On 2017/11/09 09:58, Vinícius Zavam wrote:
> grep listening ports, I'd say (1024+ ports does not play a good reason
> though?).
If dnscrypt-proxy dies for some reason, you don't want to allow an
unprivileged user to take over the port. It should be <1024.
> I would still go for it, and suggest to use 'random'.
>
> why? most people setting net/dnscrypt-proxy on OpenBSD would just use the
> resolver shown at the example from pkg/README-main (that, of course,
> includes OpenBSD developers and lots of people worried about privacy),
> turning the setup pretty predictable* and also leading other available/good
> DNSCrypt resolvers to be misused.
Well, that's easily fixed by just not making the README example use a valid
server.
Here's an alternative diff that fixes some other problems too.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.31
diff -u -p -r1.31 Makefile
--- Makefile 2 Aug 2017 09:32:40 -0000 1.31
+++ Makefile 9 Nov 2017 14:43:50 -0000
@@ -7,6 +7,7 @@ V= 1.9.5
DISTNAME= dnscrypt-proxy-${V}
PKGNAME-main= dnscrypt-proxy-${V}
PKGNAME-plugins= dnscrypt-proxy-plugins-${V}
+REVISION-main= 0
CATEGORIES= net
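Review bot: only the -main subpackage gets a REVISION bump, which is the right scope here since the change is confined to pkg/README-main and PKGNAME-plugins is untouched; placing "REVISION-main= 0" directly after the PKGNAME lines also matches the usual ordering in ports Makefiles.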
Index: pkg/README-main
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/README-main,v
retrieving revision 1.8
diff -u -p -r1.8 README-main
--- pkg/README-main 23 Jan 2017 18:00:23 -0000 1.8
+++ pkg/README-main 9 Nov 2017 14:43:50 -0000
@@ -4,46 +4,86 @@ $OpenBSD: README-main,v 1.8 2017/01/23 1
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------
-In order to perform queries over DNSCrypt, the easiest way is to change
-your /etc/resolv.conf file:
+Basic setup
+===========
+
+dnscrypt-proxy listens on a local address for DNS queries and forwards
+them over an encrypted channel to a resolver providing DNSCrypt service.
+
+To use this package, two things are required.
+
+Firstly, choose an upstream server. There is no default: the package
+lets you make a conscious decision about who to trust. A list of public
+servers is in ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv,
+or an updated list is at https://dnscrypt.org/dnscrypt-resolvers.html,
+
+Choose one and configure it:
+
+# rcctl enable dnscrypt_proxy
+# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__
+# rcctl start dnscrypt_proxy
+
+Replace __YOUR_CHOICE__ with one of the names from the first column
+(e.g. "cisco", "cs-nl", "dnscrypt-eu.nl"), or use the word "random" to
+select a random resolver at startup (chosen from those that claim that
+they use DNSSEC and do not log requests).
+
+Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy:
nameserver 127.0.0.1
lookup file bind
-options edns0
-DNSCrypt does _not_ cache queries, so the recommended way to use it is
-as a forwarder for a DNS cache like Unbound. The following unbound.conf
-example may be used as a guideline:
+N.B. If fetching your IP address dynamically, dhclient(1) will normally
+update resolv.conf with network-provided DNS servers. This can be avoided
+by removing "domain-name" and "domain-name-servers" from the "request"
+line in /etc/dhclient.conf.
+
+
+Caching
+=======
+
+dnscrypt-proxy does not cache queries. Performance can be improved by
+configuring a local caching DNS resolver to forward requests via
+dnscrypt-proxy.
+
+In this configuration, the caching resolver should listen on port 53,
+and dnscrypt-proxy should be configured to use an alternative port.
+For example:
+
+# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -a 127.0.0.1:40
+# rcctl restart dnscrypt_proxy
+
+And an example configuration to use this with Unbound:
+# cat /var/unbound/etc/unbound.conf
server:
interface: 127.0.0.1
- interface: 192.168.1.1 # additional addresses to listen on
- access-control: 192.168.1.0/24 allow # who's allowed to make queries
do-not-query-localhost: no
hide-identity: yes
hide-version: yes
+ auto-trust-anchor-file: "/var/unbound/db/root.key"
+ # provide service to other local machines, if needed:
+ #interface: 192.168.1.1
+ #access-control: 192.168.1.0/24 allow
+
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: /var/run/unbound.sock
forward-zone:
- name: "."
- forward-addr: 127.0.0.1@40
- #forward-addr: 127.0.0.1@41 # example failover server, see below
-
-A list of resolvers providing DNSCrypt service is available at
-${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
-Choose one (there is no default) and configure it, for example:
-
-rcctl enable dnscrypt_proxy
-rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
-rcctl start dnscrypt_proxy
+ name: "."
+ forward-addr: 127.0.0.1@40
+ #forward-addr: 127.0.0.1@41 # example failover server, see below
The dnscrypt-proxy utility does not support failover resolvers; as described
in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/,
you will need to run a second instance of it for DNS redundancy. This can be
handled by rcctl(8) by adding a symbolic link to the script:
-ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
-rcctl enable dnscrypt_proxy2
-rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41
-rcctl start dnscrypt_proxy2
+# ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
+# rcctl enable dnscrypt_proxy2
+# rcctl set dnscrypt_proxy2 flags -E -m1 -R __SECOND_CHOICE__ -a 127.0.0.1:41
+# rcctl start dnscrypt_proxy2
For more information, see https://dnscrypt.org/
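Review bot: the sentence "or an updated list is at https://dnscrypt.org/dnscrypt-resolvers.html," ends with a comma where a full stop is needed, and the example resolver name "dnscrypt-eu.nl" in the new text does not match the "dnscrypt.eu-nl" used in the removed rcctl line, so one of the two should be checked against the first column of dnscrypt-resolvers.csv before commit. The resolv.conf fragment ("nameserver 127.0.0.1" / "lookup file bind") would also read better with a blank line before and after it, as the rcctl examples in the same hunk have.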
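The reply's point that the proxy's listening port should stay below 1024 (so an unprivileged user cannot bind it if dnscrypt-proxy dies) can be checked against the rcctl flags actually configured on a host. The following script is an added example and not part of the thread or of the port; it assumes the "-a addr:port" syntax shown in the README diff and, as an assumption, that dnscrypt-proxy binds port 53 when -a is absent.

```sh
#!/bin/sh
# Added example (not from the thread or the port): check that the flags of
# each dnscrypt_proxy* rc.d service bind a privileged (<1024) port, so a
# crashed proxy cannot be replaced by a listener started by an ordinary user.

# listen_port FLAGS -> prints the port the flags would bind.
# Assumes the "-a ip:port" form used in the README ("-a 127.0.0.1:40");
# a default of 53 when -a is absent is an assumption, not taken from the page.
listen_port() {
    set -- $1            # split the flags string into words
    port=53
    while [ $# -gt 0 ]; do
        if [ "$1" = -a ] && [ $# -gt 1 ]; then
            shift
            port=${1##*:}    # text after the last ':' (also works for [::1]:40)
        fi
        shift
    done
    echo "$port"
}

# privileged_port FLAGS -> 0 if the bound port is <1024, 1 otherwise.
privileged_port() {
    p=$(listen_port "$1")
    case $p in
        ''|*[!0-9]*) return 1 ;;   # not a number: refuse rather than guess
    esac
    [ "$p" -lt 1024 ]
}

# audit_services -> report every dnscrypt_proxy* service on this host
# (covers the dnscrypt_proxy2 symlink from the failover section).
audit_services() {
    for path in /etc/rc.d/dnscrypt_proxy*; do
        [ -e "$path" ] || continue
        svc=${path##*/}
        flags=$(rcctl get "$svc" flags 2>/dev/null)
        if privileged_port "$flags"; then
            echo "$svc: ok (port $(listen_port "$flags"))"
        else
            echo "$svc: WARNING, port $(listen_port "$flags") is unprivileged"
        fi
    done
}
```

Run as root with `audit_services`; the two examples from the README ("-a 127.0.0.1:40" and "-a 127.0.0.1:41") both pass, while a configuration such as "-a 127.0.0.1:5353" is reported.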