diff --git a/blog/_posts/2018-10-21-dnscrypt-proxy-quick-dirty-debian.md b/blog/_posts/2018-10-21-dnscrypt-proxy-quick-dirty-debian.md index 48fc257..57344dc 100644 --- a/blog/_posts/2018-10-21-dnscrypt-proxy-quick-dirty-debian.md +++ b/blog/_posts/2018-10-21-dnscrypt-proxy-quick-dirty-debian.md @@ -101,7 +101,8 @@ Nameserver is the host where dnscrypt-proxy said to be listening on in journalctl, options are from dnscrypt-proxy documentation and search means domains that are automatically searched for if you don't use fully qualified domain names, e.g. `ssh machine` in my (uncommented) config -would turn into `ssh machine.mikaela.info`. +would turn into `ssh machine.mikaela.info`. Update: I find this a privacy +leakage (whenever NXDOMAIN happens), which is why I nowadays have it commented. You should also tell dhclient to not touch resolv.conf or you may get many files into `/etc` beginning with names `resolv.conf.dhclient-new.` @@ -130,3 +131,35 @@ sudo chown -R _dnscrypt-proxy:nogroup /var/cache/dnscrypt-proxy /var/log/dnscryp * * * * * For the curious my dnscrypt-proxy config [is in my shell-things repository](https://github.com/Mikaela/shell-things/tree/master/etc/dnscrypt-proxy) [mirror](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/dnscrypt-proxy). + +* * * * * + +## 2019-07-22 update + +I have also started performing local DNSSEC validation by running Unbound +in front of DNSCrypt-proxy, so my queries go resolv.conf -> Unbound -> +dnscrypt-proxy -> configured resolvers. This has the advantage that if the +resolver didn't perform DNSSEC validation or lied about performing it, the +protection by DNSSEC would still be received. + +The steps are simple: + +1. `sudo apt install unbound` + * You should see a file `/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf` + which simply says `server:` and on another line after intending + `auto-trust-anchor-file: "/var/lib/unbound/root.key"` (the path varies + by distribution) which means it's performing DNSSEC validation with + those trust anchors. +2. `sudo nano /etc/unbound/unbound.conf.d/dnscrypt-proxy.conf` + +``` +do-not-query-localhost: no +forward-zone: + name: "." + forward-addr: 127.0.2.1@53 +``` + +3. `sudo systemctl restart unbound` +4. Ensure `/etc/resolv.conf` points to `127.0.0.1` and optionally `::1` +instead of `127.0.2.1` where dnscrypt-proxy runs by default. For more +details, CTRL + F for resolv.conf or chattr.