Netgate Discussion Forum

    DNSCrypt for pfsense 2.3 :)

    Category: DHCP and DNS
    45 Posts 20 Posters 22.8k Views
      doktornotor (Banned)

        chrcoluk

        I am not going to get further tangled into the "is dnscrypt pointless" debate, but for those of us who want to use dnscrypt, I have discovered that the FreeBSD dnscrypt package does work out of the box on pfSense, but obviously you have to manually configure it in the shell and manage its init script yourself. So the actual situation is OK for me, as I am OK doing stuff in the shell.

        pfSense CE 2.8.1

          amunrara

          Does anybody have a copy of this tutorial somewhere?
          Can you post it?

            kcmichaelm

            I can also confirm dnscrypt-proxy 1.9.1 does work on pfSense 2.3.2. I don't have time (at this moment) to do a full tutorial, but these are the steps I took.

            Since 2.3 took the base FreeBSD pkg repos out, I did not want to muddy up the pfSense install (or compromise security) by adding other repos back in. I also couldn't locate a pre-compiled package for FreeBSD 10.3, therefore:

            • I spun up a FreeBSD 10.3 VM with the standard packages (it'll come with dnscrypt-proxy in /usr/ports/dns/dnscrypt-proxy once ports is configured, but that was only 1.6.1 for me)
            • Downloaded the source from github for 1.9.1
            • Compiled the exec and libraries from source in the VM, tested that it worked properly in the VM
            • Moved the exec and the library files over to pfSense, using essentially the directories and config instructions as listed at https://github.com/jedisct1/dnscrypt-proxy/wiki
            • Configured dnscrypt-proxy from the command line, got it running and tested from the CLI with dig or similar, to ensure the proxy was running
            • Then set up the DNS forwarder in pfSense to point to 127.0.0.1 and your proxy port (this is similar to the instructions in prior versions)

            Great success!

            I've had a goal for a few years to put together a proposed pfSense package for it. Hopefully I can find the time soon. DNSCrypt is definitely not some magic panacea of security, it serves just one singular purpose in the chain of networking - but if people want to run it, it seems like they should be allowed to.

              johnpoz (LAYER 8 Global Moderator)

              "it serves just one singular purpose in the chain of networking"

              For those users running in forwarder mode.. It has ZERO purpose when running the resolver on pfsense, which is the out-of-the-box configuration.. So while anyone creating packages for pfsense that work and add function is a good thing, your audience is going to be very small imho..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                chrcoluk

                kcmichaelm, your method will of course work, but it is quicker to just download the pre-compiled FreeBSD package.

                For pfSense 2.2/2.3 get from here http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz
                For pfSense 2.4 get from here http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz

                Note: first browse http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ in a browser to get the latest package name, as the version may change.

                Then you can simply install it with the command: pkg install dnscrypt-proxy-1.9.1_1.txz

                pfSense CE 2.8.1

                  kcmichaelm

                  chrcoluk - Thank you - yes this is a much easier way. FreeBSD is not my usual distro so I am not at all familiar with pkg - I could not find the direct pkg links for 10.3, only the archive site for V9 and older. I greatly appreciate it.

                  johnpoz - Yes, we're in agreement. This is only for forwarder mode. I do agree the audience is small, too. The number of folks that understand what it does (and the limitations) and know how to use it 'properly' would be small, but in those cases it is an option that is nice to have. Debating whether another option is "better" is mostly vi vs emacs.

                    chrcoluk

                    It is situational use, but there needs to be respect that there are valid reasons for some people to use dnscrypt.

                    E.g. in the UK some ISPs intercept queries even when the queries are for third-party resolvers. They will have a hard time doing that with dnscrypt.

                    pfSense CE 2.8.1

                      amunrara

                      How do you point the DNS forwarder in pfSense to 127.0.0.1?
                      What command?

                        amunrara

                        /usr/local/sbin/dnscrypt-proxy: Undefined symbol "crypto_core_hchacha20"

                        What does this mean?

                          HeatmiserNYC

                          @johnpoz:

                          "it serves just one singular purpose in the chain of networking"

                          For those users running in forwarder mode.. It has ZERO purpose when running resolver on pfsense. Which is the out of box configuration.. So while anyone creating packages for pfsense that work and add function is a good thing.  Your audience is going to be very small imho..

                          Why is this a small audience? Anybody running a pfSense router with a VPN will likely be forwarding requests to an upstream DNS server. That's a pretty common thing.

                            johnpoz (LAYER 8 Global Moderator)

                            "Anybody running a Pfsense router with a VPN will likely be forwarding requests to an upstream DNS server."

                            No.. Out of the box pfsense uses unbound as a resolver - not a forwarder, doesn't matter if you're sending your traffic down a VPN or not. Out of the box you're resolving - not forwarding. Dnscrypt has zero use in resolver mode.

                            As to hiding your DNS queries from your ISP.. Again, to be honest, dnscrypt is pointless if you're using a VPN anyway.. The actual valid use case where dnscrypt is of any use at all is minuscule…

                            "The number of folks that understand what it does (and the limitations)"

                            Completely agree with this statement.. To be honest most of the people that actually want to use it - don't actually know why.. They just hear the term dns leak, and oh my gawd did you hear that.. The black helicopters just went into whisper mode.. Those bastards!!!

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                              chrcoluk

                              john, the same can be said of VPNs though.

                              I don't want my DNS queries intercepted, and I do want to connect to endpoints directly for performance reasons; dnscrypt is the solution in my case.

                              Setting up a VPN just to secure DNS queries is way overkill and has performance implications.

                              pfSense CE 2.8.1

                                derringer66

                                @jimp:

                                You did not understand what I said. DNSCrypt encrypts the contents of the DNS request/reply but your request to the web server will send the hostname in plain text in the request and the host is also visible in the certificate exchange. Read the text on their page, it isn't talking about their protocol but HTTPS and TLS in general.

                                Without a VPN, your request can be sniffed enough to tell where you're going even if it's not an exact full URL or page contents. You must use a VPN to hide that from your ISP or anyone intercepting your line.

                                If you think DNSCrypt without a VPN is doing anything for privacy you don't understand the limits/flaws of all the other protocols in play.

                                Use a VPN, don't bother with dnscrypt, you'll be better off. Or use both if you want, but the VPN part is non-negotiable if you want privacy. And of course the VPN has to be one with privacy-compatible policies and regulations.

                                Jim, you clearly do not see nor understand the real world use cases that DNSCrypt solves for. Take your average American ISP, who actively intercepts and manipulates their customers' DNS traffic in the name of profit (I am one such customer affected by these despicable practices). Encrypting DNS requests and responses completely mitigates their abilities to fiddle with traffic through DNS response manipulation. It has nothing to do with privacy, it has everything to do with preventing traffic manipulation via DNS - you need to comprehend this, because your replies here do nothing to show that you acknowledge the specific problem.

                                I agree that using a VPN is likely the best real world solution for privacy, but from a minimum viable product perspective all that the affected customers of these ISPs need to do (in today's landscape) is route HTTP (TCP/80) over the VPN tunnel. These ISPs run proxy servers to MiTM their customers' HTTP traffic, injecting ads into the plain-text streams (there is clear evidence of this, and it is something that I can personally reproduce 100% of the time if I had to do so). They do not proxy HTTPS. Sure - they can scrape identifiable information from the encrypted streams to identify the hosts that are being requested, but in terms of traffic manipulation all that is needed is DNSCrypt to privatize DNS and a tunnel for plain-text HTTP.

                                There is no need to tunnel HTTPS to combat this specific problem – they do not proxy or manipulate HTTPS traffic. Hopefully you're able to actually see what the problems are that DNSCrypt solves for.

                                  KopiJahe

                                  @amunrara:

                                  /usr/local/sbin/dnscrypt-proxy: Undefined symbol "crypto_core_hchacha20"

                                  what does this means?

                                  You also need the new libsodium; get it from here:

                                  2.2/2.3: http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/libsodium-1.0.11_1.txz
                                  2.4: http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libsodium-1.0.11_1.txz

                                  (I'm following these instructions on how to set up DNSCrypt for my network, adding only "Query DNS servers sequentially" to finally make it work: http://ramirosalas.com/2015/07/installing-dnscrypt-in-pfssense/)

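The install and check steps from kcmichaelm's list, chrcoluk's package links, KopiJahe's libsodium fix and amunrara's question about pointing the forwarder at 127.0.0.1, gathered into one script. This is an added example, not code from the thread or from the dnscrypt-proxy project. It assumes an amd64 pfSense 2.2 to 2.4 box, the package file names posted above (re-check the directory listing before relying on them), a listening port of 5353, a resolver name you choose from dnscrypt-proxy's resolver list (CHANGE_ME is a placeholder), that fetch, pkg, nm and drill are available in the pfSense shell, and that the DNS Forwarder and DNS Resolver "Custom options" boxes accept dnsmasq and unbound configuration lines respectively.

```shell
#!/bin/sh
# Added example, not code from the thread or the dnscrypt-proxy project.
# Installs the FreeBSD dnscrypt-proxy and libsodium packages on pfSense,
# starts the proxy on 127.0.0.1:5353 and checks that it answers.
# Run as root from the pfSense shell:  sh dnscrypt-setup.sh install 2.3.2

PKG_BASE="http://pkg.freebsd.org"
# Package file names as posted in the thread; browse the "latest/All"
# directory first, the version suffix changes over time.
LIBSODIUM_PKG="libsodium-1.0.11_1.txz"
DNSCRYPT_PKG="dnscrypt-proxy-1.9.1_1.txz"
LISTEN_ADDR="127.0.0.1"
LISTEN_PORT="5353"
RESOLVER_NAME="CHANGE_ME"   # placeholder: a name from dnscrypt-resolvers.csv

# Map a pfSense version to the FreeBSD package ABI it is built on
# (2.2/2.3 -> FreeBSD 10, 2.4 -> FreeBSD 11, matching the thread's links).
pkg_abi_for_pfsense() {
    case "$1" in
        2.2*|2.3*) echo "FreeBSD:10:amd64" ;;
        2.4*)      echo "FreeBSD:11:amd64" ;;
        *) echo "unsupported pfSense version: $1" >&2; return 1 ;;
    esac
}

# Full URL of a package file for that ABI.
pkg_url() {
    abi=$(pkg_abi_for_pfsense "$1") || return 1
    echo "$PKG_BASE/$abi/latest/All/$2"
}

# Given the text of 'nm -D /usr/local/lib/libsodium.so', report whether the
# library exports crypto_core_hchacha20, the symbol behind the
# "Undefined symbol" error amunrara hit with an older libsodium.
# (If nm is missing on your install, 'pkg info libsodium' showing 1.0.11 or
# newer is the fallback check.)
libsodium_has_hchacha20() {
    printf '%s\n' "$1" | grep -q '[[:space:]]T[[:space:]]crypto_core_hchacha20$'
}

# Pull the rcode (NOERROR, SERVFAIL, ...) out of drill or dig output;
# drill prints "rcode:", dig prints "status:".
dns_rcode() {
    printf '%s\n' "$1" | sed -n -e 's/.*status: \([A-Z]*\).*/\1/p' \
                               -e 's/.*rcode: \([A-Z]*\).*/\1/p' | head -n 1
}

# Lines for the DNS Forwarder (dnsmasq) "Custom options" box: send every
# query to the local proxy and ignore the resolvers handed out by the ISP.
dnsmasq_forward_options() {
    printf 'server=%s#%s\nno-resolv\n' "$LISTEN_ADDR" "$LISTEN_PORT"
}

# Equivalent for the DNS Resolver (unbound) box when it runs in forwarding
# mode; in its default resolver mode the proxy has no role, as johnpoz says.
unbound_forward_options() {
    printf 'forward-zone:\n    name: "."\n    forward-addr: %s@%s\n' "$LISTEN_ADDR" "$LISTEN_PORT"
}

install_and_start() {
    ver=$1
    for p in "$LIBSODIUM_PKG" "$DNSCRYPT_PKG"; do   # libsodium first: it is the dependency
        fetch -o "/tmp/$p" "$(pkg_url "$ver" "$p")" || return 1
        pkg add "/tmp/$p" || return 1
    done
    libsodium_has_hchacha20 "$(nm -D /usr/local/lib/libsodium.so)" \
        || { echo "libsodium is too old for dnscrypt-proxy 1.9" >&2; return 1; }
    /usr/local/sbin/dnscrypt-proxy --daemonize \
        --local-address="$LISTEN_ADDR:$LISTEN_PORT" --resolver-name="$RESOLVER_NAME" || return 1
    sleep 2
    # 'dig @127.0.0.1 -p 5353 example.com' works the same if you have dig instead
    out=$(drill example.com @"$LISTEN_ADDR" -p "$LISTEN_PORT")
    [ "$(dns_rcode "$out")" = "NOERROR" ] || { echo "proxy not answering" >&2; return 1; }
    echo "proxy is up; paste these lines into the DNS Forwarder custom options:"
    dnsmasq_forward_options
}

# Constructed samples (not captured from a real box) used to exercise the parsers.
NM_NEW="00000000000312c0 T crypto_core_hchacha20
0000000000031300 T crypto_core_hchacha20_inputbytes"
NM_OLD="00000000000313c0 T crypto_core_hsalsa20
0000000000031400 T crypto_core_salsa20"
DRILL_OK=";; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711"
DIG_FAIL=";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712"

case "${1:-}" in
    install) install_and_start "${2:?pfSense version required, e.g. 2.3.2}" ;;
esac
```

With no arguments the script only defines the functions and sample data; "install <version>" does the actual work. The GUI step cannot be scripted from here: paste the printed lines into the DNS Forwarder's custom options (or the unbound lines into the DNS Resolver's box if you forward rather than resolve). The proxy does not come back after a reboot by itself, so chrcoluk's point about managing the init script yourself still applies.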
                                    pfBasic (Banned)

                                    What is the point of encrypting your DNS requests? Just resolve via pfsense and skip the middle man. If you really want to encrypt your DNS requests for tin hat purposes, why? Who do you think you're hiding from?

                                    Don't get me wrong, I'm all for doing crazy hit tin hat things with pfsense just for no reason other than it's neat and you can.

                                    But with DNS resolver and OpenVPN built into pfsense, what use case is there where DNS encryption is viable?

                                      KopiJahe

                                      @pfBasic:

                                      What is the point of encrypting your DNS requests? Just resolve via pfsense and skip the middle man. If you really want to encrypt your DNS requests for tin hat purposes, why? Who do you think you're hiding from?

                                      Don't get me wrong, I'm all for doing crazy hit tin hat things with pfsense just for no reason other than it's neat and you can.

                                      But with DNS resolver and OpenVPN built into pfsense, what use case is there where DNS encryption is viable?

                                      To escape DNS poisoning by my government? I also don't have much money to spare to buy a VPN service for my network…

                                      I just want to be able to browse whatever sites I want at the speed that I paid for. I am not doing it for tin hat reasons.

                                        pfBasic (Banned)

                                        I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
                                        $4/mo gets you VPN.

                                          KopiJahe

                                          @pfBasic:

                                          I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
                                          $4/mo gets you VPN.

                                          The Indonesian government requires the ISPs to use a transparent DNS proxy to filter DNS queries against a list (provided by the government) to many publicly known DNS servers, such as Google's and OpenDNS's and many others that I tested, under something called "Internet Positif". Read this if you want some more context. So, yeah, maybe my government is an exceptionally shitty one in this regard.
                                          I'm not hiding from the state, I'm just bypassing their DNS poisoning.

                                          I was using an OpenWRT-based router to do this, but nowadays the traffic in my network is becoming much larger, and the device I used cannot cope with that…

                                            pfBasic (Banned)

                                            That sucks, man, but I think pfSense still has you covered with Resolver + DNSSEC, doesn't it?

                                            http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html#4

                                            Domain Name System Security Extensions

                                            DNS Security Extensions (DNSSEC) adds security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document, such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information are defined in multiple RFCs.

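pfBasic's suggestion to rely on Resolver + DNSSEC raises the practical question of how to tell that unbound on pfSense is really validating, so here is an added example (not from the thread, pfSense or unbound) that classifies a drill or dig answer by its rcode and AD flag. It assumes the resolver listens on 127.0.0.1 port 53 with DNSSEC enabled and that drill is in the pfSense shell; the sample answers at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or unbound: classify a
# drill/dig answer from the local resolver as secure, insecure or bogus.
# Usage on the box:  sh dnssec-check.sh example.com

# Pull the flags field ("qr rd ra ad") out of drill/dig output.
dns_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: *\([^;]*\);.*/\1/p' | head -n 1
}

# True when the AD (authenticated data) flag is set; a validating resolver
# sets it only after checking the RRSIG chain up to the trust anchor.
dns_has_ad() {
    for f in $(dns_flags "$1"); do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

# Rcode from drill ("rcode:") or dig ("status:") output.
dns_rcode() {
    printf '%s\n' "$1" | sed -n -e 's/.*status: \([A-Z]*\).*/\1/p' \
                               -e 's/.*rcode: \([A-Z]*\).*/\1/p' | head -n 1
}

# Classify an answer:
#   secure   - NOERROR with AD: origin authenticated; a forged answer would have been dropped
#   insecure - NOERROR without AD: unsigned zone, or the resolver is not validating
#   bogus    - SERVFAIL: validation failed (or the resolver is simply down)
dnssec_state() {
    case "$(dns_rcode "$1")" in
        NOERROR)  if dns_has_ad "$1"; then echo secure; else echo insecure; fi ;;
        SERVFAIL) echo bogus ;;
        *)        echo unknown ;;
    esac
}

# Query the local resolver with the DO bit set (-D) and classify the answer.
check_name() {
    dnssec_state "$(drill -D "$1" @127.0.0.1)"
}

# Constructed drill outputs (not captured from a real resolver).
ANS_SECURE=";; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
ANS_INSECURE=";; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"
ANS_BOGUS=";; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 3
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"

[ "${1:-}" = "" ] || check_name "$1"
```

Only "secure" means a forged answer would have been rejected. "insecure" is what you get for the many unsigned zones, where a transparent proxy of the kind KopiJahe describes can still rewrite answers, and it is also what a non-validating resolver returns for everything, so test with a zone you know is signed. The check says nothing about who can read the query: DNSSEC authenticates answers, it does not hide them, which is the gap the dnscrypt users in this thread are after.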
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.