Setting up Personal Resolving DNS with Unbound and DNSCrypt-proxy
Note: If you find serious flaws in this configuration, please write an issue so I can research/fix it. I am still a noob when it comes to network configuration and I take security and privacy seriously, I would like to know if my configuration is flawed.
On my quest for knowledge of Network Administration and Security I thought it would be fun to setup a local DNS Server to better control how I connect to the internet.
Included is my local network setup. I want to point out a few important issues to ensure privacy and security are upheld.
First /etc/resolv.conf is super important. Anything in this file can and will give you away and will be used for your nameserver connection. It is important to ensure this file does not get randomly changed, which any dhscp server will do, including using openresolv. TO ensure this file is never changed, I user the command:
chattr +i /etc/resolv.conf
/etc/resolv.conf the only nameserver that should be in it is your localhost when using Unbound.
# /etc/resolve.conf nameserver 127.0.0.1
Secondly, it is very important to setup dnscrypt-proxy correctly and unbound correctly to ensure you are getting the highest security without leaks.
Arch Linux Wiki is the best wiki out there to reference for setting up just about any type of Linux Software and I use the expertise of the Arch Linux Community to ensure I understand how things work. Arch Linux Unbound Wiki
Please reference my unbound and dnscrypt conf files for an example of how to set these up.
Important things to note.
unbound.conf any ip under
forward-zone is used to resolv your DNS queries
Please ensure only your dnscrypt-proxy ip and port you have setup are listed under the forward-zone in unbound:
#/etc/unbound/unbound.conf forward-zone: name: "." forward-addr: 127.0.0.1@5353 # dnscrypt-proxy dnscrypt.eu-dk forward-addr: 127.0.0.1#5354 # dnscrypt-proxy dnscrypt.eu-nl
This is also very important, if you use anything else in forward-zone, it can bypass your dnscrypt setup and that is not good.
DNSCrypt-proxy is where I had the most trouble setting up.
Follow the Arch Linux DNSCrypt-proxy wiki
Make the systemd files as required, using
/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv as reference.
I have the files created in
etc/systemd/system/ for your reference.
systemctl enable email@example.com systemctl enable firstname.lastname@example.org systemctl enable unbound systemctl start email@example.com systemctl start firstname.lastname@example.org systemctl start unbound
Finally, to ensure NetworkManager does not try to change your
resolv.conf file, change the line
dns=none. Even though we use chattr +i to ensure no other program can change the resolv.conf file, it is good to change the conf files in the other programs to ensure they don’t even try to.
/etc/dhcpcd.conf ensure you also add:
Lastly, I use Private Internet Access VPN to connect as well, so I have a bit more configuration, but ultimately this will ensure dnscrypt-proxy is always used with your local dns server.
Finally ensure you configure your iptables correctly to only allow certain connections.
My iptables rules are included as well.