A while back I read Alec Muffett’s No Port 53, Who Dis? A Year of DNS over HTTPS over Tor and thought: I wonder if I can make this work with my unbound setup?

I use unbound as a DNS perimeter resolver with rpz and a block list to stop DNS lookups of advertisers/malware/etc. I wanted to see if I could make my DNS requests anonymous by routing them over HTTPS and Tor. I tried Alec’s setup but couldn’t quite get unbound to forward the requests reliably to dnscrypt-proxy, but this evening I got it working.

In this guide I follow most of Alec’s directions, but I’m not really too interested in the extra logging or stats, so my config will diverge slightly.

I do recommend you read his full guide to get an idea of the theory. I did find there is a slight latency in DNS resolution but nothing too horrible.

Installation of packages

You’ll need the tor and dnscrypt-proxy packages to get this running on OpenBSD:

pkg_add dnscrypt-proxy tor

Configuration

The tor config actually works as-is out of the box. Tor has a SocksProxy that listens on localhost (127.0.0.1) on port 9050. This is fine for our needs.

This is the cut-down dnscrypt-proxy config I have in /etc/dnscrypt-proxy.toml. I have removed the comments and the log file entries, which is where it differs from Alec’s config:

listen_addresses = [ '127.0.0.1:5353' ]
disabled_server_names = []
cert_refresh_delay = 60
doh_servers = true
ipv4_servers = false
ipv6_servers = false
dnscrypt_servers = false
block_ipv6 = true
block_unqualified = true
block_undelegated = true
require_nolog = false
require_dnssec = true
require_nofilter = true
force_tcp = true
proxy = 'socks5://127.0.0.1:9050'
timeout = 10000
lb_strategy = 'p2'
log_level = 2
use_syslog = true
log_files_max_size = 64
log_files_max_age = 7
log_files_max_backups = 4
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]
fallback_resolvers = ['1.1.1.1:53', '8.8.8.8:53']
netprobe_address = '8.8.8.8:53'
netprobe_timeout = 60
ignore_system_dns = true
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
[sources]

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'public-resolvers.md'

[sources.'onion-services']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'onion-services.md'

(Side note: I set my fallback_resolvers and netprobe_address to my ISP’s resolvers, but you can use 1.1.1.1 and 8.8.8.8 if you want. Neither is on the path your normal queries take: netprobe_address is only contacted once at startup to check that the network is up, and fallback_resolvers are plain, unencrypted resolvers used only for the one-shot lookups needed to fetch the initial resolver lists, which matters here because ignore_system_dns = true. Those bootstrap lookups are the one place plaintext port-53 traffic can legitimately show up, so do any leak check after the proxy has finished starting.)

Enabling and Starting Services

Running these commands should enable and start up the services for use:

rcctl enable tor
rcctl enable dnscrypt_proxy
rcctl start tor
rcctl start dnscrypt_proxy

Give it a minute or so to bootstrap tor and download the resolver files.

Configuring Unbound

I use unbound as a DNS perimeter resolver. This is the config I added to unbound.conf to make it all work:

do-not-query-localhost: no

forward-zone:
    name: "."
    forward-first: no
    forward-addr: 127.0.0.1@5353

You need do-not-query-localhost: no in the server: section of the config, or unbound will never forward DNS requests to dnscrypt-proxy: by default unbound refuses to send queries to anything on localhost, and 127.0.0.1@5353 is exactly that.

I restarted unbound with rcctl restart unbound and was able to do DNS lookups just fine.

I also ran tcpdump on my egress network interface to sniff for packets outbound on port 53 and found none. They were all going over Tor.
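The steps above (services up, dnscrypt-proxy answering on 5353, unbound forwarding on 53, and the tcpdump sweep for anything still leaving on port 53) can be turned into one script that checks each hop in order, so a failure points at the hop that is broken. This is an added example and not part of the original post or of the unbound, dnscrypt-proxy or Tor projects. It assumes dig(1) is available, that tcpdump is run with -n so ports print as numbers, that the egress interface is em0 unless you pass another name, and that the listen addresses are the ones from the post (127.0.0.1:5353 for dnscrypt-proxy, 127.0.0.1:53 for unbound); example.com is just a name that should resolve. The sample tcpdump lines it is checked against are constructed, not captured.

```sh
#!/bin/sh
# Added example (not from the original post): hop-by-hop checks for the
# unbound -> dnscrypt-proxy -> Tor chain on OpenBSD.
# Assumptions: dig(1) is installed, tcpdump runs with -n, the egress
# interface is em0 (override with the second argument), and the services
# listen where the post puts them (127.0.0.1:5353 and 127.0.0.1:53).

PROXY_CONF=/etc/dnscrypt-proxy.toml
TEST_NAME=example.com   # any name that should resolve; an assumption

# Count outbound plaintext DNS packets in tcpdump text read from stdin.
# Only the destination side ("> host.53:") is matched, so local queries to
# 127.0.0.1.5353 and Tor's own TCP/443 or /9001 connections are ignored.
# Always exits 0 so callers can capture the count under "set -e".
count_port53() {
    grep -Ec '> [^ ]+\.53: ' || true
}

# Ask the resolver at host $1, port $2 for an A record of $3.
# Succeeds only if an IPv4 address comes back.
hop_answers() {
    dig +short +time=5 +tries=1 "@$1" -p "$2" "$3" A 2>/dev/null |
        grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Capture on interface $1 for $2 seconds (default 30) and print how many
# packets were sent to port 53. Needs root. After the proxy has finished
# bootstrapping, any non-zero count means something is bypassing Tor.
leak_check() {
    iface=$1; secs=${2:-30}
    tmp=$(mktemp) || return 1
    tcpdump -n -i "$iface" -l 'dst port 53' > "$tmp" 2>/dev/null &
    pid=$!
    sleep "$secs"
    kill "$pid" 2>/dev/null
    count_port53 < "$tmp"
    rm -f "$tmp"
}

# Run the checks in dependency order so the first failure names the hop.
verify_chain() {
    iface=${1:-em0}
    for s in tor dnscrypt_proxy unbound; do
        rcctl check "$s" >/dev/null || { echo "$s is not running"; return 1; }
    done
    dnscrypt-proxy -config "$PROXY_CONF" -check \
        || { echo "dnscrypt-proxy config does not validate"; return 1; }
    hop_answers 127.0.0.1 5353 "$TEST_NAME" \
        || { echo "dnscrypt-proxy (5353) not answering: Tor or DoH problem"; return 1; }
    hop_answers 127.0.0.1 53 "$TEST_NAME" \
        || { echo "unbound (53) not answering: check do-not-query-localhost"; return 1; }
    leaks=$(leak_check "$iface" 30)
    echo "packets to port 53 on $iface in 30s: $leaks"
    [ "$leaks" -eq 0 ]
}

# Invoke as: doas sh check-dns-path.sh run em0
if [ "${1:-}" = "run" ]; then
    verify_chain "${2:-}"
fi
```

The leak count only looks at the destination side of each tcpdump line on purpose: the query from unbound to 127.0.0.1.5353 and the encrypted Tor circuits on 443 or 9001 are supposed to be there, and matching them would give false positives. Run the whole thing a minute or two after rcctl start, once the resolver lists have been fetched, for the reason given in the side note above.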

I hope this guide was helpful!