Last active
October 9, 2015 10:23
-
-
Save mkrasowski/d03329b580db33694ce8 to your computer and use it in GitHub Desktop.
DNS Crypt setup with systemd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Install dnscrypt-proxy (https://dnscrypt.org) and Unbound (https://unbound.net) | |
2. Set up dnscrypt to listen on 127.0.0.1 port 40 | |
# VISUAL=vim systemctl edit dnscrypt-proxy.socket -> paste override.conf | |
3. "Enable" DNS Crypt socket for autostart and start it now | |
# systemctl enable dnscrypt-proxy.socket | |
# systemctl start dnscrypt-proxy.socket | |
4. Edit /etc/unbound/unbound.conf -> paste unbound.conf (adjust to your needs) | |
5. Download root.hints | |
# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints | |
6. "Enable" Unbound service for autostart and start it now | |
# systemctl enable unbound.service | |
# systemctl start unbound.service | |
7. Edit /etc/resolv.conf -> paste resolv.conf (optionally modify domain and search) | |
8. Prevent resolv.conf from being overwritten by any dhcp client | |
# chattr +i /etc/resolv.conf | |
9. Check your DNS IP | |
# ping whoami.akamai.net |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Socket] | |
ListenStream= | |
ListenDatagram= | |
ListenStream=127.0.0.1:40 | |
ListenDatagram=127.0.0.1:40 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
domain local | |
search local | |
nameserver 127.0.0.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server: | |
verbosity: 1 | |
interface: 127.0.0.1 | |
port: 53 | |
username: "unbound" | |
directory: "/etc/unbound" | |
use-syslog: yes | |
root-hints: "/etc/unbound/root.hints" | |
do-not-query-localhost: no | |
# dnscrypt proxy | |
forward-zone: | |
name: "." | |
forward-addr: 127.0.0.1@40 | |
# intranet | |
forward-zone: | |
name: "local.<company>.pl" | |
forward-addr: <internal DNS ip> | |
forward-zone: | |
name: "clients.<company>.pl" | |
forward-addr: <internal DNS ip> | |
forward-zone: | |
name: "<company>.local" | |
forward-addr: <internal DNS ip> | |
forward-zone: | |
name: "<company>.clients" | |
forward-addr: <internal DNS ip> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment