CONFIGURING DNSCRYPT PROXY AND UNBOUND ON PFSENSE

DNSCrypt is a protocol that authenticates communications between DNS clients and DNS resolvers, and dnscrypt-proxy is the client software that implements it. dnscrypt-proxy can prevent DNS spoofing, because it uses cryptographic signatures to verify that responses come from the selected DNS resolver and have not been tampered with.

In layman's terms, dnscrypt-proxy is lightweight software that lets users resolve names online privately and without security concerns. It does this by encrypting all DNS traffic passing between the user and the DNS server, which stops malicious interference with that traffic and so blocks the attacks that rely on it.


System Specifications:
OS: PFSense 2.6.0-RELEASE (amd64)
CPU Type : Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
IP LAN: 192.168.9.1/24
IP & Port Unbound : 127.0.0.1@53
IP & Port DNSCrypt proxy : 127.0.0.1@5300


To install and configure Unbound and dnscrypt-proxy on the pfSense router, the first thing to do is fill in the general setup page: click the System >> General Setup menu. On this page you have to set Hostname, Domain, DNS Servers and DNS Resolution Behavior.

What you need to pay attention to is that DNS Servers must be left empty and DNS Resolution Behavior must be "Use local DNS (127.0.0.1), ignore remote DNS Servers", so that the router itself only resolves through Unbound.


Configure Unbound DNS Server

Unbound is a default package that pfSense already ships with, so we don't have to install it; all we have to do is configure it.

To configure Unbound, click the Services >> DNS Resolver menu then select General Settings.

Enable DNS resolver = Checked
Listen Port = 53
Network Interfaces = LANWIFI and Localhost
Outgoing Network Interfaces = WANINDIHOME
System Domain Local Zone Type = Transparent
Enable DNSSEC Support = Checked
Register DHCP leases in the DNS Resolver = Checked
Register DHCP static mappings in the DNS Resolver = Checked
Custom options =
    do-not-query-localhost: no
    forward-zone:
        name: "."
        forward-addr: 127.0.0.1@5300

After that, click the Save button. What you have to pay attention to is the Custom options field. The address 127.0.0.1@5300 is where dnscrypt-proxy listens, so the forward-zone for "." means that Unbound will forward every query it cannot answer from cache to dnscrypt-proxy, and do-not-query-localhost: no is required because Unbound refuses to forward to 127.0.0.1 by default. After that, click the Advanced Settings menu and fill it in according to the following instructions:

Hide Identity = Checked
Hide Version = Checked
Query Name Minimization = Checked
Prefetch Support = Checked
Prefetch DNS Key Support = Checked
Harden DNSSEC Data = Checked

The other options are left at their defaults or blank. Look at the following image to fill in the Advanced Settings menu.

Once everything is filled in, click the Save button, and the Unbound configuration is complete. Now we move on to discussing DNSCrypt proxy.


DNSCrypt proxy installation and configuration

DNSCrypt proxy is a flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymous DNSCrypt, and ODoH (Oblivious DoH).

dnscrypt-proxy is not available as a pfSense package, but it is available in the FreeBSD package repository. To install dnscrypt-proxy on pfSense we therefore install it from the FreeBSD repository.

The first step in installing dnscrypt-proxy2 is to enable the SSH server on pfSense. To do this, click the System >> Advanced >> Admin Access menu and check Secure Shell Server, as shown in the screenshot.

After the SSH server is active, we enter the pfSense command line via the PuTTY console. Enter the LANWIFI IP address 192.168.9.1 as the host name, then click Open. After that we are asked for the pfSense username and password.

After the console menu shown in the image above appears, press 8 (Shell) to get a command prompt, then type pkg install dnscrypt-proxy2.

Install dnscrypt-proxy2
[2.7.2-RELEASE][root@nspfSense.unixwinbsd.site]/root: pkg install dnscrypt-proxy2
Wait until the installation process is complete.

After that, type cd /usr/local/etc/rc.d and rename the dnscrypt-proxy rc script to dnscrypt-proxy.sh (with the suffix "sh"). To do this, type mv dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.sh, then DELETE all the contents of the dnscrypt-proxy.sh file and replace them with the following script.

