content(dnscrypt): add tips, reword, reformat

2022-09-01 02:36:58 +02:00 · 2022-09-01 02:36:58 +02:00 · 87138d7b1e
commit 87138d7b1e
parent c88a02c101
1 changed files with 83 additions and 16 deletions
--- a/content/posts/dnscrypt.md
+++ b/content/posts/dnscrypt.md
@ -1,14 +1,14 @@
 ---
 title: "DNSCrypt - running the server"
 date: 2021-08-06T23:38:45+02:00
+author: wanderer - https://git.dotya.ml/wanderer
 draft: false
 toc: true
 enableGitInfo: true
-lastmod: 2022-28-08T17:20:10+02:00
 tags: [dnscrypt, dns, privacy, security, censorship]
 ---

-### why are you doing this?
+## why are you doing this?
 There are many publicly available [open resolvers using DoT, DoH or
 DNSCrypt](https://dnscrypt.info/public-servers) just sitting around the
 interwebs, waiting to secure the DNS traffic and protect it from whoever is
@ -19,32 +19,99 @@ DNS is such a critical piece of infrastructure.

 And now we're offering it for public use.

-### so what is it?
+## so what is it?
 What we're running is a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS
 resolver using
 [dnscrypt-server-docker](https://github.com/dnscrypt/dnscrypt-server-docker) project.
 Of course, our resolver is available over both IPv4 and IPv6.

-### can I haz some plz
-> Since the name servers are not (yet) a part of any listing of public
-> resolvers, entries have to be added manually.
+## can I haz some plz
+Yes! As a matter of fact, you should even be able to get records on
+[OpenNIC](https://www.opennic.org/) domains.
+
+You can try some using the awesome tool [`doggo`](https://github.com/mr-karan/doggo), like so:
+```shell
+doggo --debug --json NS epic. @sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA
+```
+example response:
+```shell
+DEBUG[2022-09-01T00:22:23+02:00] initiating DNSCrypt resolver
+
+DEBUG[2022-09-01T00:22:23+02:00] Starting doggo 🐶
+
+DEBUG[2022-09-01T00:22:23+02:00] Attempting to resolve domain=epic. nameserver="144.91.70.62:5443" ndots=0
+[
+    {
+        "answers": [
+            {
+                "name": "epic.",
+                "type": "NS",
+                "class": "IN",
+                "ttl": "86400s",
+                "address": "ns13.opennic.glue.",
+                "status": "",
+                "rtt": "45ms",
+                "nameserver": "144.91.70.62:5443"
+            }
+        ],
+        "authorities": null,
+        "questions": [
+            {
+                "name": "epic.",
+                "type": "NS",
+                "class": "IN"
+            }
+        ]
+    }
+]
+```
+
+### `dnscrypt-proxy` configuration tips
+If you'd, for some reason, like to use exclusively our name servers, simply set
+the `server_names` in the root section of your `dnscrypt-proxy.toml` config
+file:
+```toml
+server_names = ['dotya.ml', 'dotya.ml-ipv6']
+```
+
+By default servers are picked based on latency, which is a sane default and it
+is in fact what we use.
+
+If in need of more granular nameserver selection based on anything other than
+latency they can additionally easily be filtered (without being explicitly
+listed) based on:
+* logging
+* filtering
+* DNSSEC capabilities
+* DoH, ODoH or DNSCrypt capabilities
+* IPv4 or IPv6 availability
+
+Further, we also remove certain players from the equation by simply listing
+them in `disabled_server_names`, like so:
+```toml
+disabled_server_names = ['google-ipv6', 'cloudflare', 'cloudflare-ipv6', 'cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'yandex', 'apple', 'doh.dns.apple.com']
+```
+
+### old news
+> Update 2022-09-01: the servers are now a part of the official listing at
+> https://dnscrypt.info/public-servers/, so there is no point in adding them
+> manually anymore. Keeping this for posterity.

 Paste one or both of the following entries in the `[static]` section of your
 `dnscrypt-proxy.toml` configuration file.

-IPv4 (`144.91.70.62`)
 ```toml
-[static. 'dnscrypt.dotya.ml-ipv4']
-  stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA'
+[static]
+  # IPv4 (144.91.70.62, port 5443)
+  [static. 'dnscrypt.dotya.ml-ipv4']
+    stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA'
+
+  # IPv6 (2a02:c207:2030:396::1, port 5443)
+  [static. 'dnscrypt.dotya.ml-ipv6']
+    stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s'
 ```

-IPv6 (`2a02:c207:2030:396::1`)
-```toml
-[static. 'dnscrypt.dotya.ml-ipv6']
-  stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s'
-```
-
-### Configuration
+## server configuration
 Files used to set up and run this service can be found here:\
 https://git.dotya.ml/dotya.ml/dnscrypt-server.
 It's a `docker-compose` setup managed with `systemd`, similar to how Drone CI