provider name 2012-11-19 17:11:51 +08:00
dnscrypt.c Accept multiple keys. 2015-07-05 15:04:58 +02:00
dnscrypt.h Compatibility with very old versions of Sodium (as on Travis, sigh) 2015-07-05 15:33:30 +02:00
edns.c format code 2013-11-27 16:17:09 +08:00
edns.h format code 2013-11-27 16:17:09 +08:00
gen-version.sh fix crash bug in 1ed67b8f34 2014-11-28 18:11:27 +08:00
logger.c Negative file descriptors are valid descriptors. 2015-07-05 00:30:35 +02:00
logger.h Add debug facilities to log stack trace in case of segment fault. 2015-05-24 19:38:39 +08:00
main.c Merge pull request #53 from jedisct1/pasto 2015-07-06 08:15:55 +08:00
Makefile Clean dependencies. 2015-07-06 10:56:11 +08:00
pidfile.c format code 2013-11-27 16:17:09 +08:00
pidfile.h format code 2013-11-27 16:17:09 +08:00
README.md release: bumped version to 0.2, because cli args changed a lot in 0.1.17 2015-08-01 12:05:02 +08:00
rfc1035.c Don't return a valid hash in questions_hash() to signify an error 2015-01-05 11:02:33 +01:00
rfc1035.h Don't return a valid hash in questions_hash() to signify an error 2015-01-05 11:02:33 +01:00
safe_rw.c format code 2013-11-27 16:17:09 +08:00
safe_rw.h format code 2013-11-27 16:17:09 +08:00
tcp_request.c Accept multiple keys. 2015-07-05 15:04:58 +02:00
tcp_request.h Reorder TCPRequest and UDPRequest fields to save space due to alignment 2015-01-05 13:44:39 +01:00
test.sh Bash is not required to run these scripts. 2015-07-05 12:47:59 +02:00
TODO support tcp protocol 2012-11-22 17:40:04 +08:00
tree.h Replace the UDP request queue with a red-black tree 2015-01-05 13:35:34 +01:00
udp_request.c Accept multiple keys. 2015-07-05 15:04:58 +02:00
udp_request.h Respond to multiple identical queries 2015-01-05 13:58:54 +01:00
version.h release: bumped version to 0.2, because cli args changed a lot in 0.1.17 2015-08-01 12:05:02 +08:00

README.md

Name

dnscrypt-wrapper - A server-side dnscrypt proxy.

(c) 2012-2015 Yecheng Fu <cofyc.jackson at gmail dot com>

Build Status

Description

This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.

This software is modified from dnscrypt-proxy.

Installation

Install libsodium and libevent 2 first.

On Linux:

$ ldconfig # if you install libsodium from source
$ git clone --recursive git://github.com/Cofyc/dnscrypt-wrapper.git
$ make configure
$ ./configure
$ make install

On FreeBSD:

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent2
$ gmake LDFLAGS='-L/usr/local/lib/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include

On OpenBSD:

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/

On MacOS:

$ brew install dnscrypt-wrapper # best recommended

In Docker:

See https://github.com/jedisct1/dnscrypt-server-docker.

Usage

  1. Generate the provider key pair:

    $ dnscrypt-wrapper --gen-provider-keypair

This will create two files in the current directory: public.key and secret.key.

This is a long-term key pair that is never supposed to change unless the secret key is compromised. Make sure that secret.key is securely stored and backuped.

  1. Generate a time-limited secret key, which will be used to encrypt and authenticate DNS queries. Also generate a certificate for it:

    $ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key $ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert

In this example, the time-limited secret key will be saved as 1.key and its related certificate as 1.cert in the current directory.

Time-limited secret keys and certificates can be updated at any time without requiring clients to update their configuration.

