Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.
C Makefile Shell

Merge pull request #34 from jedisct1/master

No need to log when recvfrom() returns EAGAIN or EINTR.
latest commit 9e6695abcf
Yecheng Fu authored
Failed to load latest commit information.
argparse @ 2f310ed use argparse as submodule
example example
.gitignore add configure.ac
.gitmodules use external libevent library.
.travis.yml workaround clang not system wide, fail on sudo make install
COPYING dnsmasq and argparse are covered by this terrible viral license calle…
Makefile fix `make install`
README.md Update README.md
TODO support tcp protocol
cert.c Work around what gcc considers an undefined behavior
cert.h Add option to specify certificate expiration (in days)
compat.h fix compatibility on freebsd
config.mak.in add configure.ac
configure.ac add configure.ac
dns-protocol.h check txt query for provider name
dnscrypt.c format code
dnscrypt.h Do not forward unauthenticated queries unless the -u switch is given.
edns.c format code
edns.h format code
gen-version.sh fix crash bug in 1ed67b8
logger.c directly use dnscrypt-proxy source to build libevent/libnacl
logger.h format code
main.c Document -U
pidfile.c format code
pidfile.h format code
rfc1035.c Don't return a valid hash in questions_hash() to signify an error
rfc1035.h Don't return a valid hash in questions_hash() to signify an error
safe_rw.c format code
safe_rw.h format code
tcp_request.c Do not forward unauthenticated queries unless the -u switch is given.
tcp_request.h Reorder TCPRequest and UDPRequest fields to save space due to alignment
test.sh example
tree.h Replace the UDP request queue with a red-black tree
udp_request.c No need to log when recvfrom() returns EAGAIN or EINTR.
udp_request.h Respond to multiple identical queries
version.h bump version to 0.1.15

README.md

Name

dnscrypt-wrapper - A server-side dnscrypt proxy.

(c) 2012-2015 Yecheng Fu

Build Status

Description

This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.

This software is modified from dnscrypt-proxy.

Installation

Install libsodium and libevent2 first.

On Linux:

$ ldconfig # if you install libsodium from source
$ git clone --recursive git://github.com/Cofyc/dnscrypt-wrapper.git
$ make configure
$ ./configure
$ make install

On FreeBSD:

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent2
$ gmake LDFLAGS='-L/usr/local/lib/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include

On OpenBSD:

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/

On MacOS:

$ brew install dnscrypt-wrapper # best recommended

Usage

First, generate provider keypair:

# stored in public.key/secret.key in current directory
$ ./dnscrypt-wrapper --gen-provider-keypair

Second, generate crypt keypair:

# stored in crypt_public.key/crypt_secret.key in current directory
$ ./dnscrypt-wrapper --gen-crypt-keypair

Third, generate pre-signed certificate (use pre-generated key pairs):

# stored in dnscrypt.cert in current directory
$ ./dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file

Run the program with pre-signed certificate:

$ ./dnscrypt-wrapper  -r 8.8.8.8:53 -a 0.0.0.0:443  --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.yechengfu.com

If you can store generated pre-signed certificate (binary string) in TXT record for your provider name, for example: 2.dnscrypt-cert.yourdomain.com. Then you can omit --provider-cert-file option. Name server will serve this binary certificate data for you.

P.S. We still provide --provider-cert-file option, because it's not convenient to store such long binary data in dns TXT record sometimes. But it's easy to configure it in your own dns servers (such as tinydns, etc). --gen-cert-file will generate example record in stdout.

Run dnscrypt-proxy to test against it:

# --provider-key is public key fingerprint in first step.
$ ./dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.yechengfu.com -r 127.0.0.1:443 --provider-key=<provider_public_key_fingerprint>
$ dig -p 55 google.com @127.0.0.1

<provider_public_key_fingerprint> is public key fingerprint generated by ./dnscrypt-wrapper --gen-provider-keypair, e.g. 4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952.

Optional, add -d/--daemonize flag to run as daemon.

Run ./dnscrypt-wrapper -h to view command line options.

Running unauthenticated DNS and the dnscrypt service on the same port

By default, and with the exception of records used for the certificates, only queries using the DNSCrypt protocol will be accepted.

If you want to run a service only accessible using DNSCrypt, this is what you want.

If you want to run a service accessible both with and without DNSCrypt, what you usually want is to keep the standard DNS port for the unauthenticated DNS service (53), and use a different port for DNSCrypt. You don't have to change anything for this either.

However, if you want to run both on the same port, maybe because only port 53 is reachable on your server, you can add the -U (--unauthenticated) switch to the command-line. This is not recommended.

See also

Something went wrong with that request. Please try again.