# How to safely use DNScrypt?

## cliffdover88

Hello all,

I want to use DNScrypt to improve my Gentoo security and I want to know the safest way to use it:

I have added the gentoo-zh overlay and emerged the dnscrypt pkg, but I'm not sure whether to start it using root privileges (as almost every guide does) or to create a new user with no privileges and no groups as recommended here:

https://github.com/opendns/dnscrypt-proxy

Do you use dnscrypt? How?

Thanks in advance

----------

## gerdesj

If the OpenDNS method works then by default that will almost certainly be more secure.

Cheers

Jon

*cliffdover88 wrote:*

> Hello all,
> 
> I want to use DNScrypt to improve my Gentoo security and I want to know the safest way to use it:
> 
> I have added the gentoo-zh overlay and emerged the dnscrypt pkg, but I'm not sure whether to start it using root privileges (as almost every guide does) or to create a new user with no privileges and no groups as recommended here:
> ...


----------

## khayyam

cliffdover88 ...

dnscrypt-proxy is a proxy between a client and a dnscrypt-enabled DNS server (by default OpenDNS), so all it does is sit on 127.0.0.x and proxy requests. You could chroot it, but as it's only responding to requests on the loopback there is little need to.

I'm currently running 1.3.0 (built with libsodium) and using net-dns/unbound as a cache. Unbound receives the DNS request, forwards it to dnscrypt, and returns the result to the client. My setup looks like the following:

/etc/conf.d/dnscrypt

```
DNSCRYPT_LOCALIP=127.0.0.2:53
```

... and the section for forwarding in unbound.conf

```
do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.2@53
```

/etc/conf.d/net

```
dns_servers_wlan0="127.0.0.1"
dns_options_wlan0='edns0'
```

Unbound is running on 127.0.0.1:53 and dnscrypt-proxy is running on 127.0.0.2:53. Note that because dnscrypt-proxy doesn't cache, you will need some caching DNS server; otherwise each request will be forwarded, and this will be slower:

```
# dig gentoo.org |grep "time"
;; Query time: 47 msec

# dig gentoo.org |grep "time"
;; Query time: 0 msec
```

... the second lookup is instantaneous as it's cached.

I haven't had much time to tweak either dnscrypt-proxy or unbound, but even with forwarding there is no noticeable delay ... in fact it seems to have improved from pdnsd, which I was using previously.

Also, like pdnsd, you can use unbound to change A records, and so block ad servers via this method ... if you so wish.

best ... khay

----------

## kernelOfTruth

just needed it & am running it with pdnsd instead of unbound,

thanks khay !

more information on the possible DNS caching options and configuration:

https://wiki.archlinux.org/index.php/DNSCrypt

obligatory security check via dig:

```
dig txt debug.opendns.com
```

*Quote:*

> ;; ANSWER SECTION:
> 
> debug.opendns.com.	900	IN	TXT	"actype 0"
> 
> ...
> ...


or, if you filter with wireshark for dns:

http://askubuntu.com/questions/105366/how-to-check-if-dns-is-encrypted

for me it wound up empty

----------
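A small check script for the chain khayyam describes (unbound on 127.0.0.1:53 forwarding to dnscrypt-proxy on 127.0.0.2:53) and the dig-based verification kernelOfTruth mentions, added here as an example and not code from any of the posters. It assumes those two loopback addresses, that `dig` and `ps` are installed, and that the `debug.opendns.com` TXT answer contains the phrase "dnscrypt enabled" when queries really go through dnscrypt-proxy; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: unbound answers on 127.0.0.1:53,
# dnscrypt-proxy listens on 127.0.0.2:53, and the OpenDNS debug TXT record carries
# "dnscrypt enabled" when the proxy is actually in the path.

# Pull the ";; Query time: N msec" value out of dig output read on stdin.
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# A warm cache answers faster (or in 0 msec) than the first, forwarded lookup.
# Returns 0 when the second timing is consistent with a cache hit.
cache_hit() {
    first=$1; second=$2
    [ -n "$first" ] && [ -n "$second" ] || return 1
    [ "$second" -eq 0 ] || [ "$second" -lt "$first" ]
}

# Look for the dnscrypt marker in the TXT records of debug.opendns.com (stdin).
dnscrypt_enabled() {
    grep -q 'dnscrypt enabled'
}

# The thread's actual question: the proxy should run as an unprivileged user.
# $1 is the user owning the dnscrypt-proxy process.
proxy_user_ok() {
    [ -n "$1" ] && [ "$1" != root ]
}

# Live run against the local setup; skips quietly when dig is not installed.
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found, skipping live check"; return 0; }
    t1=$(dig @127.0.0.1 gentoo.org | query_time_ms)
    t2=$(dig @127.0.0.1 gentoo.org | query_time_ms)
    if cache_hit "$t1" "$t2"; then echo "cache: ok ($t1 ms -> $t2 ms)"
    else echo "cache: no hit ($t1 ms -> $t2 ms), is a caching resolver in front?"; fi
    if dig @127.0.0.1 txt debug.opendns.com | dnscrypt_enabled; then echo "dnscrypt: enabled"
    else echo "dnscrypt: NOT detected, queries may be going out in the clear"; fi
    owner=$(ps -o user= -C dnscrypt-proxy 2>/dev/null | head -n 1)
    if proxy_user_ok "$owner"; then echo "proxy user: $owner (ok)"
    else echo "proxy user: '${owner:-not running}' (should be an unprivileged user)"; fi
}

# Run the live checks only when explicitly requested: DNSCHECK_LIVE=1 sh check.sh
if [ "${DNSCHECK_LIVE:-0}" = 1 ]; then live_check; fi
```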

