Raspberry Pi

Configuration

Networking

  • Disable IPv6 (this stops the ipv6 kernel module from loading at the next boot):
echo "install ipv6 /bin/true" >> /etc/modprobe.d/blacklist.conf
  • Enable IPv4 and set a static IP

Edit /etc/network/interfaces, commenting out the DHCP line and adding the static settings (replace the x.x placeholders with your own addresses):

# iface eth0 inet dhcp
iface eth0 inet static
address 192.168.x.x
netmask 255.255.x.x
gateway 192.168.x.x
  • Restart the networking service:
# service networking restart

DNS Crypt Proxy

Prerequisites

  • Install needed packages:
# apt-get install bind9 dnsutils tcpdump

Install DNS Crypt Proxy

wget https://raw.githubusercontent.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall.sh
chmod +x dnscrypt-autoinstall.sh
./dnscrypt-autoinstall.sh

This will take some time on a Raspberry Pi, so go grab a cuppa.

wget https://raw.githubusercontent.com/mapkyca/dnscrypt-proxy/master/packages/debian/dnscrypt-proxy
sudo cp dnscrypt-proxy /etc/init.d/
sudo chmod +x /etc/init.d/dnscrypt-proxy
  • This is my dnscrypt-proxy init script:
dnscrypt-proxy
#! /bin/sh
### BEGIN INIT INFO
# Provides:          dnscrypt-proxy
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: dnscrypt-proxy
# Description:       dnscrypt-proxy secure DNS client
### END INIT INFO
 
# Authors: https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors
# Project site: https://github.com/simonclausen/dnscrypt-autoinstall
 
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DAEMON=/usr/local/sbin/dnscrypt-proxy
NAME=dnscrypt-proxy
ADDRESS1=113.20.6.2
ADDRESS2=113.20.8.17
PNAME1=2.dnscrypt-cert.cloudns.com.au
PNAME2=2.dnscrypt-cert-2.cloudns.com.au
PKEY1=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4
PKEY2=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330
 
case "$1" in
  start)
    echo "Starting $NAME"
    $DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.1:5553 --resolver-address=$ADDRESS1 --provider-name=$PNAME1 --provider-key=$PKEY1
    $DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.2:5553 --resolver-address=$ADDRESS2 --provider-name=$PNAME2 --provider-key=$PKEY2
    ;;
  stop)
    echo "Stopping $NAME"
    pkill -f $DAEMON
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/dnscrypt-proxy {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Configure Bind9

  • Create (or overwrite) /etc/bind/named.conf.options:
named.conf.options
options {
  directory "/var/cache/bind";
 
  forwarders {
    127.0.0.1 port 5553;
    127.0.0.2 port 5553;
  };
 
  dnssec-validation yes;
 
  auth-nxdomain no;
  listen-on-v6 { any; };
};
  • Restart Bind:
# /etc/init.d/bind9 restart
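The two files above have to agree with each other: every forwarder in named.conf.options needs a dnscrypt-proxy instance listening on exactly that address and port. Note also that the options file has no forward directive, so Bind uses its default of forward first and quietly falls back to its own plaintext recursion whenever the forwarders stop answering; forward only; turns that into a visible SERVFAIL instead. The check below is an added example, not part of the wiki page or of the dnscrypt-autoinstall project: it extracts the forwarders and the --local-address values, prints any forwarder with no listener, and reports the forward mode. Both inputs are constructed copies of the page's files, with a third forwarder 127.0.0.3 added on purpose so that the mismatch shows up.

```shell
#!/bin/sh
# Added example (not part of the wiki page): sanity-check the Bind forwarder
# configuration against the dnscrypt-proxy init script.
#  - every "forwarders" entry must have a dnscrypt-proxy --local-address
#    listening on the same host:port
#  - the "forward" directive should be "only"; Bind's default ("first")
#    silently falls back to plaintext recursion when the forwarders fail.
# Both inputs below are constructed copies of the page's files; the third
# forwarder 127.0.0.3 is deliberately unmatched so the report shows something.

NAMED_OPTIONS='options {
  directory "/var/cache/bind";

  forwarders {
    127.0.0.1 port 5553;
    127.0.0.2 port 5553;
    127.0.0.3 port 5553;
  };

  dnssec-validation yes;
  auth-nxdomain no;
};'

INIT_SCRIPT='$DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.1:5553 --resolver-address=$ADDRESS1
$DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.2:5553 --resolver-address=$ADDRESS2'

# forwarders CONFIG: print each forwarder as host:port (port defaults to 53).
forwarders() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*forwarders/ { inblk = 1; next }
        inblk && /}/              { inblk = 0 }
        inblk && $1 ~ /^[0-9.]+;?$/ {
            addr = $1; sub(/;$/, "", addr)
            port = ($2 == "port") ? $3 : "53"; sub(/;$/, "", port)
            print addr ":" port
        }'
}

# listeners SCRIPT: print every --local-address=host:port value.
listeners() {
    printf '%s\n' "$1" | sed -n 's/.*--local-address=\([^ ]*\).*/\1/p'
}

# forward_mode CONFIG: "only" if "forward only;" is set, else Bind's default "first".
forward_mode() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*forward[[:space:]]*only[[:space:]]*;'; then
        echo only
    else
        echo first
    fi
}

# unmatched_forwarders CONFIG SCRIPT: print forwarders with no matching listener.
unmatched_forwarders() {
    lst=$(listeners "$2")
    for f in $(forwarders "$1"); do
        printf '%s\n' "$lst" | grep -qFx "$f" || echo "$f"
    done
}

# Report on the constructed inputs.
for f in $(unmatched_forwarders "$NAMED_OPTIONS" "$INIT_SCRIPT"); do
    echo "forwarder $f has no dnscrypt-proxy listener" >&2
done
[ "$(forward_mode "$NAMED_OPTIONS")" = only ] ||
    echo "warning: no 'forward only;' set, Bind will fall back to plaintext recursion" >&2
```

To run it against the real files, set NAMED_OPTIONS=$(cat /etc/bind/named.conf.options) and INIT_SCRIPT=$(cat /etc/init.d/dnscrypt-proxy) before the report. named-checkconf catches syntax errors in the options file but not a forwarder with nothing listening behind it, which is what this check is for.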

Test your DNS Crypt Proxy

  • On the Raspberry Pi running DNS Crypt Proxy, watch the DNS traffic:
tcpdump -i eth0 -vvv 'port 53'
  • Point your client's DNS server setting at the Raspberry Pi
  • Try to resolve something from the client:
dig www.amazon.co.jp
  • You should see output similar to this on the Raspberry Pi's console:
18:04:37.742215 IP (tos 0x0, ttl 64, id 61587, offset 0, flags [none], proto UDP (17), length 73)
    192.168.1.xxx.53628 > 192.168.1.xxx.domain: [udp sum ok] 65104+% [1au] A? www.amazon.co.jp. ar: . OPT UDPsize=4096 OK (45)
18:04:37.812989 IP (tos 0x0, ttl 64, id 37599, offset 0, flags [none], proto UDP (17), length 974)
    192.168.1.xxx.domain > 192.168.1.xxx.53628: [bad udp cksum 0x8913 -> 0x6b47!] 65104 
    q: A? www.amazon.co.jp. 1/14/25 www.amazon.co.jp. [6s] A 54.240.250.0 
    ns: . [5d21h7m27s] NS l.root-servers.net., . [5d21h7m27s] 
    NS a.root-servers.net., . [5d21h7m27s] 
    NS f.root-servers.net., . [5d21h7m27s] 
    NS d.root-servers.net., . [5d21h7m27s] 
    NS b.root-servers.net., . [5d21h7m27s] 
    NS c.root-servers.net., . [5d21h7m27s] 
    NS h.root-servers.net., . [5d21h7m27s] 
    NS e.root-servers.net., . [5d21h7m27s] 
    NS i.root-servers.net., . [5d21h7m27s] 
    NS g.root-servers.net., . [5d21h7m27s] 
    NS j.root-servers.net., . [5d21h7m27s]
    NS k.root-servers.net., . [5d21h7m27s] 
    NS m.root-servers.net., . [5d21h23m29s] 
    RRSIG ar: a.root-servers.net. [5d21h21m51s] A 198.41.0.4, 
    a.root-servers.net. [5d21h21m51s] AAAA 2001:503:ba3e::2:30, 
    b.root-servers.net. [5d21h21m51s] A 192.228.79.201, 
    b.root-servers.net. [5d21h21m51s] AAAA 2001:500:84::b, 
    c.root-servers.net. [5d21h21m51s] A 192.33.4.12, 
    c.root-servers.net. [5d21h21m51s] AAAA 2001:500:2::c, 
    [...]
    m.root-servers.net. [5d21h21m51s] AAAA 2001:dc3::35, . 
    OPT UDPsize=4096 OK (946)
  • Similarly, check the connection to the upstream resolver on port 443:
tcpdump -i eth0 -vvv 'port 443'
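What to look for in that capture, as an added example that is not from the wiki page: with DNSCrypt in place, the only port-53 traffic on eth0 should be between LAN clients and the Pi, because the upstream resolver is reached through dnscrypt-proxy's encrypted channel instead. The script below reads single-line tcpdump records (the format produced by tcpdump -i eth0 -nn 'port 53', without -vvv, which is an assumption of the example) and flags any port-53 packet with an endpoint outside the LAN. The LAN prefix 192.168.1. and the three capture lines are constructed for the example; the third line is a deliberate plaintext leak from the Pi to an external resolver, which is exactly what you would see if queries were bypassing dnscrypt-proxy.

```shell
#!/bin/sh
# Added example (not from the original wiki page): scan tcpdump-style lines
# captured with `tcpdump -i eth0 -nn 'port 53'` on the Pi and flag any
# plaintext DNS packet that leaves the LAN. With DNSCrypt working, port 53
# traffic on eth0 should only flow between LAN clients and the Pi; the
# upstream resolver is reached over the encrypted DNSCrypt channel instead.
# Assumption (constructed for this example): the LAN is 192.168.1.0/24.
# IPv6 endpoints are not parsed, matching the page's setup where IPv6 is off.

LAN_PREFIX="192.168.1."

# Constructed sample capture: one legitimate client<->Pi exchange and one
# packet from the Pi straight to an external resolver on port 53 (a leak).
SAMPLE_CAPTURE='18:04:37.742215 IP 192.168.1.23.53628 > 192.168.1.10.53: 65104+ A? www.amazon.co.jp. (45)
18:04:37.812989 IP 192.168.1.10.53 > 192.168.1.23.53628: 65104 1/14/25 A 54.240.250.0 (946)
18:04:38.001000 IP 192.168.1.10.41000 > 8.8.8.8.53: 12345+ A? example.invalid. (40)'

# dns_leaks: reads tcpdump -nn lines on stdin and prints "src > dst" for each
# port-53 packet with an endpoint outside the LAN prefix. Exit status is 1
# when at least one leak was printed, 0 otherwise.
dns_leaks() {
    awk -v lan="$LAN_PREFIX" '
        # tcpdump -nn prints "IP src.port > dst.port:"; strip the port and colon
        function host(a) { sub(/:$/, "", a); sub(/\.[0-9]+$/, "", a); return a }
        function port(a,   n, p) { sub(/:$/, "", a); n = split(a, p, "."); return p[n] }
        $2 == "IP" && $4 == ">" {
            if (port($3) != "53" && port($5) != "53") next
            src = host($3); dst = host($5)
            if (index(src, lan) != 1 || index(dst, lan) != 1) {
                print src " > " dst
                leaks++
            }
        }
        END { exit (leaks > 0) }
    '
}

# Run on the constructed sample. On the Pi itself use:
#   tcpdump -i eth0 -nn -l 'port 53' | dns_leaks
if printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks; then
    echo "no plaintext DNS left the LAN"
else
    echo "plaintext DNS leak(s) detected above" >&2
fi
```

A non-zero exit status means at least one leak was printed. Seeing the Pi's own address as the source of a port-53 packet to the internet, as in the sample's third line, means Bind answered by recursing directly rather than through the dnscrypt-proxy forwarders.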

Consider this

  • Anonymity

A DNS server may claim not to keep logs of DNS requests and queries, but you have to take that on trust. For greater assurance of anonymity, it may be possible to tunnel DNS requests over Tor or I2P using OnionCat. Some OpenNIC servers claim to support Tor/OnionCat.

linux/raspberry.txt · Last modified: 2016/05/07 05:41 by abadonna