Differences

This shows you the differences between two versions of the page.

userdoc:tt_dnscrypt_proxy [2018/04/07 16:02]
abelbeck [DNSCrypt Proxy server list]
userdoc:tt_dnscrypt_proxy [2018/05/26 07:48] (current)
droemel
Line 1: Line 1:
 ====== DNSCrypt Proxy Server ====== ====== DNSCrypt Proxy Server ======
 +
 +!!DNSCrypt is deprecated in favor of DNS-TLS!!\\
 +Go to: **[[userdoc:​tt_dns_tls_proxy|DNS-TLS Proxy Server]]**
  
 AstLinux now supports the [[https://​github.com/​dyne/​dnscrypt-proxy/​blob/​master/​README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver. AstLinux now supports the [[https://​github.com/​dyne/​dnscrypt-proxy/​blob/​master/​README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver.
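Review bot: the deprecation banner added at the top gives no reason for the move to DNS-TLS and no AstLinux version from which DNS-TLS should be used, while the unchanged intro line directly below still reads "AstLinux now supports the DNSCrypt (dnscrypt-proxy) package". The page therefore opens with two conflicting signals. Suggest adding one sentence to the banner saying why and since which release DNS-TLS is preferred, and rewording the intro so it no longer presents DNSCrypt as the current option.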
Line 11: Line 14:
 !!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!! !!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!!
  
-==== DNSCrypt Proxy Configuration ====+===== DNSCrypt Proxy Configuration ​=====
  
 Configuring DNSCrypt is as simple as it gets. Configuring DNSCrypt is as simple as it gets.
Line 39: Line 42:
 using the OpenDNS defaults for the remaining fields. using the OpenDNS defaults for the remaining fields.
  
-==== DNSCrypt Proxy server list ====+===== DNSCrypt Proxy server list =====
  
 Alternatively,​ there is a growing number of DNSCrypt providers around the world, some of which may be closer to you. Alternatively,​ there is a growing number of DNSCrypt providers around the world, some of which may be closer to you.
  
-Old, legacy List\\+New, current list, using ''​sdns:''​ stamps\\ 
 +[[https://​download.dnscrypt.info/​dnscrypt-resolvers/​v2/​public-resolvers.md|Public DNS resolvers supporting DNSCrypt]] 
 + 
 +Using !!AstLinux 1.3.3 or later!! your can directly import an ''​sdns:''​ stamp to automatically fill in the three fields. 
 + 
 +Old, legacy List //(possibly out of date)//\\
 [[https://​github.com/​dyne/​dnscrypt-proxy/​blob/​master/​dnscrypt-resolvers.csv|Public DNS resolvers supporting DNSCrypt]] [[https://​github.com/​dyne/​dnscrypt-proxy/​blob/​master/​dnscrypt-resolvers.csv|Public DNS resolvers supporting DNSCrypt]]
  
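Review bot: typo in the added sentence "your can directly import an sdns: stamp"; it should read "you can". The same sentence refers to "the three fields" without naming them, and the fields are only introduced in the configuration section above, so name them here or link back to that section. Moving the stamp list ahead of the legacy CSV and marking the latter "(possibly out of date)" reads well.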
Line 56: Line 64:
 Reminder, no need to enter the above values, since that is the default used automatically. Reminder, no need to enter the above values, since that is the default used automatically.
  
-New, current list, using ''​sdns:''​ stamps\\ +!!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider.  ​[[https://github.com/Cofyc/dnscrypt-wrapper/|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver.
-[[https://download.dnscrypt.info/dnscrypt-resolvers/v2/​public-resolvers.md|Public DNS resolvers supporting ​DNSCrypt]]+
  
-!!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider. ​ [[https://​github.com/​Cofyc/​dnscrypt-wrapper/​|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver. +===== Display DNSCrypt Status ​=====
-==== Display DNSCrypt Status ====+
  
 A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled. A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled.
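Review bot: the relocated Tip still points readers to DNSCrypt-Wrapper for running their own DNSCrypt provider, which sits oddly with the "DNSCrypt is deprecated in favor of DNS-TLS" banner this revision adds at the top of the page. Either mark the tip as legacy as well or add a pointer to the DNS-TLS page for readers who want to self-host. The blank line now separating the Tip from the "Display DNSCrypt Status" heading is an improvement over the previous revision, where the heading followed the Tip directly.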
Line 76: Line 82:
 or or
   dig debug.opendns.com txt +short   dig debug.opendns.com txt +short
-==== Restricting DNS ====+   
 +===== Restricting DNS =====
  
 By default, no changes to the Firewall settings are necessary for DNSCrypt to function. ​ By default, no changes to the Firewall settings are necessary for DNSCrypt to function. ​
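Review bot: the line added between the dig command and the "Restricting DNS" heading contains only spaces rather than being empty. DokuWiki treats a line indented by two or more spaces as preformatted text, so this extends the code block under "or" by an empty row instead of closing it. Replace it with a truly empty line.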
Line 102: Line 109:
 The ''​SRC=''​ entry will identify which LAN device is misconfigured. The ''​SRC=''​ entry will identify which LAN device is misconfigured.
  
-==== Possible Startup Issues ====+===== Possible Startup Issues ​=====
  
 In order to validate the DNSCrypt provider'​s certificate,​ the DNSCrypt client'​s system must have it's clock set to a reasonable time.  Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board'​s CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. ​ Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. ​ If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/​etc/​hosts''​),​ no problem. ​ But, if the specified NTP server was, say "​us.pool.ntp.org",​ we have the classic chicken-egg problem. In order to validate the DNSCrypt provider'​s certificate,​ the DNSCrypt client'​s system must have it's clock set to a reasonable time.  Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board'​s CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. ​ Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. ​ If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/​etc/​hosts''​),​ no problem. ​ But, if the specified NTP server was, say "​us.pool.ntp.org",​ we have the classic chicken-egg problem.
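Review bot: since this section is being touched, fix the unchanged paragraph under the heading, which has "must have it's clock set" and "it's" should be "its". The heading promotion itself is consistent with the other sections changed in this revision.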