From 17b5596d80d3d7cd004f6d948d9bdd872449a254 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Wed, 13 May 2015 22:20:28 +0300
Subject: [PATCH] etc: dnscrypt
---
 etc/conf.d/dnscrypt-proxy | 7 +++++
 etc/pdnsd.conf | 38 +++++++++++++++++++++++
 etc/resolv.conf | 11 +++++--
 etc/systemd/system/dnscrypt-proxy.service | 19 ++++++++++++
 4 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 etc/conf.d/dnscrypt-proxy
 create mode 100644 etc/pdnsd.conf
 create mode 100644 etc/systemd/system/dnscrypt-proxy.service
diff --git a/etc/conf.d/dnscrypt-proxy b/etc/conf.d/dnscrypt-proxy
new file mode 100644
index 00000000..978b3047
--- /dev/null
+++ b/etc/conf.d/dnscrypt-proxy
@@ -0,0 +1,7 @@
+DNSCRYPT_LOCALIP=127.0.0.2
+DNSCRYPT_LOCALPORT=53
+DNSCRYPT_USER=nobody
+DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com
+DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
+DNSCRYPT_RESOLVERIP=208.67.220.220
+DNSCRYPT_RESOLVERPORT=443
diff --git a/etc/pdnsd.conf b/etc/pdnsd.conf
new file mode 100644
index 00000000..be54f8bf
--- /dev/null
+++ b/etc/pdnsd.conf
@@ -0,0 +1,38 @@
+# https://wiki.archlinux.org/index.php?title=DNSCrypt&oldid=373568#Example:_configuration_for_pdnsd
+global {
+ perm_cache=16384;
+ cache_dir="/var/cache/pdnsd";
+ run_as="pdnsd";
+ server_ip = 127.0.0.1;
+ status_ctl = on;
+ query_method=udp_tcp;
+ min_ttl=15m; # Retain cached entries at least 15 minutes.
+ max_ttl=1w; # One week.
+ timeout=10; # Global timeout option (10 seconds).
+ neg_domain_pol=on;
+ udpbufsize=1024; # Upper limit on the size of UDP messages.
+}
+
+server {
+ label = "dnscrypt-proxy";
+ ip = 127.0.0.2;
+ port = 53;
+ timeout = 4;
+ uptest = query;
+ interval = 15m;
+ proxy_only=on;
+}
+
+source {
+ owner=localhost;
+ file="/etc/hosts";
+}
+
+
+rr {
+ name=localhost;
+ reverse=on;
+ a=127.0.0.1;
+ owner=localhost;
+ soa=localhost,root.localhost,42,86400,900,86400,86400;
+}
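Review bot: `DNSCRYPT_USER=nobody` puts dnscrypt-proxy under an account that other daemons commonly drop to as well, so the resolver process is not isolated from anything else running as `nobody`. A dedicated unprivileged account is the usual choice, e.g. `DNSCRYPT_USER=dnscrypt` (placeholder name; the account has to be created separately). It would also help to add a comment above `DNSCRYPT_PROVIDER_KEY` naming where the fingerprint was obtained, since this pinned key is the trust anchor for the encrypted channel and a reader cannot verify it from the file alone.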
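Review bot: The `server` section in etc/pdnsd.conf hard-codes `ip = 127.0.0.2;` and `port = 53;`, which have to match `DNSCRYPT_LOCALIP`/`DNSCRYPT_LOCALPORT` in etc/conf.d/dnscrypt-proxy, and neither file says so. With `proxy_only=on` and a single upstream, a mismatch leaves pdnsd with no working server, and resolution then depends on whatever else resolv.conf lists. A comment above the section such as `# Upstream is dnscrypt-proxy; keep ip/port in sync with /etc/conf.d/dnscrypt-proxy` would make the coupling visible. `udpbufsize=1024` is also smaller than the `--edns-payload-size=4096` passed in the service unit, which may be intentional but deserves a word of explanation.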
diff --git a/etc/resolv.conf b/etc/resolv.conf
index 16d71d58..37979959 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1,6 +1,11 @@
 nameserver ::1
-#nameserver 2001:4860:4860::8888
-nameserver 2001:4860:4860::8844
+nameserver 2001:4860:4860::8888
+#nameserver 2001:4860:4860::8844
 #nameserver 8.8.8.8
-nameserver 8.8.4.4
+#nameserver 8.8.4.4
+#nameserver 2620:0:ccc::2
+#nameserver 2620:0:ccd::2
+nameserver 208.67.222.222
+#nameserver 208.67.220.220
+options edns 0
 search mikaela.info
diff --git a/etc/systemd/system/dnscrypt-proxy.service b/etc/systemd/system/dnscrypt-proxy.service
new file mode 100644
index 00000000..023f57c6
--- /dev/null
+++ b/etc/systemd/system/dnscrypt-proxy.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=A tool for securing communications between a client and a DNS resolver.
+After=network.target
+# Only needed if you use pdnsd, other caching DNS servers can go here. Could be ignored too.
+Before=pdnsd.service
+
+[Service]
+EnvironmentFile=/etc/conf.d/dnscrypt-proxy
+ExecStart=/usr/bin/dnscrypt-proxy \
+ --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
+ --resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
+ --provider-name=${DNSCRYPT_PROVIDER_NAME} \
+ --provider-key=${DNSCRYPT_PROVIDER_KEY} \
+ --user=${DNSCRYPT_USER} \
+ --edns-payload-size=4096
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
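Review bot: The new etc/resolv.conf does not point at the pdnsd/dnscrypt chain and keeps plaintext fallbacks. pdnsd is configured with `server_ip = 127.0.0.1`, but the only local entry here is `nameserver ::1`, followed by `nameserver 2001:4860:4860::8888` and `nameserver 208.67.222.222`. Unless another resolver not shown in this patch answers on ::1, the stub resolver will fall through to the public servers unencrypted, and even with a working local resolver any outage falls back to plaintext without notice. If the intent is encrypted DNS only, the active list should reduce to `nameserver 127.0.0.1`. Separately, `options edns 0` looks like a typo for the glibc option `options edns0`; with the space it is probably read as two unknown options and ignored.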
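Review bot: `Restart=on-abort` in the `[Service]` section only restarts the proxy after an unclean signal, so an ordinary non-zero exit leaves it down until someone notices; `After=network.target` does not wait for connectivity, so an early start-up failure is plausible. `Restart=on-failure` covers both cases. The process also starts as root to bind port 53 before `--user` takes effect, and the unit applies no sandboxing; consider adding `NoNewPrivileges=true` and `PrivateTmp=true`, after confirming they do not interfere with the privilege drop.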