content(dnscrypt): add tips, reword, reformat
All checks were successful
continuous-integration/drone/push Build is passing

surtur 2022-09-01 02:36:58 +02:00
parent c88a02c101
commit 87138d7b1e
Signed by: wanderer
GPG Key ID: 19CE1EC1D9E0486D

@ -1,14 +1,14 @@
--- ---
title: "DNSCrypt - running the server" title: "DNSCrypt - running the server"
date: 2021-08-06T23:38:45+02:00 date: 2021-08-06T23:38:45+02:00
author: wanderer - https://git.dotya.ml/wanderer
draft: false draft: false
toc: true toc: true
enableGitInfo: true enableGitInfo: true
lastmod: 2022-28-08T17:20:10+02:00
tags: [dnscrypt, dns, privacy, security, censorship] tags: [dnscrypt, dns, privacy, security, censorship]
--- ---
### why are you doing this? ## why are you doing this?
There are many publicly available [open resolvers using DoT, DoH or There are many publicly available [open resolvers using DoT, DoH or
DNSCrypt](https://dnscrypt.info/public-servers) just sitting around the DNSCrypt](https://dnscrypt.info/public-servers) just sitting around the
interwebs, waiting to secure the DNS traffic and protect it from whoever is interwebs, waiting to secure the DNS traffic and protect it from whoever is
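Review bot: the new `lastmod: 2022-28-08T17:20:10+02:00` line in the front matter is not a valid timestamp (month 28), so the site generator's date parsing will choke on it; the intended value looks like `lastmod: 2022-08-28T17:20:10+02:00`. Also, for an explicit `author` field, pair the display name and the URL in whatever shape the theme expects rather than a free-form `name - URL` string, otherwise it will be rendered verbatim.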
@ -19,32 +19,99 @@ DNS is such a critical piece of infrastructure.
And now we're offering it for public use. And now we're offering it for public use.
### so what is it? ## so what is it?
What we're running is a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS What we're running is a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS
resolver using resolver using
[dnscrypt-server-docker](https://github.com/dnscrypt/dnscrypt-server-docker) project. [dnscrypt-server-docker](https://github.com/dnscrypt/dnscrypt-server-docker) project.
Of course, our resolver is available over both IPv4 and IPv6. Of course, our resolver is available over both IPv4 and IPv6.
### can I haz some plz ## can I haz some plz
> Since the name servers are not (yet) a part of any listing of public Yes! As a matter of fact, you should even be able to get records on
> resolvers, entries have to be added manually. [OpenNIC](https://www.opennic.org/) domains.
You can try some using the awesome tool [`doggo`](https://github.com/mr-karan/doggo), like so:
```shell
doggo --debug --json NS epic. @sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA
```
example response:
```shell
DEBUG[2022-09-01T00:22:23+02:00] initiating DNSCrypt resolver
DEBUG[2022-09-01T00:22:23+02:00] Starting doggo 🐶
DEBUG[2022-09-01T00:22:23+02:00] Attempting to resolve domain=epic. nameserver="144.91.70.62:5443" ndots=0
[
{
"answers": [
{
"name": "epic.",
"type": "NS",
"class": "IN",
"ttl": "86400s",
"address": "ns13.opennic.glue.",
"status": "",
"rtt": "45ms",
"nameserver": "144.91.70.62:5443"
}
],
"authorities": null,
"questions": [
{
"name": "epic.",
"type": "NS",
"class": "IN"
}
]
}
]
```
### `dnscrypt-proxy` configuration tips
If you'd, for some reason, like to use exclusively our name servers, simply set
the `server_names` in the root section of your `dnscrypt-proxy.toml` config
file:
```toml
server_names = ['dotya.ml', 'dotya.ml-ipv6']
```
By default servers are picked based on latency, which is a sane default and it
is in fact what we use.
If in need of more granular nameserver selection based on anything other than
latency they can additionally easily be filtered (without being explicitly
listed) based on:
* logging
* filtering
* DNSSEC capabilities
* DoH, ODoH or DNSCrypt capabilities
* IPv4 or IPv6 availability
Further, we also remove certain players from the equation by simply listing
them in `disabled_server_names`, like so:
```toml
disabled_server_names = ['google-ipv6', 'cloudflare', 'cloudflare-ipv6', 'cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'yandex', 'apple', 'doh.dns.apple.com']
```
### old news
> Update 2022-09-01: the servers are now a part of the official listing at
> https://dnscrypt.info/public-servers/, so there is no point in adding them
> manually anymore. Keeping this for posterity.
Paste one or both of the following entries in the `[static]` section of your Paste one or both of the following entries in the `[static]` section of your
`dnscrypt-proxy.toml` configuration file. `dnscrypt-proxy.toml` configuration file.
IPv4 (`144.91.70.62`)
```toml ```toml
[static]
# IPv4 (144.91.70.62, port 5443)
[static. 'dnscrypt.dotya.ml-ipv4'] [static. 'dnscrypt.dotya.ml-ipv4']
stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA' stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA'
```
IPv6 (`2a02:c207:2030:396::1`) # IPv6 (2a02:c207:2030:396::1, port 5443)
```toml
[static. 'dnscrypt.dotya.ml-ipv6'] [static. 'dnscrypt.dotya.ml-ipv6']
stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s' stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s'
``` ```
### Configuration ## server configuration
Files used to set up and run this service can be found here:\ Files used to set up and run this service can be found here:\
https://git.dotya.ml/dotya.ml/dnscrypt-server. https://git.dotya.ml/dotya.ml/dnscrypt-server.
It's a `docker-compose` setup managed with `systemd`, similar to how Drone CI It's a `docker-compose` setup managed with `systemd`, similar to how Drone CI
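Review bot: the resolver names are inconsistent between sections: the tips section sets `server_names = ['dotya.ml', 'dotya.ml-ipv6']`, while the `[static]` entries kept under "old news" are named `'dnscrypt.dotya.ml-ipv4'` and `'dnscrypt.dotya.ml-ipv6'`; a reader who still has the static entries and copies the `server_names` line will match nothing. State that `dotya.ml` / `dotya.ml-ipv6` are the names from the official public-resolvers listing, or align the two. Smaller points: the bullet list of selection criteria (logging, filtering, DNSSEC, DoH/ODoH/DNSCrypt, IPv4/IPv6) would be more useful with the matching `dnscrypt-proxy.toml` keys named (`require_nolog`, `require_nofilter`, `require_dnssec`, the `*_servers` booleans), and the JSON response from `doggo` is fenced as ```shell where ```json would render correctly.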