thacoon's Blog

Install and configure DNSCrypt on Arch Linux

· thacoon

DNSCrypt

DNS stands for Domain Name System. It is a decentralized system that translates domain names into the IP addresses your computer needs to connect to other computers. The problem is that even if you use HTTPS, these queries are unencrypted, which leaves them vulnerable to spoofing and eavesdropping. A malicious user can record your queries and/or change the responses. This opens the door to several attacks: an attacker can respond with a fake IP address that your browser will then visit, or act as a silent forwarder while capturing everything it needs. DNSCrypt is a network protocol that encrypts DNS queries and responses between you and the DNS resolver. This way spoofing of your DNS queries and eavesdropping can be prevented.

Install and configure DNSCrypt on Arch Linux

  1. Install the dnscrypt-proxy package with $ sudo pacman -S dnscrypt-proxy.

  2. To prevent NetworkManager from changing the resolv.conf file we need to edit the NetworkManager.conf file. Open the conf file with $ sudo nano /etc/NetworkManager/NetworkManager.conf and then add/edit the following in the [main] section:

    dns=none

    Alternatively you can prevent the file from being modified by anything. To do this we can set the immutable attribute with $ sudo chattr +i /etc/resolv.conf.

  3. Replace the current set of resolver addresses in $ sudo nano /etc/resolv.conf with the following one:

    nameserver 127.0.0.1

  4. Choose a resolver address near to your location. A list of resolver addresses can be found here. In our case we are using cs-de3. This is a DNS server owned by cryptostorm.is, a VPN service provider. Then edit the file $ sudo nano /etc/dnscrypt-proxy.conf and change the resolver to:

    ResolverName cs-de3

  5. To prevent dnscrypt from being run as root, we first need to add another user: $ sudo useradd -r -d /var/dnscrypt -m -s /sbin/nologin dnscrypt

    Now change the systemd unit file so dnscrypt is started as the added user. Edit the file with $ sudo nano /usr/lib/systemd/system/dnscrypt-proxy.service and add two lines to the [Service] section:

    [Service]
    User=dnscrypt
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE

  6. Now we can start dnscrypt. First we reload systemd, because we just changed a unit file, and then we start dnscrypt:

    $ sudo systemctl daemon-reload
    $ sudo systemctl start dnscrypt-proxy.service

    To check that dnscrypt is really executed by a user other than root, we can check with $ ps -u dnscrypt. You should see something like:

    PID TTY          TIME CMD
    32639 ?        00:00:00 dnscrypt-proxy

    If everything is correct you can enable dnscrypt so it starts at boot time: $ sudo systemctl enable dnscrypt-proxy.service

  7. When you now run an extended test at DNS leak test you should only see the hostname of the resolver you have just added. In our case something like warlock.deepdns.cryptostorm.net.
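As an added example that is not part of the original post, here is a small POSIX shell script that verifies the result of the steps above: resolv.conf lists only the loopback resolver, NetworkManager.conf sets dns=none in [main], the immutable attribute is set, and dnscrypt-proxy is not running as root. File paths are optional arguments (the defaults are the paths used above), so the first two checks can also be run against copies of the files.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the setup above.
# Each function returns 0 or 1; paths are optional arguments, defaults as above.

# Every active "nameserver" line must point at loopback, otherwise a query can
# still bypass the local dnscrypt-proxy and leak to a plaintext resolver.
resolv_only_loopback() {
    file="${1:-/etc/resolv.conf}"
    count=0
    # drop "#" and ";" comments, then keep only the nameserver addresses
    for ns in $(sed 's/[#;].*//' "$file" | awk '$1 == "nameserver" { print $2 }'); do
        count=$((count + 1))
        case "$ns" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# The [main] section of NetworkManager.conf must contain dns=none, so that
# NetworkManager stops rewriting resolv.conf with the DHCP-supplied servers.
nm_dns_none() {
    file="${1:-/etc/NetworkManager/NetworkManager.conf}"
    val=$(awk -F= '
        /^[[:space:]]*\[/ { sect = $0; gsub(/[[:space:]]/, "", sect); next }
        sect == "[main]" {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == "dns") { v = $2; gsub(/[[:space:]]/, "", v); print v }
        }' "$file")
    [ "$val" = "none" ]
}

# Alternative to the NetworkManager setting: the immutable bit set by chattr +i.
resolv_immutable() {
    file="${1:-/etc/resolv.conf}"
    lsattr -d "$file" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# dnscrypt-proxy must be running, and no instance of it may belong to root.
dnscrypt_not_root() {
    pids=$(pgrep -x dnscrypt-proxy) || return 1
    for p in $pids; do
        [ "$(ps -o user= -p "$p")" != "root" ] || return 1
    done
}
```

On a live system, source the file and call each of the four functions in turn; the first one that returns non-zero names the step that still needs attention.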

#arch #linux #security #privacy #dns
