
    DNSCrypt for pfsense 2.3 :)

DHCP and DNS
• mindframe

I just wanted to point out that using sudo is unnecessary. Also, it's a good idea to add --user=_dnscrypt-proxy to the command.

• softballs

How could one verify that it is actually working?

• bentonhall

@softballs:

How could one verify that it is actually working?

From a client, run this command:

dig -t txt debug.opendns.com @routeripaddress

From the pfSense router itself, run this command:

dig -p 40 -t txt debug.opendns.com @127.0.0.1

If it's working, you will see this in the ANSWER SECTION:

debug.opendns.com.      0      IN      TXT    "dnscrypt enabled (123456789)"

EDIT: If you are using cisco (opendns) as your resolver…..

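Added example (not from the thread): a small POSIX shell helper that takes the output of the dig command above and reports whether the ANSWER SECTION carries the OpenDNS "dnscrypt enabled" TXT record, so the check can be scripted instead of read by eye. The function names, the two sample dig replies and the server id in them are constructed; the local port 40 is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a dig reply for
# debug.opendns.com by looking for the "dnscrypt enabled" TXT record
# in its ANSWER SECTION.

# dnscrypt_status OUTPUT
#   Prints "enabled", "disabled" or "noanswer"; returns 0 only when enabled.
dnscrypt_status() {
    # Keep only the lines between ";; ANSWER SECTION:" and the next ";;" header.
    answer=$(printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ {f=1; next} /^;;/ {f=0} f')
    if [ -z "$answer" ]; then
        echo noanswer
        return 2
    fi
    if printf '%s\n' "$answer" | grep -q 'IN[[:space:]]*TXT[[:space:]]*"dnscrypt enabled'; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# dnscrypt_live_check RESOLVER PORT
#   Runs the query from the post against a real resolver (needs network access).
#   From pfSense itself use 127.0.0.1 and the dnscrypt-proxy port (40 in the post).
dnscrypt_live_check() {
    dnscrypt_status "$(dig -p "$2" -t txt debug.opendns.com "@$1" 2>/dev/null)"
}

# Constructed sample of a reply that went through dnscrypt-proxy (id is made up).
SAMPLE_OK=';; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (123456789)"

;; Query time: 12 msec'

# Constructed sample of a plain (non-DNSCrypt) reply from OpenDNS.
SAMPLE_PLAIN=';; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 1.example"

;; Query time: 12 msec'

dnscrypt_status "$SAMPLE_OK"            # enabled
dnscrypt_status "$SAMPLE_PLAIN" || :    # disabled (exit status 1)
dnscrypt_status "" || :                 # noanswer (exit status 2)
```

Run `dnscrypt_live_check 127.0.0.1 40` on the router to test the running proxy, or `dnscrypt_live_check <router-ip> 53` from a LAN client once the forwarder points at the proxy.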
• johnpoz (LAYER 8 Global Moderator)

Wow - posting up to install an opnsense package.. Talk about bad netiquette..

Sorry I wouldn't touch that with your d_ck ;) is the phrase that comes to mind..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

• Alex Atkin UK

Well, the Snoopers Charter just passed in the UK so I think demand for official support is about to skyrocket.

• jimp (Rebel Alliance Developer, Netgate)

Use a VPN. Even the dnscrypt site says that it isn't enough to hide what is being requested.

Direct from https://dnscrypt.org/

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks websites host names in plain text, rendering DNSCrypt useless as a way to hide this information.

I still don't get its appeal, given its limitations. It's DNSSEC made over for resolvers that want to deliberately alter records and break end-to-end trust (like OpenDNS). It isn't for privacy.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

• johnpoz

"I still don't get its appeal"

Because it's a buzzword that users think they need because they heard words like privacy, etc.. Prob 99% of them have no real clue what it does or how DNS works anyway.. But my god they run to a site that tells them they have a "dns leak". Oh My F'ing gawd the black helicopters are coming, the black helicopters are coming ;) rofl…

If you're so worried about privacy.. Maybe not use that company discount card when you buy your groceries or your condoms.. Sure as hell wouldn't use a CC.. Better be cash, and you should prob be wearing something to hide your face from the facial recognition cameras - you prob passed 20 of them walking through the store ;)

There is concern for info that doesn't need to be made public, there is understanding the technology you use, and then there is just tinfoil hat crazy ;) Do you have your RFID blocking wallet? You have tape over the camera on your laptop, right? What about your phone, your tablet? You don't care the NSA is watching while you surf your porn - but you're worried about someone sniffing your DNS queries between you and the DNS you're using dnscrypt to? ;) What about the fact that OpenDNS knows everything you're doing queries for?? Everything!! From a privacy concern don't you think it better to resolve vs forward.. If you forward you're just handing someone every query you ever make. If you resolve, they really have to be watching all your traffic because you're going to be talking to NS all over the globe.. Which do you think is easier to use and get info with? ;)

• chrcoluk

Regardless of whether people think it's pointless, I am scratching my head as to why there is no dnscrypt package on pfsense.

The 2.2 thread suggests it used to be supported as someone posted a command to install it via pkg.

VPNs have too much of a performance hit, dnscrypt is a nice middle ground.

pfSense CE 2.8.1

• johnpoz

The pkg linked to was an opnsense package. A fork of pfsense that has had some heated discussions, let's say. That the OP linked to a package of theirs on a pfsense forum is pure douchebaggery..

• CS

Some thoughts:

• As chrcoluk mentioned, VPN will impact performance, so I would also prefer a DNSCrypt package for pfSense.

• I disagree with johnpoz because there are several DNSCrypt resolvers out there that can be used as proxies, and anybody could also host his/her own DNSCrypt server. You don't have to trust OpenDNS for all your DNS traffic; that would definitely be a bad idea from a privacy point of view.

• I also disagree with jimp in regards to the analogy with TLS. It's true that DNSCrypt cannot encrypt the address/hostname of the server, but the actual content (request and response) is encrypted, and that's a big difference. DNSSEC had nothing to do with privacy, but DNSCrypt definitely does.

• jimp

You did not understand what I said. DNSCrypt encrypts the contents of the DNS request/reply but your request to the web server will send the hostname in plain text in the request and the host is also visible in the certificate exchange. Read the text on their page, it isn't talking about their protocol but HTTPS and TLS in general.

Without a VPN, your request can be sniffed enough to tell where you're going even if it's not an exact full URL or page contents. You must use a VPN to hide that from your ISP or anyone intercepting your line.

If you think DNSCrypt without a VPN is doing anything for privacy you don't understand the limits/flaws of all the other protocols in play.

Use a VPN, don't bother with dnscrypt, you'll be better off. Or use both if you want, but the VPN part is non-negotiable if you want privacy. And of course the VPN has to be one with privacy-compatible policies and regulations.

• johnpoz

^ exactly!!

So what is the point of dnscrypt exactly?? All it does is validate that you're talking to the NS you were hoping to talk to.. It's not actually hiding where you're going or what you're asking for. Well, it does hide what you're asking when you ask.. But then when you actually go there.. As jimp points out it's in the TLS exchange, and to be honest they could still see what IPs and protocols you're talking to, etc.

To me it's one of those "my tinfoil hat is so tight it's driving me crazy, I have to do something, even if it's not really doing anything".. It keeps my tinfoil hat from itching ;)

"several DNSCrypt resolvers out there that can be used"

So you're saying they don't cache, and actually do a clean resolve every time someone asks.. Or do you get back a cached answer that is outside your control? If so, how is that any freaking different than asking any public DNS?? You do understand at some point a resolver has to be involved!! Be it the NS you asked or something upstream that they asked.. You're missing the point completely on doing your own resolving and DNSSEC.

If your tinfoil hat is itchy.. Use a VPN, and resolve.. Now you're not handing your DNS queries off to any specific place.. And your traffic is encrypted from your ISP, etc. Now you are sending everything through this VPN.. So you trust them more than your ISP.. This is the part I don't get.. How do you think these VPN companies make any money when you get VPN for LIFE for $49 bucks ;) Something is being sold to create a continuous stream of cash.. If you're not giving them cash every month to pay the bills to provide the service they give you, then they are getting it from somewhere else - most likely selling info about what their users do ;)

So I pay company X $ a month to connect me to the internet, I don't trust these guys to not watch what I do.. So I will pay a different company Y $ a month to funnel all my internet traffic through – why do I trust them and not the ISP?? ;) Because they say they don't log??

• CS

Hehehe, that's an interesting thread.
I think we all agree that VPN is better than DNSCrypt for privacy when performance is not a concern. However, as johnpoz also mentioned, you have to trust a VPN provider…and why should you do that? You could also get a cheap VPS, hosted in a certain country and provider, that you can use as an exit point and have a VPN tunnel between your pfsense and that host. An advantage of a VPN provider and disadvantage of this approach is that the provider adds a lot of noise and multiple users use the same exit nodes. That means it's not easy to match individual users with their traffic. If you use your own VPN server and you are the only user using it as an exit node, then at least make sure that the VPN host resides in a country which is not an ally of the country your pfsense resides in. :)

Tor would be a better option for privacy but with certain limitations around usability, stability and performance.

Tor over VPN would be even better, protecting your traffic between you and the Tor entry node...but come on, you are paranoid or a cyber criminal if you really consider this option. :)

• johnpoz

And who says the black helicopter guys are not running their own exit nodes? ;)

• chrcoluk

I am not going to get further tangled into the "is dnscrypt pointless" debate, but for those of us who want to use dnscrypt I have discovered that the FreeBSD dnscrypt package does work out of the box on pfsense, but obviously you have to manually configure it in the shell and manage its init script yourself. So the actual situation is ok for me as I am ok doing stuff in the shell.

• amunrara

Has anybody got a copy of this tutorial somewhere?
Can you post it?

• kcmichaelm

I can also confirm dnscrypt-proxy 1.9.1 does work on pfSense 2.3.2. I don't have time (at this moment) to do a full tutorial, but these are the steps I took.

Since 2.3 took the base FreeBSD pkg repos out, I did not want to muddy up the pfSense install (or compromise security) by adding other repos back in. I also couldn't locate a pre-compiled package for FreeBSD 10.3, therefore:

• I spun up a FreeBSD 10.3 VM with the standard packages (it'll come with dnscrypt-proxy in /usr/ports/dns/dnscrypt-proxy once ports is configured, but that was only 1.6.1 for me)
• Downloaded the source from GitHub for 1.9.1
• Compiled the exec and libraries from source in the VM, tested that it worked properly in the VM
• Moved the exec and the library files over to pfSense, using essentially the directories and config instructions as listed at https://github.com/jedisct1/dnscrypt-proxy/wiki
• Configured dnscrypt-proxy from the command line, got it running and tested from the CLI with dig or similar, to ensure the proxy is running
• Then set up the DNS forwarder in pfSense to point to 127.0.0.1 and your proxy port (this is similar to the instructions in prior versions)

Great success!

I've had a goal for a few years to put together a proposed pfSense package for it. Hopefully I can find the time soon. DNSCrypt is definitely not some magic panacea of security, it serves just one singular purpose in the chain of networking - but if people want to run it, it seems like they should be allowed to.

• johnpoz

"it serves just one singular purpose in the chain of networking"

For those users running in forwarder mode.. It has ZERO purpose when running the resolver on pfsense, which is the out of the box configuration.. So while anyone creating packages for pfsense that work and add function is a good thing, your audience is going to be very small imho..

• chrcoluk

kcmichaelm, your method will of course work, but it is quicker to just download the pre-compiled FreeBSD package.

For pfSense 2.2/2.3 get it from here: http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz
For pfSense 2.4 get it from here: http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz

Note: first browse http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ in the browser to get the latest package name, as the version may change.

Then you can simply install it with the pkg install dnscrypt-proxy-1.9.1_1.txz command.
