CentOS, DNSCrypt and pdnsd · uwot.eu

CentOS, DNSCrypt and pdnsd

· by fabio · Read in about 3 min · (606 Words)
Tags: CentOS, CentOS 7, DNS, DNScrypt, pdnsd, systemd

The DNSCrypt installation process is pretty simple since it is present in the repository; pdnsd, on the other hand, is missing, but luckily compiling it from source is not that hard.
For the sake of completeness I will also cover the procedure to install DNSCrypt from source; alternatively, run “yum install dnscrypt-proxy”.
Install the required dependencies and get the source code:

[root@CentOS ~]# yum install gcc libsodium-devel libtool-ltdl-devel git wget
[root@CentOS ~]# git clone https://github.com/jedisct1/dnscrypt-proxy.git
[root@CentOS ~]# wget http://members.home.nl/p.a.rombouts/pdnsd/releases/pdnsd-1.2.9a-par.tar.gz

.:. pdnsd

Unpack the tarball, then compile and install:

[root@CentOS ~]# tar xzf pdnsd-1.2.9a-par.tar.gz
[root@CentOS ~]# cd pdnsd-1.2.9a
[root@CentOS pdnsd-1.2.9a]# ./configure && make && make install

It is advisable to run pdnsd as its own unprivileged user and to use a configuration file placed in the usual /etc directory.

[root@CentOS pdnsd-1.2.9a]# useradd pdnsd -s /sbin/nologin -d /var/cache/pdnsd
[root@CentOS pdnsd-1.2.9a]# cp doc/pdnsd.conf /etc
[root@CentOS pdnsd-1.2.9a]# vi /etc/pdnsd.conf
---
global {
        perm_cache=16384;
        cache_dir="/var/cache/pdnsd";
        #pid_file = /var/run/pdnsd.pid;
        run_as="pdnsd";
        #server_ip = eth0;  # Use eth0 here if you want to allow other
                            # machines on your network to query pdnsd.
        status_ctl = on;
        #paranoid=on;       # This option reduces the chance of cache poisoning
                            # but may make pdnsd less efficient, unfortunately.
        query_method=udp_tcp;
        min_ttl=15m;       # Retain cached entries at least 15 minutes.
        max_ttl=1w;        # One week.
        timeout=10;        # Global timeout option (10 seconds).
        neg_domain_pol=on;
        udpbufsize=1024;   # Upper limit on the size of UDP messages.

        neg_rrs_pol=on;
        par_queries=2;
}

server {
        label= "dnscrypt-proxy";
        ip = 127.0.0.1;    # The local dnscrypt-proxy instance, not the ISP's resolver.
        port = 40;         # Must match the port in dnscrypt-proxy's --local-address.
        proxy_only=on;     # Do not query any name servers besides the one above,
                           # so every lookup goes through dnscrypt-proxy.
        timeout=4;         # Server timeout; this may be much shorter
                           # than the global timeout option.
        uptest=query;      # Test the server by sending it a DNS query.
        interface=eth0;    # Only used by uptest=if; ignored with uptest=query.
        interval=15m;      # Check every 15 minutes.
        purge_cache=off;   # Keep stale cache entries in case the upstream
                           # DNS servers go offline.
        edns_query=yes;    # Use EDNS for outgoing queries to allow UDP messages
                           # larger than 512 bytes. May cause trouble with some
                           # legacy systems.
#       exclude=.thepiratebay.org,  # If your ISP censors certain names, you may
#               .thepiratebay.se,   # want to exclude them here, and provide an
#               .piratebay.org,     # alternative server section below that will
#               .piratebay.se;      # successfully resolve the names.

}
---

Also create a startup script for systemd; the “After=network.target” directive ensures that the network is up and running before pdnsd tries to start.
If the system on which pdnsd is running has more than one network interface, use “After=sys-subsystem-net-devices-eth0.device” instead, replacing “eth0” with the actual name of the network interface pdnsd will be listening on.

[root@CentOS pdnsd-1.2.9a]# vi /usr/lib/systemd/system/pdnsd.service
---
[Unit]
Description=proxy name server
After=network.target

[Service]
ExecStart=/usr/local/sbin/pdnsd --config-file /etc/pdnsd.conf

[Install]
WantedBy=multi-user.target
---
[root@CentOS pdnsd-1.2.9a]# systemctl enable pdnsd.service

.:. DNSCrypt-proxy

The other component needed is DNSCrypt-proxy; compile and install it:

[root@CentOS pdnsd-1.2.9a]# cd ../dnscrypt-proxy
[root@CentOS dnscrypt-proxy]# ./autogen.sh && ./configure && make && make install

For DNSCrypt-proxy there is no need to create a configuration file; just write a small startup script for systemd to run it at boot:

[root@CentOS dnscrypt-proxy]# vi /usr/lib/systemd/system/dnscrypt-proxy.service
---
[Unit]
Description=DNSCrypt client proxy
Before=pdnsd.service
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
ExecStart=/usr/local/sbin/dnscrypt-proxy --local-address=127.0.0.1:40 --resolver-address=208.67.220.220:443 --provider-name=2.dnscrypt-cert.opendns.com --provider-key=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 --user=nobody
---
[root@CentOS dnscrypt-proxy]# systemctl enable dnscrypt-proxy.service

Instruct the OS to use localhost as its DNS server and open UDP port 53 in iptables for the local network.

[root@CentOS ~]# vi /etc/resolv.conf
---
nameserver 127.0.0.1
---
[root@CentOS ~]# iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 53 -j ACCEPT

pdnsd should now cache DNS requests and queries should be encrypted; to check that everything is working, use the dig or nslookup commands (e.g. dig centos.org @_dns_server_ipaddress).
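Before trusting the live test, it is worth checking that the three files written above actually agree with each other: pdnsd's server block must point at the address dnscrypt-proxy binds, the unit must start dnscrypt-proxy before pdnsd, and resolv.conf must not leave a plaintext path around the chain. The script below is an added example, not part of the post; it runs offline on constructed copies of the snippets, and on a real host you would pass /etc/pdnsd.conf, the unit file and /etc/resolv.conf to check_chain instead.

```shell
#!/bin/sh
# Offline consistency check for the resolv.conf -> pdnsd -> dnscrypt-proxy chain.
# The files below are constructed copies of the snippets in this post, written to a
# temp dir; on a real host pass /etc/pdnsd.conf, the unit file and /etc/resolv.conf.
WORK=$(mktemp -d)
cat > "$WORK/pdnsd.conf" <<'EOF'
server {
        label= "dnscrypt-proxy";
        ip = 127.0.0.1;   # upstream is the local dnscrypt-proxy, not the ISP
        port = 40;
        proxy_only=on;
}
EOF
cat > "$WORK/dnscrypt-proxy.service" <<'EOF'
[Unit]
Before=pdnsd.service
[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy --local-address=127.0.0.1:40 --resolver-address=208.67.220.220:443 --user=nobody
EOF
printf 'nameserver 127.0.0.1\n' > "$WORK/resolv.conf"

# "ip:port" of the first server block pdnsd forwards to (port defaults to 53).
pdnsd_upstream() {
    ip=$(sed -n 's/^[[:space:]]*ip[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n1)
    port=$(sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n1)
    echo "${ip}:${port:-53}"
}
# Address dnscrypt-proxy binds, taken from --local-address in the unit's ExecStart.
dnscrypt_listen() {
    sed -n 's/.*--local-address=\([0-9.]*:[0-9]*\).*/\1/p' "$1" | head -n1
}
# Succeeds only if every nameserver in resolv.conf is loopback: no path for a
# plaintext query to bypass pdnsd and dnscrypt-proxy.
resolv_is_local() {
    ! grep '^nameserver' "$1" | grep -vq '^nameserver[[:space:]]*127\.'
}
# Runs all checks; exit 0 means the three files agree with each other.
check_chain() {
    up=$(pdnsd_upstream "$1"); listen=$(dnscrypt_listen "$2")
    [ "$up" = "$listen" ] || { echo "pdnsd forwards to $up, dnscrypt-proxy listens on $listen"; return 1; }
    grep -q '^Before=.*pdnsd\.service' "$2" || { echo "unit lacks Before=pdnsd.service"; return 1; }
    resolv_is_local "$3" || { echo "resolv.conf names a non-loopback server"; return 1; }
    echo "chain consistent: 127.0.0.1 (pdnsd) -> $listen (dnscrypt-proxy) -> encrypted upstream"
}
check_chain "$WORK/pdnsd.conf" "$WORK/dnscrypt-proxy.service" "$WORK/resolv.conf"
```

A port mismatch between the pdnsd server block and --local-address is the most common reason this setup resolves nothing at all, and the script reports it before any packet is sent.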