I’ve been at it for quite some time now, running pihole on raspbian jessie lite, build February 2017. I’ve been communicating with the developer of dnscrypt-proxy, the developer of dnsmasq and qpad. After all this work, I wanted to share my findings here.
- Not all dnscrypt-proxy servers are the same; you should find servers that use port 443, support DNSSEC and keep no logs. This isn’t obvious, as the port isn’t always mentioned in dnscrypt-resolvers.csv; some, however, explicitly indicate the use of a different port. In my sample configuration, I’ve enabled dnscrypt logging. You can then verify the name, IP and port used in /var/log/dnscrypt-proxy.log
- Some dnscrypt administrators are lazy: they create certificates that are valid for an extended period of time. From a security point of view, this is something to avoid (isn’t that what we are trying to achieve?). This implies you need to run update_resolvers.sh frequently (see this wiki, it will be referenced later)
- There are different ways to setup dnscrypt-proxy. Qpad has provided a possible (and easy) method here, but it changes your system even more than I will and, as he has indicated here, his configuration doesn’t allow for more than 2 proxies. I understand he has since changed his method to my (less invasive) way to upgrade dnsmasq, but you can forget about this, this version doesn’t work either. I’ve explained here how to get a configuration with four (4) proxies, so I’m not going to repeat it here. Be aware however that I’ve updated the rar file, containing the sample (working) configuration.
All of this (assuming you followed the wiki configuration) will lead to a working dnscrypt-proxy configuration. You can test it by (example for one proxy) running:
dig @127.10.10.1 -p 5551 +dnssec www.raspberrypi.org
Repeat this for all proxies, ensure you get a valid reply.
Notice the message ;; Truncated, retrying in TCP mode. (this may not be the case on your system) on the first line after the dig command you entered.
This warning is the reason why dnsmasq v2.76-5 doesn’t validate DNSSEC records correctly.
The dnscrypt developer indicated: “When local DNSSEC validation is enabled, dnsmasq 2.77 sends multiple queries on the same TCP connection which is incompatible with DNSCrypt”
The dnsmasq developer replied: "Well, that statement may well be true, the first part, about dnsmasq, is; the second part, about dnscrypt, I’d expect to be true also, given its source."
So the developer needed to fix dnsmasq. AND HE DID:
Long story short; I found all of the above, trying to get dig to respond properly to the requests, sending dozens of emails back and forth with the developer. We finally were sure dig was getting the correct response by trying the instructions in this document. The document itself references explanations.
So the dnsmasq developer rewrote, resulting in:
WARNING: Don’t do this if you’re not willing to run anything else but the stable build!!!
IMPORTANT: you need to disable DNSSEC during this update, or you may not be able to access the required packages!!!
step 1: add the four (4) files to your system, as indicated by this document. Run sudo apt-get update
step 2: install packages required:
you need to enter q to terminate the readme
select YES to restart the services without asking
sudo apt-get -y install build-essential
sudo apt-get -y install gettext
sudo apt-get -y install libnetfilter-conntrack-dev
sudo apt-get -y install libidn11-dev
sudo apt-get -y install libdbus-1-dev
sudo apt-get -y install libgmp-dev
sudo apt-get -y install nettle-dev
sudo apt-get autoremove
step 3: IMPORTANT: remove the four (4) files (2 files in each dir) you created in /etc/apt/… . Run sudo apt-get update
step 4: create the new dnsmasq:
mkdir -p dnsmasq
tar xzf dnsmasq-2.77test4.tar.gz
you’ll get a lot of undefined symbol warnings; you can ignore these, as per instructions of the developer
fakeroot debian/rules binary
verify you have these three (3) files:
#Enter N to keep your current configuration
sudo dpkg -i dnsmasq*.deb
This should now show you are using version 2.77test4
According to the developer, you can keep (backup) the three (3) .deb files for future installations, avoiding the download and compilation.
Read this solution to solve the time synchronization problem, add dnssec-no-timecheck. I’ve created a separate dnssec.conf configuration file in /etc/dnsmasq.d:
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-no-timecheck
Make sure these lines are removed from 01-pihole.conf.
You can no longer use the settings page of the pihole admin website, but that wasn’t an option anyway, after you installed dnscrypt-proxy.
Read this to find out, how I make my life easy, looking at the pihole log.
Finally, you should now be able to go to www.raspberrypi.org and get a log entry that says:
Feb 11 19:17:23 dnsmasq: validation result is SECURE
When testing DNSSEC on this site, (hit the start test button) you should get:
Feb 11 19:22:45 dnsmasq: validation 3490-sigfail.verteiltesysteme.net is BOGUS
Feb 11 19:24:03 dnsmasq: validation sigfail.verteiltesysteme.net is BOGUS
Edit: tested on an existing pihole installation, and a clean system.
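The checks this post describes (the dig test per proxy, the truncation warning, the dnsmasq version after the rebuild, the dnssec lines that must not be duplicated in 01-pihole.conf, and the SECURE/BOGUS log entries) collected into one script, as an added example that is not part of the original post nor of Pi-hole, dnsmasq or dnscrypt-proxy. The listener addresses and ports of the live probe (127.10.10.1 to .4, ports 5551 to 5554), the log path /var/log/pihole.log and all sample data are assumptions; the sample dig transcript, log lines and config files are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Verification helpers for the dnscrypt-proxy + dnsmasq DNSSEC setup described
# in the post. Added example: not the post's own script and not shipped by
# Pi-hole, dnsmasq or dnscrypt-proxy. Assumptions (not from the post): the live
# probe uses listeners 127.10.10.N on port 555N, and sample inputs are constructed.
set -u

# --- dig transcript checks -------------------------------------------------
# Did dig fall back to TCP? (the symptom the post ties to broken validation)
dig_truncated() {
    case "$1" in *"Truncated, retrying in TCP mode"*) return 0 ;; esac
    return 1
}
# RCODE of the answer, e.g. NOERROR or SERVFAIL (first header line only).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}
# True if the flags line carries "ad": the upstream validated the answer.
dig_validated() {
    printf '%s\n' "$1" | grep -qE '^;; flags:[^;]* ad( |;)'
}
# Live probe of one proxy listener; prints a one-line summary.
check_proxy() {   # $1 listen address, $2 port, $3 name to query
    out=$(dig @"$1" -p "$2" +dnssec "$3" 2>&1) || true
    printf '%s:%s %s status=%s ad=%s truncated=%s\n' "$1" "$2" "$3" \
        "$(dig_status "$out")" \
        "$(dig_validated "$out" && echo yes || echo no)" \
        "$(dig_truncated "$out" && echo yes || echo no)"
}

# --- installed dnsmasq version ---------------------------------------------
# Pull the version (e.g. 2.77test4) out of the first line of `dnsmasq -v`.
dnsmasq_version_string() {
    printf '%s\n' "$1" | awk '/^Dnsmasq version/ { print $3; exit }'
}

# --- dnsmasq log: count validation verdicts ---------------------------------
count_validation() {   # $1 log file, $2 SECURE | BOGUS | INSECURE
    grep -c "dnsmasq: validation .*is $2\$" "$1" || true
}

# --- dnsmasq.d: a DNSSEC directive set in more than one file ----------------
# The post keeps dnssec, trust-anchor and dnssec-no-timecheck in dnssec.conf
# and removes them from 01-pihole.conf; any directive still found in two
# files is printed here.
duplicate_dnssec_directives() {   # $1 config directory
    for d in dnssec trust-anchor dnssec-no-timecheck; do
        n=$(grep -lE "^${d}(=|\$)" "$1"/*.conf 2>/dev/null | wc -l | tr -d ' ')
        [ "$n" -gt 1 ] && echo "$d"
    done
    return 0
}

# --- constructed sample data (not captured from a real system) --------------
SAMPLE_DIG=$(cat <<'EOF'
;; Truncated, retrying in TCP mode.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/pihole.log" <<'EOF'
Feb 11 19:17:23 dnsmasq: validation result is SECURE
Feb 11 19:22:45 dnsmasq: validation 3490-sigfail.verteiltesysteme.net is BOGUS
Feb 11 19:24:03 dnsmasq: validation sigfail.verteiltesysteme.net is BOGUS
EOF
mkdir -p "$TMP/dnsmasq.d"
printf 'dnssec\ntrust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\ndnssec-no-timecheck\n' \
    > "$TMP/dnsmasq.d/dnssec.conf"
# 01-pihole.conf with a leftover "dnssec" line, the mistake the post warns about
printf '# other pi-hole settings\ndnssec\n' > "$TMP/dnsmasq.d/01-pihole.conf"

echo "sample dig: status=$(dig_status "$SAMPLE_DIG") truncated=$(dig_truncated "$SAMPLE_DIG" && echo yes || echo no)"
echo "SECURE=$(count_validation "$TMP/pihole.log" SECURE) BOGUS=$(count_validation "$TMP/pihole.log" BOGUS)"
echo "duplicated directives: $(duplicate_dnssec_directives "$TMP/dnsmasq.d" | tr '\n' ' ')"

# Set RUN_LIVE=1 to probe the four proxies of the post's sample configuration.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    i=1
    while [ "$i" -le 4 ]; do
        check_proxy "127.10.10.$i" "555$i" www.raspberrypi.org
        i=$((i + 1))
    done
fi
```

Run it as-is to exercise the parsers on the constructed data; run it with RUN_LIVE=1 on the Pi to probe each proxy, and point count_validation at /var/log/pihole.log (assumed path) after visiting www.raspberrypi.org and the DNSSEC test site to confirm one SECURE and two BOGUS verdicts as in the post.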