DNS Privacy Project

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Version 1.0 of getdns offers a daemon mode which can be used to run getdns locally as a DNS-over-TLS stub resolver. The daemon can listen on the loopback address send all outgoing DNS queries over TLS to a DNS Privacy server. Version 1.1 of getdns includes some performance improvements to make this mode more robust, so it is currently recommended to use that code, rather than the 1.0 release. If you want to set this up on your laptop/desktop follow the step-by-step instructions below!

 

1.1. Dependancies

In this mode, the only dependancy is OpenSSL (version 1.0.2 or later is required for hostname authentication to be supported). If this is installed in a non-standard location on your system use the --with-ssl option to configure below to specify where it is. 

1.1.1. Linux

It may be necessary to install 1.02 from source for most Linux distros.

1.1.2. OS X

It is recommended to install OpenSSL using homebrew, in which case use the following in the configure line in 1.3 below:

--with-ssl=/usr/local/opt/openssl/

 

1.2. Download the getdns source

The 1.1 branch will be available any day now. Until then please pick the code up directly from a branch in Sara Dickinson's fork of getdns as shown below!

> git clone https://github.com/saradickinson/getdns.git
> cd getdns
> git checkout feature/upstream_handling

1.3. Build the code

> git submodule update --init
> libtoolize -ci
> autoreconf -fi
> mkdir build
> cd build
> ../configure --prefix=<install_location> --without-libidn --with-getdns_query --enable-stub-only
> make

If you want to see detailed debug information as messages are processed then add the --enable-debug-stub option to the configure line above

1.4. Run the daemon

The command below will run the daemon listening on port 53 of the loopback address and sending queries to the NLnet Labs test DNS Privacy server (at 185.49.141.38 and 2a04:b900:0:100::38) over TLS.

It also specifies an example idle timeout on the TLS connection of 10s with the '-e 10000' option. (Note: the NLnet Labs test server does not support EDNS0 TCP Keepalive yet, so in that case this timeout will always be used.)

IPv4 only

> sudo src/test/getdns_query -s @185.49.141.38 -l L -z 127.0.0.1@53 -e 10000

IPv4 and IPv6

> sudo src/test/getdns_query -s @185.49.141.38 @2a04:b900:0:100::38 -l L -z 127.0.0.1@53 -z ::1@53 -e 10000

Exit the daemon at any time by hitting CTRL-C.

Strict vs Opportunistic

The above command will run the daemon without trying to authenticate the TLS connection (a form of Opportunistic Privacy).

If you have authentication information for the DNS Privacy server and you want to use Strict Privacy then you can specify this when starting the daemon in the following ways:

  • Domain name: append the domain name to the IP address with a tilde '~' e.g. @185.49.141.38~getdnsapi.net and add the '-m' flag
  • SPKI pinset: specify the pinset using the '-K' flag e.g. -K 'pin-sha256="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="' and add the '-m' flag

1.5. Test the daemon

A quick test can be done by using dig on the loopback address

> dig @127.0.0.1 www.example.com

1.6. Modify your upstream resolvers

For getdns to re-send outgoing DNS queries over TLS the recursive resolvers configured on your machine must be changed to send all the local queries over the loopback interface on which getdns is listening. This depends on the operating system being run

Linux/Unix systems

  • Edit the /etc/resolv.conf file
  • Comment out the existing nameserver entries
  • Add the following (only add the IPv4 address if you don't have IPv6)

    nameserver 127.0.0.1
    nameserver ::1

OS X

From the command line you can do the following to set the local DNS servers on your Wi-Fi interface, for example (first line clears all servers, second line adds localhost):

 

sudo networksetup -setdnsservers Wi-Fi Empty
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1 ::1

If you want to reset to e.g. the DHCP provided servers then just use the first line above to clear all specified the servers, which will cause the system to use the default DHCP servers. Or use the similar to the above to specify a different server.

 

Or via the GUI:

  • Open System Preferences->Network->Advanced->DNS
  • Use the '-' button to remove the existing nameservers
  • Use the + button to add '127.0.0.1' and '::1' (only add the IPv4 address if you don't have IPv6)
  • Hit 'OK' in the DNS pane and then 'Apply' on the Network pane

Once the change in step 1.6 is made your queries will be re-directed to the getdns daemon and sent over TLS! You can monitor the traffic using Wireshark watching on port 853.

Notes:

  • You may need to restart some applications to have them pick up the network settings
  • If you are using a DNS Privacy server that does not support concurrent processing of TLS queries, you may experience some issues due to timeouts causing subsequent queries on the same connection to fail.

 

 

 


  • No labels