DNSCrypt is a protocol used to encrypt and authenticate communications between DNS clients and DNS resolvers. It can block DNS spoofing and man-in-the-middle attacks. DNSCrypt is available for most operating systems, including Linux, Windows, Mac OS X, Android and iOS. In this tutorial I'm using Arch Linux with kernel 4.1.
Unbound is a caching DNS server that resolves the DNS queries it receives. When a user sends a new query, Unbound stores the answer in its cache, and when the user sends the same query again, Unbound answers from the cache. This is faster than resolving the query for the first time.
Now I will install DNSCrypt to secure DNS communication and speed it up with Unbound.
Step one - Install Yaourt
Yaourt is a helper tool for the AUR (Arch User Repository) that lets users easily install programs from the AUR. Yaourt and pacman use the same syntax, so you can install programs with Yaourt the same way. Here's an easy way to install Yaourt:
1. Edit the pacman repository configuration file, "/etc/pacman.conf", with nano or vi:
$ sudo nano /etc/pacman.conf
2. At the bottom of the file, add the Yaourt repository by pasting the following lines. Note that "SigLevel = Never" turns off package signature verification for this repository, and the server is reached over plain HTTP:
[archlinuxfr]
SigLevel = Never
Server = http://repo.archlinux.fr/$arch
3. Exit with "Ctrl + x" and confirm saving with "Y".
4. Then refresh the repository database and install Yaourt with pacman:
$ sudo pacman -Sy yaourt
Step two - Install DNSCrypt and Unbound
DNSCrypt and Unbound are in the Arch Linux repository, so you can install them with the following pacman command:
$ sudo pacman -S dnscrypt-proxy unbound
Then press "Y" during the installation process.
Step three - Install dnscrypt-autoinstall
dnscrypt-autoinstall is a script that automatically installs and configures DNSCrypt on Linux-based systems. It is in the AUR, so you must use the "yaourt" command to install it.
$ yaourt -S dnscrypt-autoinstall
Note:
-S = the same as the "-S" option of pacman, which installs a program.
Step four - Run dnscrypt-autoinstall
Run "dnscrypt-autoinstall" with root privileges to configure DNSCrypt automatically.
$ sudo dnscrypt-autoinstall
In the next step, press "Enter" and then enter "Y" to select the DNS provider you want to use. I use dnscrypt.eu, which offers no logging and DNSSEC.
Step five - Configure DNSCrypt and Unbound
1. Open the DNSCrypt configuration file "/etc/conf.d/dnscrypt-config" and confirm that "DNSCRYPT_LOCALIP" points to the local IP. Set "DNSCRYPT_LOCALPORT" to whatever port you prefer; I'm using port 40.
$ sudo nano /etc/conf.d/dnscrypt-config
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALIP2=127.0.0.2
DNSCRYPT_LOCALPORT=40
Save and exit.
2. Now use the nano editor to edit the Unbound configuration file under "/etc/unbound/":
$ sudo nano /etc/unbound/unbound.conf
3. Add the following lines at the end of the file:
do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40
Make sure the port in "forward-addr" matches "DNSCRYPT_LOCALPORT" in the DNSCrypt configuration. As you can see, port 40 is used.
Then save and exit.
Step six - Run DNSCrypt and Unbound, then add them to boot
Start DNSCrypt and Unbound with root privileges, using the systemctl command:
$ sudo systemctl start dnscrypt-proxy unbound
Add the services to startup with "systemctl enable":
$ sudo systemctl enable dnscrypt-proxy unbound
The command creates symbolic links to the service files in the "/usr/lib/systemd/system/" directory.
Step seven - Configure resolv.conf and restart all services
resolv.conf is the file used on Linux to configure the DNS resolver. It is a plain-text file created by the administrator, so you must edit it with root permission and protect it from being modified by anything else.
Edit it with the nano editor:
$ sudo nano /etc/resolv.conf
Add the local IP "127.0.0.1" as the nameserver. Now use the "chattr" command to make the file read-only (immutable):
$ sudo chattr +i /etc/resolv.conf
Note:
If you want to edit the file again, use "chattr -i /etc/resolv.conf" to make it writable.
Now you need to restart DNSCrypt, Unbound and the network:
$ sudo systemctl restart dnscrypt-proxy unbound netctl
If you see an error, check the configuration files.
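Added example (not part of the original tutorial): a small script that checks the three files edited in steps five and seven against each other, so a mismatch between the DNSCrypt port, Unbound's "forward-addr" and resolv.conf is reported before the services are restarted. The function names and the sample files are constructed for illustration; pass your real paths to check_dns_chain.

```shell
#!/usr/bin/env bash
# Added example: consistency check for the files edited in this tutorial.
# Paths are arguments, so the check can also be run on copies.

# Print the value of KEY from a KEY=value file (key matched case-insensitively).
conf_value() {  # conf_value KEY FILE
    awk -F= -v k="$1" 'toupper($1) == toupper(k) { gsub(/[ "\r]/, "", $2); print $2; exit }' "$2"
}

# Print the first forward-addr of an unbound.conf, e.g. 127.0.0.1@40.
forward_addr() {  # forward_addr FILE
    awk 'tolower($1) == "forward-addr:" { print $2; exit }' "$1"
}

check_dns_chain() {  # check_dns_chain DNSCRYPT_CONF UNBOUND_CONF RESOLV_CONF
    local ip port fwd rc=0
    ip=$(conf_value DNSCRYPT_LOCALIP "$1")
    port=$(conf_value DNSCRYPT_LOCALPORT "$1")
    fwd=$(forward_addr "$2")
    if [ -z "$ip" ] || [ -z "$port" ]; then
        echo "FAIL: DNSCrypt listen address or port not found"; rc=1
    elif [ "$fwd" != "${ip}@${port}" ]; then
        echo "FAIL: unbound forwards to '$fwd', dnscrypt-proxy listens on '${ip}@${port}'"; rc=1
    fi
    # Unbound will not send queries to localhost unless this is set to "no".
    if ! grep -Eiq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$2"; then
        echo "FAIL: do-not-query-localhost is not set to no"; rc=1
    fi
    # The system resolver must point at Unbound on 127.0.0.1.
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1[[:space:]]*$' "$3"; then
        echo "FAIL: resolv.conf does not list nameserver 127.0.0.1"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: resolv.conf -> unbound -> dnscrypt-proxy (${ip}@${port})"
    return "$rc"
}

# Constructed sample files mirroring the settings shown in this tutorial.
make_samples() {  # make_samples DIR PORT_USED_IN_UNBOUND
    printf 'DNSCRYPT_LOCALIP=127.0.0.1\nDNSCRYPT_LOCALIP2=127.0.0.2\nDNSCRYPT_LOCALPORT=40\n' > "$1/dnscrypt-config"
    printf 'server:\n  do-not-query-localhost: no\nforward-zone:\n  name: "."\n  forward-addr: 127.0.0.1@%s\n' "$2" > "$1/unbound.conf"
    printf 'nameserver 127.0.0.1\n' > "$1/resolv.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir" 40
check_dns_chain "$demo_dir/dnscrypt-config" "$demo_dir/unbound.conf" "$demo_dir/resolv.conf"
```

On a real system, run it as: check_dns_chain /etc/conf.d/dnscrypt-config /etc/unbound/unbound.conf /etc/resolv.conf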
Test
1. Test DNSCrypt
You can confirm that DNSCrypt is in use with dnsleaktest: click "Standard Test" or "Extended Test" and wait for the test to finish.
Now you can see that dnscrypt.eu is working with DNSCrypt as the DNS provider.
Testing DNSCrypt
2. Test Unbound
Now you should make sure that Unbound works correctly, using the "dig" or "drill" command.
This is the result of the dig command:
$ dig linoxide.com
Looking at the result, "Query time" is "533 msec":
;; Query time: 533 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun 14:48:19 WIB 2015
;; MSG SIZE  rcvd: 188
Running the command again, we see that "Query time" is "0 msec":
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun 14:51:05 WIB 2015
;; MSG SIZE  rcvd: 188
Unbound Test
DNSCrypt does a good job of encrypting the communication between the DNS client and the resolver, and Unbound makes repeated requests faster by answering them from its cache.
How to install DNSCrypt and unbound in Arch Linux