A while back I read Alec Muffett’s No Port 53, Who Dis? A Year of DNS over HTTPS over Tor and thought: I wonder if I can make this work with my unbound setup?
I use unbound as a DNS perimeter resolver with rpz and a block list to stop DNS lookups of advertisers/malware/etc. I wanted to see if I could make my DNS requests anonymous by routing them over HTTPS and Tor. I tried Alec’s setup but couldn’t quite get unbound to forward the requests reliably to dnscrypt-proxy, but this evening I got it working.
In this guide I follow most of Alec’s directions, but I’m not really too interested in the extra logging or stats, so my config will diverge slightly.
I do recommend you read his full guide to get an idea of the theory. I did find there is a slight latency in DNS resolution but nothing too horrible.
Installation of packages
You’ll need tor and dnscrypt-proxy to get this running on OpenBSD:
pkg_add dnscrypt-proxy tor
The tor config actually works as-is out of the box. Tor runs a SOCKS proxy (SocksPort) that listens on localhost (127.0.0.1) on port 9050. This is fine for our needs.
This is the cut-down dnscrypt-proxy config I have in /etc/dnscrypt-proxy.toml. I have removed the comments and the log file entries (differences from Alec’s config):
listen_addresses = [ '127.0.0.1:5353' ]
disabled_server_names = []
cert_refresh_delay = 60
doh_servers = true
ipv4_servers = false
ipv6_servers = false
dnscrypt_servers = false
block_ipv6 = true
block_unqualified = true
block_undelegated = true
require_nolog = false
require_dnssec = true
require_nofilter = true
force_tcp = true
proxy = 'socks5://127.0.0.1:9050'
timeout = 10000
lb_strategy = 'p2'
log_level = 2
use_syslog = true
log_files_max_size = 64
log_files_max_age = 7
log_files_max_backups = 4
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]
fallback_resolvers = ['188.8.131.52:53', '184.108.40.206:53']
netprobe_address = '220.127.116.11:53'
netprobe_timeout = 60
ignore_system_dns = true
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

[sources]

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'public-resolvers.md'

[sources.'onion-services']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md']
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
cache_file = 'onion-services.md'
(Side note: I set my fallback_resolvers and netprobe_address to my ISP’s resolvers, but you can use 18.104.22.168 and 22.214.171.124 if you want.)
Enabling and Starting Services
Running these commands should enable and start up the services for use:
rcctl enable tor
rcctl enable dnscrypt_proxy
rcctl start tor
rcctl start dnscrypt_proxy
Give it a minute or so to bootstrap tor and download the resolver files.
I use unbound as a DNS perimeter resolver. This is the config I added to unbound.conf to make it all work:
do-not-query-localhost: no

forward-zone:
    name: "."
    forward-first: no
    forward-addr: 127.0.0.1@5353
Note: do-not-query-localhost: no has to be added to the config (it belongs in the server: section) or unbound will never forward DNS requests to dnscrypt-proxy!
I restarted unbound with:
rcctl restart unbound
and was able to do DNS lookups just fine.
I also ran tcpdump on my egress network interface to sniff for packets outbound on port 53 and found none. They were all going over Tor.
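As an added example (not part of the original post), here is a small shell helper that turns that tcpdump check into a number you can act on: it reads tcpdump's one-line output and counts port 53 packets that are not on loopback. Loopback traffic is expected, because unbound hands queries to dnscrypt-proxy on 127.0.0.1:5353 and local clients may query unbound on 127.0.0.1:53; anything on port 53 to or from another address is a leak past the Tor tunnel. The sample lines are constructed, and em0 in the usage note is a placeholder for your egress interface.

```shell
#!/bin/sh
# Added example: count DNS packets that bypassed the dnscrypt-proxy -> Tor path.
# Assumes tcpdump's default one-line output with numeric ports (-n), e.g.
#   "12:00:00.000001 IP 192.0.2.10.41234 > 203.0.113.53.53: 1+ A? example.com. (29)"
# A packet counts as a leak when the destination port (".53:") or the source
# port (".53 >") is 53 and neither endpoint is 127.0.0.1.

# count_port53_leaks: read tcpdump lines on stdin, print the number of
# non-loopback port-53 packets (0 when there are none).
count_port53_leaks() {
    awk '
        /[.]53:/ || /[.]53 >/ {
            if ($0 !~ /127\.0\.0\.1/) n++
        }
        END { print n + 0 }
    '
}

# verdict: read tcpdump lines on stdin, print a one-line summary and
# return 1 if any leak was seen, so it can gate a script.
verdict() {
    leaks=$(count_port53_leaks)
    if [ "$leaks" -eq 0 ]; then
        echo "ok: no plain port 53 traffic left the host"
        return 0
    fi
    echo "LEAK: $leaks plain DNS packet(s) on port 53"
    return 1
}
```

Usage on the resolver itself, after the services are up (em0 is the egress interface placeholder): capture a batch of packets while generating lookups, then pipe them through the check, for example tcpdump -ni em0 -c 200 port 53 | verdict. With the forwarding working, a dig @127.0.0.1 -p 5353 example.com against dnscrypt-proxy directly and a normal dig through unbound should both answer while verdict still reports zero leaks.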
I hope this guide was helpful!