/tech/ - Technology

Where proprietary software comes to die

Posting mode: Reply

Name
Email
Subject
Comment
Password
Drawing x size canvas
File(s)

Remember to follow the rules

Max file size: 350.00 MB

Max files: 5

Max message length: 4096

Manage Board | Moderate Thread

Return | Catalog | Bottom

Expand All Images


(91.37 KB 350x350 R-10093967.jpg)
dns Anonymous 04/13/2017 (Thu) 14:49:50 [Preview] No. 8308
So I'm looking into dnscrypt and most guides recommend using a dns caching server? Is that really required for a desktop/laptop or is it a think you put on your router ?


Anonymous 04/13/2017 (Thu) 18:12:29 [Preview] No. 8309 del
(13.06 MB 560x684 docguy.gif)
I'm using Unbound right know, as a cache and authoritative server. So I'm directly connected to the root server, without using any proxy. Moreover, I have a little protection called DNSSEC.
The only default is that it's not encrypted. But I personaly hardly trust openssl anymore, nor Tor. Maybe the encryption itself is not at risk, but they don't need to break the encryption itself to get the info, as the leaks showed (see the conference of this guy saying that it's the goverment that forced to create a overly complicated ssl strandard to generate exploits easely). So that's a great compromise for me, since I cannot be censored at the DNS level.
I don't understand why there are not more people using Unbound on their main computer. You just need to modify the configuration of the DHCP to forbid him to change resolv.conf.
Moreover, you can use Unbound through openvpn, and that's great. And last but not least, you can apply restriction directly in Unbound, forbidding the server to ask for the ip adress. It's better than /etc/hosts restriction because nothing is going out of your computer.


Anonymous 04/13/2017 (Thu) 19:24:44 [Preview] No. 8310 del
Yeah, I used dnscrypt on my rtn66 router, caching was part of that. I used it exclusively for all traffic. If you just want to use it on your desktop it should be fairly simple.


Anonymous 04/13/2017 (Thu) 21:40:19 [Preview] No. 8312 del
>>8309
>But I personaly hardly trust openssl anymore
https://www.libressl.org/


Anonymous 04/13/2017 (Thu) 22:32:07 [Preview] No. 8313 del
>>8308

Kudos for moving into the 21st century.

Dnscrypt is a subset of DNS technology overall. DNS always suggests the use of a caching server if only to reduce bandwith use. This idea goes back to the days yore, where the primary advice to reduce strain on the network was: "hunt down and kill -9 Xpilot."

A caching server located on a router that clients are forced to use is just marketing speak for a plain old vanilla DNS server.

You should put your caching server on the client. There's a lotta reasons for doing so. It's a good idea to learn how to as an exercise in taking control of your own computer and communications. I happen to use Bind, but that's like the Space Shuttle of the DNS world. Simpler apps abound for client use.


Anonymous 04/14/2017 (Fri) 09:27:59 [Preview] No. 8317 del
I can't seem to be getting dnscrypt working on arch and people on irc just say "just use the systemd unit bro" "works for me TM"
So here's what I did:
- install dnscrypt-proxy from the repos
- copy /etc/dnscrypt-proxy.conf to someplace in my home folder which I bak up along with my dot files
- read all the config and the man page, didn't need to change much
- added entry in bspwmrc for 'dnscrypt-proxy ~/path/to/config'
- edit /etc/resolv.conf and set 127.0.0.1 as a nameserver which is the local address used by default in the config which remained unchained
- dnscrypt starts without any problems, but I can't connect to anything

Does dnscrypt need root ? I'm on grsec and I'm pretty sure I don't use the default port 53 for anything else.


Anonymous 04/14/2017 (Fri) 10:05:53 [Preview] No. 8319 del
>>8317

I've not used Arch so I may not have any answers. The general principals should still apply. The general principal here is: regular users cannot attach a process to any port under 1024. Change the port to something else. Maybe: 127.0.0.1:8000. Or, save yourself the hassle and run it as root while you are testing. At least until you get it to work.

Also, look under /var/log/syslog for messages. It might be some other log file, maybe /var/log/messages. Maybe some other log file. You want to be on the lookout for stuff like: "Cannot fetch server certificate".

You could try this command as root to do a broad search:

grep -i dnscrypt /var/log/*

This should also show you where it's logging to.


Anonymous 04/14/2017 (Fri) 12:06:34 [Preview] No. 8321 del
I'm thinking of looking at that systemd unit file because I don't know what I'm doing wrong currently.

I started dnscrypt-proxy both with:
dnscrypt-proxy ~/path/to/conf
and
su -c 'dnscrypt-proxy /full/path/to/conf'

dnscrypt-proxy.conf - http://ix.io/qCA
resolv.conf contains only nameserver 127.0.0.2, I also tried adding the port as in 127.0.0.2:8000
dnscrypt-proxy.log - http://ix.io/qCE

This is the only thing I can find running grep as root as instructed:
http://ix.io/qCF


Anonymous 04/14/2017 (Fri) 12:13:29 [Preview] No. 8322 del
>>8317
Just stick the command in rc.local


Anonymous 04/14/2017 (Fri) 13:40:47 [Preview] No. 8323 del
>>8322
There's no such thing right now. I can emulate it by creating a systemd unit and I don't see how that helps.


Anonymous 04/14/2017 (Fri) 17:02:57 [Preview] No. 8324 del
>>8323
>no such thing as rc.local
Either you are so much smarter than me that I am having trouble understanding you or you are fucking dumb.
If it's the former, then please ignore me and don't waste your time explaining it to me. If it's the latter, just do this.

