Name
dnscrypt-wrapper - A server-side dnscrypt proxy.
(c) 2012-2015 Yecheng Fu <cofyc.jackson at gmail dot com>
Description
This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.
This software is modified from dnscrypt-proxy.
Installation
Install libsodium and libevent2 first.
On Linux:
$ ldconfig # if you install libsodium from source
$ git clone --recursive git://github.com/Cofyc/dnscrypt-wrapper.git
$ make configure
$ ./configure
$ make install
On FreeBSD:
$ pkg_add -r gmake autoconf
$ pkg_add -r libevent2
$ gmake LDFLAGS='-L/usr/local/lib/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include
On OpenBSD:
$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/
On MacOS:
$ brew install dnscrypt-wrapper # best recommended
Usage
First, generate provider keypair:
# stored in public.key/secret.key in current directory
$ ./dnscrypt-wrapper --gen-provider-keypair
Second, generate crypt keypair:
# stored in crypt_public.key/crypt_secret.key in current directory
$ ./dnscrypt-wrapper --gen-crypt-keypair
Third, generate pre-signed certificate (use pre-generated key pairs):
# stored in dnscrypt.cert in current directory
$ ./dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file
Run the program with pre-signed certificate:
$ ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:443 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.yechengfu.com
If you can store generated pre-signed certificate (binary string) in TXT record for your provider name, for example: 2.dnscrypt-cert.yourdomain.com. Then you can omit --provider-cert-file option. Name server will serve this binary certificate data for you.
P.S. We still provide --provider-cert-file option, because it's not convenient to store such long binary data in dns TXT record sometimes. But it's easy to configure it in your own dns servers (such as tinydns, etc). --gen-cert-file will generate example record in stdout.
Run dnscrypt-proxy to test against it:
# --provider-key is public key fingerprint in first step.
$ ./dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.yechengfu.com -r 127.0.0.1:443 --provider-key=<provider_public_key_fingerprint>
$ dig -p 55 google.com @127.0.0.1
<provider_public_key_fingerprint> is public key fingerprint generated by ./dnscrypt-wrapper --gen-provider-keypair, e.g. 4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952.
Optional, add -d/--daemonize flag to run as daemon.
Run ./dnscrypt-wrapper -h to view command line options.
Running unauthenticated DNS and the dnscrypt service on the same port
By default, and with the exception of records used for the certificates, only queries using the DNSCrypt protocol will be accepted.
If you want to run a service only accessible using DNSCrypt, this is what you want.
If you want to run a service accessible both with and without DNSCrypt, what you usually want is to keep the standard DNS port for the unauthenticated DNS service (53), and use a different port for DNSCrypt. You don't have to change anything for this either.
However, if you want to run both on the same port, maybe because only
port 53 is reachable on your server, you can add the -U
(--unauthenticated) switch to the command-line. This is not
recommended.
中文文档
- CentOS 下编译 dnscrypt-wrapper: http://03k.org/centos-make-dnscrypt-wrapper.html
- dnscrypt-wrapper 使用方法: http://03k.org/dnscrypt-wrapper-usage.html