drmike
100% Tier-1 Gogent
Part of the ongoing "hardening" of my own environment involves cleaning up DNS. DNS is often leaky these days and many providers are intercepting DNS requests and doing all sorts of unwanted things with the data.
In an effort to starve them, provide a bit more security and generally have a more honest environment, I continue to move to specific DNS providers and did that tutorial recently on how to run encrypted DNS lookups (although currently only supported by OpenDNS): http://vpsboard.com/topic/1507-securing-dns-lookups-via-encrypted-dns-dnscrypt/
I am stuck with my latest proof of concept that builds upon the above.
Since Debian, and likely all other Linux OSes, do not support ports in /etc/resolv.conf (that is, setting config options for a DNS server running on a port other than the standard 53), you are stuck with basically one DNS resolver/daemon per server/IP.
Why do I need more than one daemon to process DNS? Simple: DNSCrypt does the encrypted DNS lookup against the remote DNS server. It doesn't do caching.
Caching and a central control piece are important, à la DNSMasq. Most of you are familiar with DNSMasq and its multitude of features. It's used in all sorts of solutions, including the ever popular dd-wrt. It's lightweight and very powerful.
DNSMasq doesn't appear to support DNS lookups on non-standard ports either, anywhere in its config. Yes, you can run DNSMasq on any port, but I'm unsure how that truly helps in any way.
Basically, trying to achieve this:
Computer ----> DNSMasq ---> DNSCrypt
127.0.0.1 ---> 127.0.0.1:53 (DNSMasq) ---> 127.0.0.1:530 (DNSCrypt)
Is anyone doing something like this / have recommendation on how to get these working seamlessly?
Yes, possible I am overlooking something obvious. Feel free to make me go Doh!
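One way to build the chain the post describes (loopback client, dnsmasq as cache on 127.0.0.1:53, dnscrypt-proxy on 127.0.0.1:530), as an added example that is not part of the original post: dnsmasq's own `server=` directive takes an upstream port after a `#`, so the non-standard port never has to appear in /etc/resolv.conf. The listen address, port 530 and cache size are assumptions matching the diagram above, not values from the post.

```conf
# /etc/dnsmasq.conf (added example, not from the original post)
# Cache locally and forward everything to a dnscrypt-proxy on 127.0.0.1:530.

# Only answer on loopback, and bind to that address explicitly, so the
# cache can never be reached from outside as an open resolver.
listen-address=127.0.0.1
bind-interfaces

# Do not read upstreams from /etc/resolv.conf (which will point at
# dnsmasq itself) and do not watch it for changes; use only the
# server= lines in this file.
no-resolv
no-poll

# Upstream on a non-standard port: dnsmasq writes it as address#port.
# This is the assumed dnscrypt-proxy listener from the diagram.
server=127.0.0.1#530

# Keep a real cache (default is 150 entries) and keep junk off the
# encrypted link: no upstream queries for unqualified names or for
# reverse lookups of private address space.
cache-size=1000
domain-needed
bogus-priv
```

With this in place, dnscrypt-proxy is started listening on 127.0.0.1:530 (in the 1.x series this is its `--local-address` option; treat the exact flag spelling for your version as something to confirm in its man page), /etc/resolv.conf contains only `nameserver 127.0.0.1`, and the chain is checked hop by hop: `dig @127.0.0.1 -p 530 example.com` should answer directly from dnscrypt-proxy, and `dig @127.0.0.1 example.com` run twice should show the second answer coming from dnsmasq's cache with a query time of about 0 ms. Because `no-resolv` removes every fallback upstream, a crashed dnscrypt-proxy makes resolution fail closed rather than silently leaking plaintext queries to the provider's resolver, which is the failure mode you want given the goal stated in the post.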