# mkdir /run/dnscrypt
# sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false --group --disabled-password --disabled-login dnscrypt
# echo "dnscrypt-proxy --daemonize --user=dnscrypt" >> /etc/rc.local

I assume you know how to change your dns to 127.0.0.1 and fuck with the configs yourself.


Anonymous 04/14/2017 (Fri) 19:06:25 [Preview] No. 8325 del
>>8324
Nigga arch no longer has rc.local since the migration to systemd :).You need to create a systemd unit for it.

https://raymii.org/s/tutorials/rc.local_support_on_Arch_Linux_and_systemd.html


Anonymous 04/14/2017 (Fri) 21:31:50 [Preview] No. 8326 del
>>8325
Well then, it seems I was fucking dumb all along. No point holding onto my iq points, I'm off to drink from the air conditioner.


Anonymous 04/17/2017 (Mon) 10:10:42 [Preview] No. 8337 del
>>8326
filter out the air conditioner water with zerowater filter


Anonymous 04/18/2017 (Tue) 05:32:33 [Preview] No. 8343 del
(404.74 KB 1024x1019 1492106506787.jpg)
>>8308

>Is that really required for a desktop/laptop

It's not required, but they don't recommend it idly. It's not difficult to set up Unbound or BIND to do nothing but cache and forward novel requests to dnscrypt-proxy listening on, say port 5353.

Do it, faggot.


Anonymous 04/18/2017 (Tue) 06:25:37 [Preview] No. 8344 del
(644.38 KB 700x700 fuck-the-cia-niggers.png)
>>8343

Is it better to access the root server directly, or to forward Unbound to dnsscrypt?
Is it not better to set up a vps offshore, and forward all of your traffic through it, than using a dnsscrypt?


Anonymous 04/18/2017 (Tue) 10:36:48 [Preview] No. 8347 del
>Do it, faggot.
I gave up since I cant get it working without systemd, I just added opendns to my firejail profiles.


Anonymous 04/19/2017 (Wed) 04:58:13 [Preview] No. 8354 del
>>8344

>Is it better to access the root server directly, or to forward Unbound to dnsscrypt?

I think it depends on how much you trust the dnscrypt operator you're using vs how much you trust that your network traffic between you and the root server, then you and the TLD authoritative servers, and then you and the nameservers of the domain you're trying to fetch isn't being intercepted or tampered with.

DNSSEC is still not widely deployed, so that's not much help. It also only provides authentication of the data you're receiving, not privacy.

>Is it not better to set up a vps offshore, and forward all of your traffic through it, than using a dnsscrypt?

DNS leaks while using a VPN (which is what I assume you mean by routing through a VPS, although I suppose you could be using ssh forwarding or something instead) are common, so you'd have to make sure that's not happening.

Then, even if your DNS requests are being routed through your VPS what's happening on that end?

All of this depends on your threat model. What's your goal? To ensure the authenticity of the DNS information you're receiving? To ensure that your DNS requests are private? Both? Who are your adversaries? Malicious actors on coffee shop wifi? Your skiddie roommate on your home network? Incompetents/data miners at your ISP? MI5? GCHQ?

>>8317

>I can't seem to be getting dnscrypt working on arch and people on irc just say "just use the systemd unit bro" "works for me TM"

Which is the correct advice for Arch, which uses systemd for its init system. If you're so desperate to avoid systemd, why use Arch?


Anonymous 04/19/2017 (Wed) 10:23:03 [Preview] No. 8356 del
>>8354
I pretty much don't want to use an init system for this shit. It overcomplicates things when the program already has a daemon mode.


Anonymous 04/19/2017 (Wed) 20:58:07 [Preview] No. 8358 del
(442.22 KB 1280x720 openyoureyes.webm)
>>8356

>I pretty much don't want to use an init system for this shit. It overcomplicates things when the program already has a daemon mode.

dnscrypt-proxy itself provides a systemd unit in the tarball, and Arch includes it, too. What's overcomplicated is finding some hacky alternative way to launch dnscrypt-proxy (which would no doubt not include process supervision) when you can just type

# systemctl enable dnscrypt-proxy


and never have to worry about it again.

Many services that are designed to run as daemons, like sshd and postfix, are typically managed by a distro's init system. Of course, you can use whatever bizarre, hacky method you like. But it's not going to be less "overcomplicated" than just doing what your init system was designed to do, and what the dnscrypt-proxy authors expect you to do (as evidenced by the fact that they provide both systemd files and sysvinit files with their software).


Anonymous 04/20/2017 (Thu) 04:21:36 [Preview] No. 8360 del
does no one know about arch openrc/nosystemd iso?

>wtf


Anonymous 04/20/2017 (Thu) 04:32:41 [Preview] No. 8361 del
>>8308
>>8354

http://systemd-free.org/
All yall mothafuckas need |systemd|


Anonymous 04/20/2017 (Thu) 10:58:10 [Preview] No. 8364 del
>>8358
>Using the software as intented without distro specific init system is hacky.
Great logic there sporty.


Anonymous 04/20/2017 (Thu) 20:50:36 [Preview] No. 8366 del
(11.65 MB 960x540 warhaschanged.webm)
>>8364

>Using the software as intented

It's intended to be managed by the init system, as evidenced by the fact that the dnscrypt-proxy authors provide both systemd files and sysvinit files with their software.

That's the second time I've had to point that out. Learn to read, ace.


Anonymous 04/21/2017 (Fri) 05:54:36 [Preview] No. 8370 del
I don't think this software is intended to be used by Arch ricers who can't read instructions and lack the initiative to even install/learn a service supervisor.


Anonymous 04/21/2017 (Fri) 13:20:17 [Preview] No. 8371 del
>>8366
You're right you know.
>>8370
Did you feel good while writing this ?



Top | Return | Catalog | Post a reply