#!/bin/sh

# PROVIDE: dnscrypt_proxy
# REQUIRE: cleanvar SERVERS
# BEFORE: unbound

. /etc/rc.subr

name=dnscrypt_proxy
rcvar=dnscrypt_proxy_enable
procname=/usr/local/bin/dnscrypt-proxy

load_rc_config $name

# Defaults; each can be overridden by the matching variable in /etc/rc.conf
: ${dnscrypt_proxy_enable:="NO"}
: ${dnscrypt_proxy_conf:="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
: ${dnscrypt_proxy_pidfile:="/var/run/${name}.pid"}

pidfile=${dnscrypt_proxy_pidfile}

# Supervise dnscrypt-proxy with daemon(8): -p writes the child's pid file and
# -f detaches stdio; -syslog is dnscrypt-proxy's own flag and sends its log to syslog
command=/usr/sbin/daemon
command_args="-p ${pidfile} -f ${procname} -config ${dnscrypt_proxy_conf} -syslog"

run_rc_command "$1"

After that, add the lines below to the rc.conf file. To edit it, type ee /etc/rc.conf.


dnscrypt_proxy_enable="YES"
dnscrypt_proxy_conf="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
dnscrypt_proxy_pidfile="/var/run/dnscrypt_proxy.pid"

Then create the file dnscrypt_relaunch.sh in the /usr/local/bin folder. To do this, type
ee /usr/local/bin/dnscrypt_relaunch.sh and enter the script below.


#!/usr/bin/env sh
# Watchdog: restart dnscrypt-proxy when its rc.d status check reports it is not running.
# service(8) looks the script up by name in the rc.d directories, so pass the
# name dnscrypt-proxy.sh rather than its full path.
if ! service dnscrypt-proxy.sh status > /dev/null 2>&1; then
    service dnscrypt-proxy.sh restart
fi


Then add a cron job that runs this script: in the pfSense web GUI, open the Services >> Cron >> Settings menu and click the Add button at the bottom.

Once everything is finished, click the Save button.
The next step, edit the dnscrypt-proxy.toml file which is in the /usr/local/etc/dnscrypt-proxy folder. To edit the file, type ee /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml.

Then DELETE the entire contents of the dnscrypt-proxy.toml file and replace them with the following configuration.

server_names = ['cloudflare', 'cloudflare-ipv6']
listen_addresses = ['127.0.0.1:5300', '[::1]:5300']
max_clients = 300
force_tcp = false
timeout = 2000
keepalive = 30
bootstrap_resolvers = ['1.1.1.1:53','8.8.8.8:53', '9.9.9.9:53']
ignore_system_dns = true
netprobe_timeout = 30
cache = true
cache_size = 512
cache_min_ttl = 30
cache_max_ttl = 900
cache_neg_min_ttl = 10
cache_neg_max_ttl = 300
dnscrypt_servers = true


[sources]


## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers


[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''


## Anonymized DNS relays


[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
cache_file = 'relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''


[static]
# Singapore DoH
[static.'blahdns-sg-doh']
stamp = 'sdns://AgMAAAAAAAAADjEwMy4xNjcuMTUwLjQ1ABJkb2gtc2cuYmxhaGRucy5jb20KL2Rucy1xdWVyeQ'
[static.'blahdns-sg-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAFVsyNDA2OmVmODA6Mjo1ZWU0OjoxXQASZG9oLXNnLmJsYWhkbnMuY29tCi9kbnMtcXVlcnk'


# Singapore Dnscrypt
[static.'blahdns-sg-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAEzEwMy4xNjcuMTUwLjQ1Ojg0NDMghROpa8Tgg0uVDWO1AujT4tVNBJZrJgKTNOkHHboj_CsbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'
[static.'blahdns-sg-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAGlsyNDA2OmVmODA6Mjo1ZWU0OjoxXTo4NDQzIIUTqWvE4INLlQ1jtQLo0-LVTQSWayYCkzTpBx26I_wrGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ'


# Finland DoH
[static.'blahdns-fi-doh']
stamp = 'sdns://AgMAAAAAAAAADjk1LjIxNi4yMTIuMTc3ABJkb2gtZmkuYmxhaGRucy5jb20KL2Rucy1xdWVyeQ'
[static.'blahdns-fi-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAF1syYTAxOjRmOTpjMDEwOjQzY2U6OjFdABJkb2gtZmkuYmxhaGRucy5jb20KL2Rucy1xdWVyeQ'


