Running DNSCrypt and DNSSEC (using Debian testing repositories)

After reading this topic:

I’ve found a method to install DNSCrypt on the RPI using the latest dnsmasq version from the testing repositories (from Debian).

Keep in mind that this install method is no longer using the stable repositories from Jessie!

Another method to install the latest dnsmasq version is described here:

RPI – unattended upgrade (using Debian testing repositories):

Create an upgrade.sh file:

sudo nano upgrade.sh

And paste the following content:


#!/bin/bash
# Remove any third party sources
rm -rf /etc/apt/sources.list.d/*
# Change the repo's
sed -i -e 's/jessie/testing/g' /etc/apt/sources.list
# Update package lists
apt-get update
# UPGRADE ALL THE THINGS!!!
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" dist-upgrade
# Remove no longer needed packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" autoremove --purge
# FINISH HIM
reboot


Start unattended upgrading to Testing with the following command:

sudo bash ./upgrade.sh

For future upgrade(s) run sudo bash ./upgrade.sh each time!

Install the latest dnsmasq version:

sudo apt-get install -y dnsmasq

Version check:

dnsmasq -v

Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

Before installing DNSCrypt you could install pi-hole (optional) with the following command:

curl -sSL https://install.pi-hole.net | bash

DNSCrypt on Pi-hole:

Follow these steps to install and enable DNSCrypt on your Pihole installation.
Read more about DNSCrypt here: https://dnscrypt.org/

Please note that your Pihole will stop working during the installation so keep that in mind if there are other users on your network using the Pihole.

At the time of writing the latest version dnscrypt-proxy is 1.9.4 but that may change, please edit the commands according to version.

Please note, I take no responsibility for any breakage or corruption of your Pihole installation when following this guide.

Install necessary system packages and reboot

sudo apt-get update
sudo apt-get -y install build-essential tcpdump dnsutils libsodium-dev
sudo apt-get -y install locate bash-completion
sudo reboot

Build DNSCrypt from the sources

mkdir -p dnsproxy
cd dnsproxy
wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.9.4.tar.gz
tar -xf dnscrypt-proxy-1.9.4.tar.gz
cd dnscrypt-proxy-1.9.4
sudo ldconfig
./configure
make
sudo make install

Configure the system

Starts DNSProxy in daemon mode automatically

sudo nano /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
sudo nano /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy-backup.service (if adding a second resolver)

And paste this content:

[Unit]
Description=Secure connection between your computer and DNS resolver
After=network.target network-online.target

[Service]
Type=forking
Restart=always
RestartSec=5
PIDFile=/var/run/dnscrypt-proxy.pid
ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \
  -a 127.0.0.2:40 \
  -R dnscrypt.eu-nl \
  -E \
  --edns-payload-size=4096 \
  -p /var/run/dnscrypt-proxy.pid

[Install]
WantedBy=multi-user.target

Change the -a flag to 127.0.0.3:40 and use a different resolver on the backup.
You may choose another resolver(s) from the following link:

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

Note: The reason why we're assigning the IPs 127.0.0.2 and 127.0.0.3 is so that we can have a better overview in the Forward Destinations chart inside the dashboard.

Then reboot the RPI:

sudo reboot

Change DNS resolver in DNSMasq config

sudo nano /etc/dnsmasq.d/01-pihole.conf

Edit this section and point to dnscrypt-proxy:

# Add other name servers here, with domain specs if they are for
# non-public domains.
server=127.0.0.2#40
server=127.0.0.3#40 (if adding a second resolver)

Reboot your Pihole:
sudo reboot

Change the setupvars.conf

Change the following variables to customize your dnscrypt proxy services:

sudo nano /etc/pihole/setupVars.conf

to

PIHOLE_DNS_1=127.0.0.2#40
PIHOLE_DNS_2=127.0.0.3#40

Reboot your Pihole:
sudo reboot

Test if DNSSec is working:

http://dnssec.vs.uni-due.de/

Test DNSSec from a command line interface:

https://security.stackexchange.com/questions/20597/how-to-test-the-validity-of-dnssec-from-a-command-line-interface

Output of the dig command:

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for eu. with DNSKEY:61045: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 61045
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Test if DNSCrypt is working:

sudo journalctl -u dnscrypt-proxy -f
sudo journalctl -u dnscrypt-proxy-backup -f (to test backup resolver)

Output:

-- Logs begin at Thu 2016-11-03 18:16:42 CET. --
Feb 05 09:44:21 raspberrypi dnscrypt-proxy[527]: Chosen certificate #808464433 is valid from [2016-09-08] to [2017-09-08]
Feb 05 09:44:21 raspberrypi dnscrypt-proxy[527]: The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Feb 05 09:44:21 raspberrypi dnscrypt-proxy[527]: Server key fingerprint is 72DF:BE14:531F:F2AD:FD0F:BC8B:F711:B93D:799F:E4D0:34EC:D26B:8BF9:FFA9:32E7:2B79
Feb 05 09:44:21 raspberrypi dnscrypt-proxy[527]: Proxying from 127.0.0.2:40 to 176.56.237.171:443
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: Refetching server certificates
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: Server certificate with serial '0001' received
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: This certificate is valid
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: Chosen certificate #808464433 is valid from [2016-09-08] to [2017-09-08]
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Feb 05 10:45:30 raspberrypi dnscrypt-proxy[527]: Server key fingerprint is 72DF:BE14:531F:F2AD:FD0F:BC8B:F711:B93D:799F:E4D0:34EC:D26B:8BF9:FFA9:32E7:2B79

For further checks you can run:

sudo tail -f /var/log/syslog

Source - Raspberry Pi unattended upgrade Raspbian to Debian Testing:

https://raymii.org/s/blog/Raspberry_Pi_Raspbian_Unattended_Upgrade_Jessie_to_Testing.html

The procedure is performed with a fresh installation of raspbian (using raspbian Jessie lite)

I don't want to question the instructions above; these are the first DNSCrypt/DNSSEC comments on this forum that contribute to problem solving. I will however list some thoughts and findings that I've discovered while trying to get things to work. I also don't pretend to be a Linux guru; everything I found comes from Google, thus I may even make some invalid points, correct me if I'm wrong.

  • I don't like running all testing (stretch) packages. I already researched a solution to upgrade dnsmasq only, read this topic. This will allow you to run current packages, apart from dnsmasq.
  • I explained here, why I moved away from dnscrypt-loader, and use dnscrypt-proxy.
  • I edited the entry a few times, and updated the rar file, containing a configuration example.
  • I also added a remark to eliminate a warning dnscrypt-proxy gave (random numbers)
  • I tried to get responses from other users in this, this, this and this topic (maybe even some more), unfortunately the responses only inspired me to continue looking
  • I researched the chicken or the egg problem explained in the dnsmasq man pages (search for --dnssec-no-timecheck), and listed a solution (for those users that are interested) here

Despite my efforts, I still cannot get valid results, using dnscrypt-proxy and DNSSEC. I get a lot of INSECURE validations, some ABANDONED, some BOGUS and a few SECURE.
So I decided to contact the developer of dnsmasq (mail only) and the developer of dnscrypt (issue on github). These guys have been very helpful, unfortunately I'm still no closer to a result, even though the dnsmasq developer stated, in one of his replies:

I can see how the dnsmasq validation routines would react badly to an upstream server which sometimes just closed the connection in TCP mode: that's probably the cause of the ABANDONED message.

The investigation continues...

Some questions:
I noticed you added a lot of parameters to the service file(s), and have no socket file(s). Compared to my configuration (I just followed the instructions from the wiki), I have one service file and multiple socket files. I also noticed my configuration instructs dnscrypt-proxy to NOT run as root; I cannot find this in your configuration. Could you please explain these questions?

Again, I'm NOT a Linux guru, just trying to get a stable working dnscrypt-proxy/DNSSEC enabled pihole running.

I've posted the above procedure also on Tweakers.net (you're familiar with it ;) )
After reading your reply regarding upgrading dnsmasq I've managed to do so!

User(s) are able to install the same procedure using the stable repositories from Debian.
If needed I'm willing to write this out (for other users) with some more information...

I was not aware of all the comments you've been posting on pi-hole forum in the past.
Regarding DNSCrypt I've found some comments on openwrt:

https://wiki.openwrt.org/inbox/dnscrypt

/pool.ntp.org/208.67.222.222 adds an exception for pool.ntp.org, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time, otherwise it will not resolve any domain, including pool.ntp.org. So if your device's time was incorrect, it could never update its time, and therefore DNSCrypt would never work.

After a fresh install I'm setting the Raspberry Pi system clock with the following command:

sudo raspi-config

select option 4 - Internationalisation Options
Then select option I2 - Change Timezone

Select the country and city according to your needs.

I'm not sure if changing the time zone would avoid your time synchronisation problem(s).

Regarding your comments about not seeing the message 'DNS Security Extensions are supported' =>

sudo systemctl status -l dnscrypt-proxy

Results:

pi@raspberrypi:~ $ sudo systemctl status -l dnscrypt-proxy
● dnscrypt-proxy.service - Secure connection between your computer and DNS resolver
Loaded: loaded (/etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service; bad; vendor preset: enabled)
Active: active (running) since Sun 2017-02-05 16:25:11 CET; 9min ago
Process: 452 ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize -a 127.0.0.2:40 -R dnscrypt.eu-nl -E --edns-payload-size=4096 -p /var/run/dnscrypt-proxy.pid
Main PID: 679 (dnscrypt-proxy)
CGroup: /system.slice/dnscrypt-proxy.service
└─679 /usr/local/sbin/dnscrypt-proxy --daemonize -a 127.0.0.2:40 -R dnscrypt.eu-nl -E --edns-payload-size=4096 -p /var/run/dnscrypt-proxy.pid

Feb 05 16:25:11 raspberrypi dnscrypt-proxy[452]: Sun Feb 5 16:25:11 2017 [INFO] + DNS Security Extensions are supported
Feb 05 16:25:11 raspberrypi dnscrypt-proxy[452]: Sun Feb 5 16:25:11 2017 [INFO] + Provider supposedly doesn't keep logs
Feb 05 16:25:11 raspberrypi dnscrypt-proxy[679]: Ephemeral keys enabled - generating a new seed
Feb 05 16:25:11 raspberrypi dnscrypt-proxy[679]: Done
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: Server certificate with serial '0001' received
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: This certificate is valid
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: Chosen certificate #808464433 is valid from [2016-09-08] to [2017-09-08]
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: Server key fingerprint is 72DF:BE14:531F:F2AD:FD0F:BC8B:F711:B93D:799F:E4D0:34EC:D26B:8BF9:FFA9:32E7:2B79
Feb 05 16:25:16 raspberrypi dnscrypt-proxy[679]: Proxying from 127.0.0.2:40 to 176.56.237.171:443

Using dnscrypt.eu-nl I'm receiving the message DNS Security Extensions are supported.
Currently I'm not using the DNSSec option via the admin console.

Overall, I'm not a (Linux and DNSSEC) expert either!
Hopefully you're able to get a working dnscrypt-proxy/DNSSEC setup with my comments.

Again, before I type my remarks, I appreciate your effort to get to a working system, I'm NOT a linux guru, I just google and ask questions to whoever I can...

I posted your configuration as a comment / question to the developer here, with some questions, regarding it. I like multiple answers (preferably the same) to solve a problem, as it is more reassuring.

  • The time issue, I use NTP, configured as explained here, section 4.12. As I explained here, it takes my pi 15 minutes to synchronize time after a reboot, the solution (ntpcheck.sh, combined with the cron job and the dnsmasq option dnssec-no-timecheck) is the only thing that is reliable so far.
  • If I understand you right, you are currently running one proxy (dnscrypt.eu-nl). I'm asking this, as it looks to me you would run into a possible problem when simply duplicating your configuration for the backup resolver.
    First of all, according to this, there is NO SUCH THING as a backup resolver. The main page of pihole (graph forward destinations) proves them right.
    Secondly, duplicating the configuration would overwrite (due to the setting -p /var/run/dnscrypt-proxy.pid) the pid file. Since I don't have this file, I cannot verify it, maybe I simply don't understand how this works.
  • In this topic (github), first entry, I list the output of the command sudo systemctl status -l dnscrypt-proxy@* (works for my configuration, using a service file and four socket files) In that listing, there is only one (of four) proxies that reports to be DNSSEC enabled (I've highlighted that line). I cannot even replicate this, running the command shows none of the proxies provide this message (doesn't mean they aren't DNSSEC enabled, dnscrypt-resolvers.csv says they are - this is one of the questions I asked the dnscrypt developer).
  • Are you not using DNSSEC, or simply not using the settings page of pihole (I never do)?
    If you're NOT using DNSSEC, you can't help me; this is the core of my inquiries. If you do use DNSSEC, please count the number of SECURE, INSECURE, ABANDONED and BOGUS entries (notepad++ can help you here, it has a count button on the search dialog). Please count the entries of the previous day (pihole.log.1)

You haven't explained what all the settings in your configuration are doing and what you try to achieve with them.
Does your configuration allow for more than 2 proxies?

I'll show you the content of the following two files I'm currently using:

sudo nano /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service

[Unit]
Description=Secure connection between your computer and DNS resolver
After=network.target network-online.target

[Service]
Type=forking
Restart=always
RestartSec=5
PIDFile=/var/run/dnscrypt-proxy.pid
ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \
  -a 127.0.0.2:40 \
  -R dnscrypt.eu-nl \
  -E \
  --edns-payload-size=4096 \
  -p /var/run/dnscrypt-proxy.pid

[Install]
WantedBy=multi-user.target

sudo nano /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy-backup.service

[Unit]
Description=Secure connection between your computer and DNS resolver
After=network.target network-online.target

[Service]
Type=forking
Restart=always
RestartSec=5
PIDFile=/var/run/dnscrypt-proxy.pid
ExecStart=/usr/local/sbin/dnscrypt-proxy --daemonize \
  -a 127.0.0.3:40 \
  -R d0wn-nl-ns1 \
  -E \
  --edns-payload-size=4096 \
  -p /var/run/dnscrypt-proxy.pid

[Install]
WantedBy=multi-user.target

Both resolvers support DNSSec and No logs.

When using www.dnsleaktest.com most of the time dnscrypt.eu-nl is showing (and sometimes d0wn-nl-ns1)

Using a second resolver could be handy in case one of the resolvers is offline.
In this case a 'backup' resolver could be handy...

Comments regarding DNSSEC:
I'm not using the settings/admin page of pihole.

By choosing a resolver that supports DNSSEC you should be able to use it.
Furthermore, when testing the DNSSEC validation I'm using the following sites:

http://dnssec.vs.uni-due.de/

Another test validation is using the following commandline:

dig sigok.verteiltesysteme.net @127.0.0.1 (should return A record)
dig sigfail.verteiltesysteme.net @127.0.0.1 (should return SERVFAIL)

http://en.conn.internet.nl/connection/

In my case all the validations passed!

Just examined the pihole.log.1 file with notepad++.
Results:

SECURE : 161
INSECURE: 0
ABANDONED: 0
BOGUS: 0

Seems my configuration does not allow more than two proxies.
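The sigok/sigfail check above (and the DNSSEC test in the opening post) is easy to misread by eye, so here is an added shell script, not from either poster, that evaluates both dig replies and prints a verdict. The two dig outputs it embeds are constructed samples in dig's text format so the logic runs offline, and the function names header_status, has_ad_flag, answer_a_count and dnssec_verdict are my own; the live command at the end is left commented out.

```shell
#!/bin/sh
# Evaluate the sigok/sigfail DNSSEC test from dig output. Expected behaviour of a
# validating resolver (dnsmasq with dnssec enabled): sigok answers NOERROR with an
# A record, sigfail answers SERVFAIL. The two outputs below are constructed
# samples (not real captures) so the functions can be exercised offline.

SIGOK_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN   A   192.0.2.10

;; Query time: 65 msec
EOF
)

SIGFAIL_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 61 msec
EOF
)

# header_status DIGOUT -> the RCODE on the ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, ...)
header_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# has_ad_flag DIGOUT -> succeeds when the AD (authenticated data) bit is set,
# i.e. the resolver itself validated the answer instead of merely forwarding it
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# answer_a_count DIGOUT -> number of A records in the ANSWER section
answer_a_count() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { s = 1; next }
                                /^$/ { s = 0 }  s && $4 == "A" { n++ }
                                END { print n + 0 }'
}

# dnssec_verdict OK_OUT FAIL_OUT -> "PASS (AD set)" or "PASS (AD not set)" when the
# resolver accepted the good signature and rejected the broken one; otherwise
# "FAIL: <reason>" with exit status 1. A NOERROR for sigfail is the important
# failure: it means answers are passed through without any DNSSEC checking.
dnssec_verdict() {
    ok_status=$(header_status "$1")
    fail_status=$(header_status "$2")
    if [ "$ok_status" != "NOERROR" ]; then
        echo "FAIL: sigok status $ok_status"; return 1
    fi
    if [ "$(answer_a_count "$1")" -lt 1 ]; then
        echo "FAIL: sigok returned no A record"; return 1
    fi
    if [ "$fail_status" != "SERVFAIL" ]; then
        echo "FAIL: sigfail status $fail_status, resolver is not validating"; return 1
    fi
    if has_ad_flag "$1"; then echo "PASS (AD set)"; else echo "PASS (AD not set)"; fi
}

dnssec_verdict "$SIGOK_SAMPLE" "$SIGFAIL_SAMPLE"
# Live check against the Pi-hole resolver (needs network, not run here):
# dnssec_verdict "$(dig sigok.verteiltesysteme.net @127.0.0.1)" \
#                "$(dig sigfail.verteiltesysteme.net @127.0.0.1)"
```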

You may have noticed the developer of dnscrypt-proxy has replied, you can find his reply here. This means the developer prefers your configuration! So I followed his instructions (and replied). The result: still ABANDONED validations.

I received your reply a little later, so again, I reconfigured, just copy/pasted your dnscrypt.eu-nl configuration, changed absolutely nothing. The IP already matched the IP and port I used before. The result: still ABANDONED validations.

I'm completely lost now, the only difference I noticed between your and my configuration now is:

  • You create the file in /etc/systemd/system/multi-user.target.wants/
  • I create the file in /lib/systemd/system.
    When I enable the proxy, a symbolic link is created in /etc/systemd/system/multi-user.target.wants/

The dig commands produce the output you described.

Could you please tell me what version of Raspbian Jessie Lite you are using? I'm using the latest (January 2017), but I have an older one available (November 2016). I think, as a last resort, I will set up the system from scratch.

I assume you did run sudo apt-get update, and everything is OK?

Your count(s) imply you never use an insecure (non-DNSSEC) domain. I find this hard to believe (but given your results WHO AM I to doubt your words). I just think, the way notepad++ works, searching and counting SECURE also matches INSECURE; I did search for "is SECURE" or check the option "match whole word only". Of course I may be wrong, I assume INSECURE means the domain simply doesn't have DNSSEC records.

Did you visit https://www.raspberrypi.org, that's the domain I get the ABANDONED messages from (not limited to, but I use it as a test)

Thank you for your time and effort.

Edit: what model of raspberry pi are you using?
Are you running any other packages?
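As an added example (not from either poster), a shell script that counts the four dnsmasq validation outcomes with the status word anchored at the end of the line, which avoids the SECURE/INSECURE over-counting discussed above. The log lines it embeds are constructed in dnsmasq's "validation result is STATUS" format, and count_status, naive_count and summarize are my own function names.

```shell
#!/bin/sh
# Count dnsmasq DNSSEC validation outcomes in a Pi-hole log. The result word is
# anchored at end of line, so "SECURE" is never counted inside "INSECURE".
# The log lines below are constructed samples (not a real capture); for real
# data feed in /var/log/pihole.log or pihole.log.1 as shown at the end.

SAMPLE_LOG=$(cat <<'EOF'
Feb  7 21:06:26 dnsmasq[1988]: query[A] www.example.net from 192.168.1.1
Feb  7 21:06:26 dnsmasq[1988]: forwarded www.example.net to 127.0.0.2
Feb  7 21:06:26 dnsmasq[1988]: validation result is SECURE
Feb  7 21:06:27 dnsmasq[1988]: validation result is INSECURE
Feb  7 21:06:28 dnsmasq[1988]: validation result is SECURE
Feb  7 21:06:29 dnsmasq[1988]: validation result is ABANDONED
Feb  7 21:06:30 dnsmasq[1988]: validation result is BOGUS
Feb  7 21:06:31 dnsmasq[1988]: validation result is INSECURE
Feb  7 21:06:32 dnsmasq[1988]: reply www.example.net is 192.0.2.7
EOF
)

# count_status LOGTEXT STATUS -> validation lines whose result is exactly STATUS
# ("|| true" keeps the function's exit status 0 when the count is zero)
count_status() {
    printf '%s\n' "$1" | grep -c -E "dnsmasq\[[0-9]+\]: validation .* is $2\$" || true
}

# naive_count LOGTEXT WORD -> plain substring hits, the number a search box
# reports without "match whole word only"; SECURE comes out inflated by INSECURE
naive_count() {
    printf '%s\n' "$1" | grep -c "$2" || true
}

# summarize LOGTEXT -> one "STATUS count" line per outcome. INSECURE only means
# the zone is unsigned; BOGUS (signature check failed) and ABANDONED (validation
# could not be completed upstream) are the entries worth investigating.
summarize() {
    for s in SECURE INSECURE ABANDONED BOGUS; do
        printf '%s %s\n' "$s" "$(count_status "$1" "$s")"
    done
}

summarize "$SAMPLE_LOG"
# Previous day's real log (not run here): summarize "$(cat /var/log/pihole.log.1)"
```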

Log file pi-hole (when visiting https://www.raspberrypi.org):

Feb 7 21:06:26 dnsmasq[1988]: query[A] www.raspberrypi.org from 192.168.1.1
Feb 7 21:06:26 dnsmasq[1988]: cached www.raspberrypi.org is
Feb 7 21:06:26 dnsmasq[1988]: forwarded www.raspberrypi.org to 127.0.0.3
Feb 7 21:06:26 dnsmasq[1988]: forwarded www.raspberrypi.org to 127.0.0.2
Feb 7 21:06:26 dnsmasq[1988]: reply www.raspberrypi.org is
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 93.93.130.39
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 93.93.128.133
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 93.93.130.104
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 93.93.130.214
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 93.93.128.230
Feb 7 21:06:26 dnsmasq[1988]: reply lb.raspberrypi.org is 46.235.227.11

Currently using a Raspberry Pi 3 Model B
OS: Raspbian Jessie Lite - 2017-01-11

After a fresh install, first upgrade to dnsmasq 2.76-5 (stretch method).
Then install Pi-hole followed by DNSCrypt.

I'm not running any other packages.

Post changed!

Insert: Change DNS resolver in DNSMasq config

Apologies for the inconvenience...

In the mean time, the developer of dnscrypt has added a comment here, changed the title of the issue and closed it. The title of the issue is now: When local DNSSEC validation is enabled, dnsmasq 2.77 sends multiple queries on the same TCP connection which is incompatible with DNSCrypt, e.g. this may be a problem.
The developer of dnsmasq has:

  • confirmed dnsmasq 2.77 exists, is out there, but <quote> the point is moot, since there are no changes in the relevant areas since 2.76 </quote>.
  • stated, as a response to the title change: <quote> Well, that statement may well be true, the first part, about dnsmasq, is, the second part, about dnscrypt, I'd expect to be true also, given its source </quote>.
  • a solution may be coming: <quote> I'm happy to look at making dnsmasq more flexible in this regard </quote>

I've been busy with the following:

  • installed a fresh copy of Raspbian Jessie Lite - version February 2017
  • upgraded dnsmasq to 2.76-5 (stretch method).
  • installed dnscrypt 1.9.4, I used the systemd / socket setup (I definitely want more than 2 resolvers)
  • I then simply copied the dnsmasq configuration files, the result of a full pihole configuration (yes I have a backup), into /etc/dnsmasq.d (I didn't install pihole, the result however is the same, apart from the fact you don't have a fancy web interface).
  • I changed the resolver of one of my workstations (running this setup on a different pi) to use the new setup as the resolver. Although initially it looked great (the log is identical to what a full pihole installation would generate), after a while everything responded the same way as the full pihole install did.

I'm starting to wonder:

  • Is my provider (telenet.be) messing with the requests to dnscrypt servers (it's encrypted - port 443, but the destination IP address is visible)?
  • There aren't any dnscrypt servers in my country, so I use the geographically closest possible. Is the response time too slow?
    dig @127.10.10.1 -p 5551 +dnssec www.raspberrypi.org (which is dnscrypt.org-fr) results in:
    ;; Query time: 65 msec.
    All other dnscrypt resolvers have a similar response time, from 57 msec to 67 msec

to be continued...

<edit>this problem has a solution, you can find the solution here.</edit>

Sorry for the lame question in advance.
When using dnscrypt does it disable the web interface?

No, it shouldn't. They're two separate things.


Dnsmasq 2.77-2 migrated to Debian testing... would this work?

https://tracker.debian.org/news/848684