How to Install DNSCrypt and Unbound in Arch Linux
DNSCrypt is a protocol that encrypts and authenticates communications between a DNS client and a DNS resolver, which prevents DNS spoofing and man-in-the-middle attacks. DNSCrypt is available for most operating systems, including Linux, Windows, Mac OS X, Android and iOS. In this tutorial I'm using Arch Linux with kernel 4.1.
Unbound is a caching DNS server that resolves any DNS query it receives. When a user requests a name for the first time, Unbound stores the answer in its cache; when the same query arrives again, Unbound answers from the saved cache, which is faster than the first lookup.
In this tutorial I will install "DNSCrypt" to secure DNS communication, and make resolution faster with the "Unbound" DNS cache.
Step 1 - Install yaourt
Yaourt is an AUR (Arch User Repository) helper that makes it easy for Arch Linux users to install programs from the AUR. Yaourt uses the same syntax as pacman, so you can install programs with yaourt just as you would with pacman. This is an easy way to install yaourt:
- Edit the Arch repository configuration file "/etc/pacman.conf" with nano or vi (root privileges are required to save it):
$ sudo nano /etc/pacman.conf
- Add the yaourt repository at the bottom of the file by pasting the lines below. Note that "SigLevel = Never" tells pacman to skip package signature verification for this repository, so packages from it are installed unverified:
[archlinuxfr]
SigLevel = Never
Server = http://repo.archlinux.fr/$arch
- Save it by pressing "Ctrl + x" and then "Y".
- Now update the repository database and install yaourt with the pacman command:
$ sudo pacman -Sy yaourt
Step 2 - Install DNSCrypt and Unbound
DNSCrypt and Unbound are available in the Arch Linux repository, so you can install them with the pacman command:
$ sudo pacman -S dnscrypt-proxy unbound
Wait for it and press "Y" to proceed with the installation.
Step 3 - Install dnscrypt-autoinstall
Dnscrypt-autoinstall is a script for installing and automatically configuring DNSCrypt on Linux-based systems. Dnscrypt-autoinstall is available in the AUR (Arch User Repository), so you must use the "yaourt" command to install it:
$ yaourt -S dnscrypt-autoinstall
Note :
-S is the same as pacman -S: it installs a software package.
Step 4 - Run dnscrypt-autoinstall
Run the command "dnscrypt-autoinstall" with root privileges to configure DNSCrypt automatically:
$ sudo dnscrypt-autoinstall
Press "Enter" to move to the next configuration step, then type "y" and choose the DNS provider you want to use. I'm using DNSCrypt.eu here, which features no logs and DNSSEC.
Step 5 - Configure DNSCrypt and Unbound
- Open the DNSCrypt configuration file "/etc/conf.d/dnscrypt-config" and make sure "DNSCRYPT_LOCALIP" points to the localhost IP. The port in "DNSCRYPT_LOCALPORT" is up to you; I'm using port 40 here.
$ sudo nano /etc/conf.d/dnscrypt-config
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=40
Save and exit.
- Now you can edit the Unbound configuration in "/etc/unbound/". Edit the configuration file with the nano editor:
$ sudo nano /etc/unbound/unbound.conf
- Add the following lines at the end of the file. "do-not-query-localhost: no" is a "server:" option, so it is placed under a "server:" heading here in case the end of your file is not already inside that section (Unbound merges repeated "server:" clauses):
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
Make sure the "forward-addr" port is the same as the "DNSCRYPT_LOCALPORT" setting in DNSCrypt. You can see that I'm using port 40.
Then save and exit.
Step 6 - Run DNSCrypt and Unbound, then Add to startup/Boot
Run DNSCrypt and Unbound with root privileges; you can do it with the systemctl command:
$ sudo systemctl start dnscrypt-proxy unbound
Add the services to boot time/startup. You can do it by running "systemctl enable":
$ sudo systemctl enable dnscrypt-proxy unbound
The command creates symlinks pointing to the service unit files in the "/usr/lib/systemd/system/" directory, so both services start at boot.
Step 7 - Configure resolv.conf and restart all services
Resolv.conf is the file Linux uses to configure the Domain Name Server (DNS) resolver. It is just a plain-text file maintained by the administrator, so you must edit it with root privileges and then make it immutable so that nothing can overwrite it.
Edit it with the nano editor:
$ sudo nano /etc/resolv.conf
and add the localhost IP "127.0.0.1" as the nameserver, i.e. the line "nameserver 127.0.0.1". Now make it immutable with the "chattr" command:
$ sudo chattr +i /etc/resolv.conf
Note :
If you want to edit it again, make it writable with the command "chattr -i /etc/resolv.conf".
Now you need to restart DNSCrypt, Unbound and the network:
$ sudo systemctl restart dnscrypt-proxy unbound netctl
If you see an error, check your configuration files.
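The three files edited in Steps 5 and 7 have to agree with each other: Unbound must forward to the port dnscrypt-proxy listens on, and resolv.conf must point only at the local resolver, otherwise queries silently bypass the whole chain. The following script is an added example, not part of the original tutorial, that checks exactly that. It uses the tutorial's paths and key names; the sample files it writes into a temporary directory are constructed here so the check can be exercised without touching /etc.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that the three configuration files
# agree with each other: the port Unbound forwards to must be the port dnscrypt-proxy
# listens on, DNSCRYPT_LOCALIP must be 127.0.0.1, and resolv.conf must point only at
# the local resolver. File paths and key names are the ones used in the tutorial.

# Value of a KEY=VALUE line in /etc/conf.d/dnscrypt-config (last occurrence wins).
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Port from a line like "forward-addr: 127.0.0.1@40" in unbound.conf.
unbound_forward_port() {  # $1 = unbound.conf
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*127\.0\.0\.1@\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds only if resolv.conf has at least one nameserver and all of them are local.
# A stray upstream nameserver here would let queries bypass Unbound and DNSCrypt.
resolv_is_local() {  # $1 = resolv.conf
    resolv_ns=$(grep -E '^[[:space:]]*nameserver[[:space:]]' "$1" | awk '{print $2}')
    [ -n "$resolv_ns" ] || return 1
    for resolv_entry in $resolv_ns; do
        case "$resolv_entry" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Full check; prints each mismatch and returns 1 if anything is wrong, 0 otherwise.
check_dns_chain() {  # $1 = dnscrypt-config, $2 = unbound.conf, $3 = resolv.conf
    chain_ok=0
    dc_ip=$(conf_value "$1" DNSCRYPT_LOCALIP)
    dc_port=$(conf_value "$1" DNSCRYPT_LOCALPORT)
    fwd_port=$(unbound_forward_port "$2")
    if [ "$dc_ip" != "127.0.0.1" ]; then
        echo "DNSCRYPT_LOCALIP is '$dc_ip', expected 127.0.0.1"
        chain_ok=1
    fi
    if [ -z "$fwd_port" ]; then
        echo "unbound.conf has no forward-addr pointing at 127.0.0.1"
        chain_ok=1
    elif [ "$fwd_port" != "$dc_port" ]; then
        echo "Unbound forwards to port $fwd_port but dnscrypt-proxy listens on port '$dc_port'"
        chain_ok=1
    fi
    if ! resolv_is_local "$3"; then
        echo "resolv.conf does not point only at the local resolver"
        chain_ok=1
    fi
    return $chain_ok
}

# Writes constructed sample copies of the three files into $1, forwarding to port $2,
# so the check can be exercised without touching /etc.
write_sample_configs() {  # $1 = directory, $2 = port Unbound forwards to
    printf '%s\n' 'DNSCRYPT_LOCALIP=127.0.0.1' 'DNSCRYPT_LOCALIP2=127.0.0.2' \
        'DNSCRYPT_LOCALPORT=40' > "$1/dnscrypt-config"
    printf '%s\n' 'server:' '    do-not-query-localhost: no' 'forward-zone:' \
        '    name: "."' "    forward-addr: 127.0.0.1@$2" > "$1/unbound.conf"
    printf 'nameserver 127.0.0.1\n' > "$1/resolv.conf"
}

# Demo on constructed files: a matching port 40 passes, a mismatched port 53 fails.
# On the real system run:
#   check_dns_chain /etc/conf.d/dnscrypt-config /etc/unbound/unbound.conf /etc/resolv.conf
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir" 40
check_dns_chain "$demo_dir/dnscrypt-config" "$demo_dir/unbound.conf" "$demo_dir/resolv.conf" \
    && echo "sample configuration with port 40 is consistent"
write_sample_configs "$demo_dir" 53
check_dns_chain "$demo_dir/dnscrypt-config" "$demo_dir/unbound.conf" "$demo_dir/resolv.conf" \
    || echo "sample configuration with port 53 is rejected, as expected"
rm -rf "$demo_dir"
```

Run it as root (or with sudo) when checking the live files, since /etc/conf.d/dnscrypt-config may not be world-readable. The resolv.conf check is the one that matters most for security: a second, non-local "nameserver" line means the libc resolver may send plaintext queries straight to that server whenever Unbound is slow or down.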
Testing
- Test DNSCrypt
You can be sure that DNSCrypt is working correctly by visiting https://dnsleaktest.com/, clicking "Standard Test" or "Extended Test" and waiting for the process to finish.
You should now see that DNSCrypt is working with DNSCrypt.eu as your DNS provider.
- Test Unbound
Now you should check that Unbound is working correctly with the "dig" or "drill" command.
These are the results of the dig command:
$ dig linoxide.com
Look at the results: the "Query time" is "533 msec":
;; Query time: 533 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 30 14:48:19 WIB 2015
;; MSG SIZE rcvd: 188
Then try again with the same command. This time the "Query time" is "0 msec":
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 30 14:51:05 WIB 2015
;; MSG SIZE rcvd: 188
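The two dig runs above show what a cache hit looks like: the same name, the same "SERVER: 127.0.0.1#53" line, and a query time that drops from 533 msec to 0 msec. The following script is an added example, not part of the original tutorial, that extracts those values from dig's statistics section and applies the same test automatically. The two sample outputs embedded in it are the stats lines printed above; cache_check_live is an assumed helper name that runs dig twice on a live system and is not called by default.

```shell
#!/bin/sh
# Added example (not from the tutorial): pull the "Query time" and "SERVER" values out of
# dig's statistics section and decide whether a repeated lookup was answered from Unbound's
# cache. The two sample outputs below are the stats lines shown in the tutorial.

# "Query time" in milliseconds from dig output on stdin (empty if the line is missing).
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# The ip#port that answered, from the ";; SERVER:" line of dig output on stdin.
answering_server() {
    sed -n 's/^;; SERVER: \([^ (]*\).*/\1/p' | head -n 1
}

# Succeeds if the second run was answered by the local resolver on port 53 (i.e. Unbound,
# not an upstream server reached past it) and took less time than the first run.
looks_cached() {  # $1 = dig output of first run, $2 = dig output of second run
    first_ms=$(printf '%s\n' "$1" | query_time_ms)
    second_ms=$(printf '%s\n' "$2" | query_time_ms)
    second_srv=$(printf '%s\n' "$2" | answering_server)
    [ -n "$first_ms" ] && [ -n "$second_ms" ] || return 1
    [ "$second_srv" = "127.0.0.1#53" ] || return 1
    [ "$second_ms" -lt "$first_ms" ]
}

# Live variant (assumed helper name) for a running system: query the same name twice.
# Not called below, so the script also runs where dig is not installed.
cache_check_live() {  # $1 = name to resolve
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
    run1=$(dig "$1")
    run2=$(dig "$1")
    if looks_cached "$run1" "$run2"; then
        echo "$1: $(printf '%s\n' "$run1" | query_time_ms) ms, then $(printf '%s\n' "$run2" | query_time_ms) ms from the local cache"
    else
        echo "$1: second lookup was not a faster answer from 127.0.0.1#53"
        return 1
    fi
}

# Constructed sample input: the stats lines shown in the tutorial for the two dig runs.
FIRST_RUN=';; Query time: 533 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 30 14:48:19 WIB 2015
;; MSG SIZE  rcvd: 188'
SECOND_RUN=';; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 30 14:51:05 WIB 2015
;; MSG SIZE  rcvd: 188'

if looks_cached "$FIRST_RUN" "$SECOND_RUN"; then
    echo "second run served from cache by $(printf '%s\n' "$SECOND_RUN" | answering_server)"
fi
```

Two caveats when reading the result. The "SERVER: 127.0.0.1#53" line only proves the answer came through Unbound; it says nothing about whether Unbound's upstream was dnscrypt-proxy, which is what the dnsleaktest check above is for. And if the name was already cached before the first run, both times will be near zero and the comparison fails even though caching works; query a name you have not looked up recently.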
So DNSCrypt's secure communication between the DNS client and the DNS resolver is working, and Unbound makes it faster when the same request is made again by answering from the cache it has saved.
Conclusion
DNSCrypt is a protocol that encrypts the data flow between the DNS client and the DNS resolver. DNSCrypt can run on various operating systems, both mobile and desktop. Choosing the DNS provider is also important: pick one that provides DNSSEC and keeps no logs. Unbound can be used as a DNS cache, which speeds up the resolving process: Unbound stores each answer in its cache, and when a client sends the same query again, Unbound answers from the cache it has saved. DNSCrypt and Unbound are a powerful combination for safety and speed.
via: http://linoxide.com/tools/install-dnscrypt-unbound-archlinux/