# Finland Dnscrypt
[static.'blahdns-fi-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAEzk1LjIxNi4yMTIuMTc3Ojg0NDMghROpa8Tgg0uVDWO1AujT4tVNBJZrJgKTNOkHHboj_CsbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'
[static.'blahdns-fi-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAHFsyYTAxOjRmOTpjMDEwOjQzY2U6OjFdOjg0NDMghROpa8Tgg0uVDWO1AujT4tVNBJZrJgKTNOkHHboj_CsbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t'


# Japan DoH
[static.'blahdns-jp-doh']
stamp = 'sdns://AgMAAAAAAAAADDIxMi41Mi4wLjEyMgASZG9oLWpwLmJsYWhkbnMuY29tCi9kbnMtcXVlcnk'
[static.'blahdns-jp-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAFVsyNDA2OmVmODA6NDoxNTM3OjoxXQASZG9oLWpwLmJsYWhkbnMuY29tCi9kbnMtcXVlcnk'


# Japan Dnscrypt
[static.'blahdns-jp-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAETIxMi41Mi4wLjEyMjo4NDQzIIUTqWvE4INLlQ1jtQLo0-LVTQSWayYCkzTpBx26I_wrGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ'
[static.'blahdns-jp-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAGlsyNDA2OmVmODA6NDoxNTM3OjoxXTo4NDQzIIUTqWvE4INLlQ1jtQLo0-LVTQSWayYCkzTpBx26I_wrGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ'


# Germany DoH
[static.'blahdns-de-doh']
stamp = 'sdns://AgMAAAAAAAAADTc4LjQ2LjI0NC4xNDMAEmRvaC1kZS5ibGFoZG5zLmNvbQovZG5zLXF1ZXJ5'
[static.'blahdns-de-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAFlsyYTAxOjRmODpjMTc6ZWM2Nzo6MV0AEmRvaC1kZS5ibGFoZG5zLmNvbQovZG5zLXF1ZXJ5'


# Germany Dnscrypt
[static.'blahdns-de-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAEjc4LjQ2LjI0NC4xNDM6ODQ0MyCFE6lrxOCDS5UNY7UC6NPi1U0ElmsmApM06QcduiP8KxsyLmRuc2NyeXB0LWNlcnQuYmxhaGRucy5jb20'
[static.'blahdns-de-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAG1syYTAxOjRmODpjMTc6ZWM2Nzo6MV06ODQ0MyCFE6lrxOCDS5UNY7UC6NPi1U0ElmsmApM06QcduiP8KxsyLmRuc2NyeXB0LWNlcnQuYmxhaGRucy5jb20'


# Switzerland DoH
[static.'blahdns-ch-doh']
stamp = 'sdns://AgMAAAAAAAAAEDQ1LjkxLjkyLjEyMTo0NDMAEmRvaC1jaC5ibGFoZG5zLmNvbQovZG5zLXF1ZXJ5'
[static.'blahdns-ch-doh-v6']
stamp = 'sdns://AgMAAAAAAAAAFlsyYTBlOmRjMDo2OjIzOjoyXTo0NDMAEmRvaC1jaC5ibGFoZG5zLmNvbQovZG5zLXF1ZXJ5'


# Switzerland Dnscrypt
[static.'blahdns-ch-dnscrypt-v4']
stamp = 'sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIUTqWvE4INLlQ1jtQLo0-LVTQSWayYCkzTpBx26I_wrGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ'
[static.'blahdns-ch-dnscrypt-v6']
stamp = 'sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIUTqWvE4INLlQ1jtQLo0-LVTQSWayYCkzTpBx26I_wrGzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ'


Now start dnscrypt-proxy. In the PuTTY console, type:

[2.6.0-RELEASE][root@router.home.arpa]/root: service dnscrypt-proxy.sh restart

Stopping dnscrypt_proxy.
Waiting for PIDS: 37565, 37565.
Starting dnscrypt_proxy.
This output means that dnscrypt-proxy is RUNNING. Still in the PuTTY console, we now test dnscrypt-proxy directly on its own port, bypassing Unbound:
[2.6.0-RELEASE][root@router.home.arpa]/root: dig -p 5300 google.com @127.0.0.1

Dnscrypt-proxy is a free and open source application that supports protocols such as DNSCrypt v2 and DNS-over-HTTPS (DoH) which can prevent DNS spoofing and hacker attacks.

This article has reviewed how to install and configure the dnscrypt-proxy application. Having this application on your computer will improve the security of your DNS resolution, especially for the traffic on ports 80 and 443 that we use most often.
Iwan Setiawan