  1. Run the program with a given key, a provider name and the most recent certificate:

    dnscrypt-wrapper --resolver-address=114.114.114.114:53 --listen-address=0.0.0.0:443 \

                    --provider-name=2.dnscrypt-cert.yechengfu.com \
                --crypt-secretkey-file=1.key --provider-cert-file=1.cert

The provider name can be anything; it doesn't have to be within an existing domain name. However, it has to start with 2.dnscrypt-cert..

When the service is started with the --provider-cert switch, the proxy will automatically serve the certificate as a TXT record when a query for the provider name is received.

As an alternative, the TXT record can be served by a name server for an actual DNS zone you are authoritative for. In that scenario, the --provider-cert-file option is not required, and instructions for Unbound and TinyDNS are displayed by the program when generating a provider certificate.

  1. Run dnscrypt-proxy to check if it works:

    dnscrypt-proxy --local-address=127.0.0.1:55 --resolver-address=127.0.0.1:443 \

                  --provider-name=2.dnscrypt-cert.yechengfu.com \
              --provider-key=<provider_public_key_fingerprint>

    $ dig -p 55 google.com @127.0.0.1

<provider_public_key_fingerprint> is public key fingerprint generated by dnscrypt-wrapper --gen-provider-keypair, which looks like 4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952.

Optionally, add -d/--daemonize flag to run as a daemon.

Run dnscrypt-wrapper -h to view command line options.

Running unauthenticated DNS and the dnscrypt service on the same port

By default, and with the exception of records used for the certificates, only queries using the DNSCrypt protocol will be accepted.

If you want to run a service only accessible using DNSCrypt, this is what you want.

If you want to run a service accessible both with and without DNSCrypt, what you usually want is to keep the standard DNS port for the unauthenticated DNS service (53), and use a different port for DNSCrypt. You don't have to change anything for this either.

However, if you want to run both on the same port, maybe because only port 53 is reachable on your server, you can add the -U (--unauthenticated) switch to the command-line. This is not recommended.

Key rotation

Time-limited keys are bound to expire.

dnscrypt-proxy can check if the current key for a given server is not going to expire soon:

$ dnscrypt-proxy --resolver-address=127.0.0.1:443 \
                 --provider-name=2.dnscrypt-cert.yechengfu.com \
                 --provider-key=<provider_public_key_fingerprint> \
                 --test=10080

The --test option is followed by a "grace margin".

The command will immediately exit after verifying the certificate validity.

The exit code is 0 if a valid certificate can be used, 2 if no valid certificates ca be used, 3 if a timeout occurred, and 4 if a currently valid certificate is going to expire before margin.

The margin is always specificied in minutes.

This can be used in a cron tab to trigger an alert before a key is going to expire.

In order to switch to a fresh new key:

  1. Create a new time-limited key (do not change the provider key!) and its certificate:

    $ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=2.key $ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=2.key --provider-cert-file=2.cert

  2. Tell new users to use the new certificate but still accept the old key until all clients have loaded the new certificate:

    dnscrypt-wrapper --resolver-address=114.114.114.114:53 --listen-address=0.0.0.0:443 \

                    --provider-name=2.dnscrypt-cert.yechengfu.com \
                --crypt-secretkey-file=1.key,2.key --provider-cert-file=2.cert

Note that both 1.key and 2.key have be specified, in order to accept both the previous and the current key.

  1. Clients automatically check for new certificates every hour. So, after one hour, the old certificate can be refused, by leaving only the new one in the configuration:

    dnscrypt-wrapper --resolver-address=114.114.114.114:53 --listen-address=0.0.0.0:443 \

                    --provider-name=2.dnscrypt-cert.yechengfu.com \
                --crypt-secretkey-file=2.key --provider-cert-file=2.cert

Please note that on Linux systems, multiples instances of dnscrypt-wrapper can run at the same time. Therefore, in order to switch to a new configuration, one can start a new daemon without killing the previous instance, and only kill the previous instance after the new one started.

This also allows upgrades with zero downtime.

中文文档

注:第三方文档可能未及时与最新版本同步,以 README.md 为准。

See also