divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb

commit 7d2994583e0f862b809e46a06b1ec37c57bf812a
parent 57a232ec491c32eb6cad4ee9002e0b0d60c07a2b
Author: sin <sin@2f30.org>
Date:   Tue, 15 Mar 2016 13:55:19 +0000

Add dnscrypt_proxy instructions

Diffstat:
M guides/openbsd-gateway.md | 42 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/guides/openbsd-gateway.md b/guides/openbsd-gateway.md @@ -30,7 +30,7 @@ The following topics will be discussed: * Firewall, routing and NAT configuration * DHCP server configuration -* Split horizon DNS +* Split horizon DNS + dnscrypt_proxy * PXE booting * Configuring an IPv6 gif(4) tunnel with Hurricane Electric * NetFlow sensor and collector configuration @@ -149,6 +149,45 @@ and browse the web. You should also be able to access $sshbox from the outside over ssh on the default port. In my configuration this is a separate machine but could just as well be the router itself. +### Using dnscrypt_proxy with unbound + +First install dnscrypt_proxy from packages. + +Adjust /etc/rc.conf.local: + + dnscrypt_proxy_flags="-l /dev/null -R dnscrypt.eu-nl -a 127.0.0.1:53" + pkg_scripts="dnscrypt_proxy" + +Start it: + + /etc/rc.d/dnscrypt_proxy start + +Then adjust the unbound configration: + +#### /var/unbound/etc/unbound.conf + + server: + interface: 10.0.0.1 + access-control: 10.0.0.0/24 allow + + local-data: "gw.2f30.org. IN A 10.0.0.1" + local-data-ptr: "10.0.0.1 gw.2f30.org." + + local-data: "sshbox.2f30.org. IN A 10.0.0.2" + local-data-ptr: "10.0.0.2 sshbox.2f30.org." + + forward-zone: + name: "." + forward-addr: 127.0.0.1 # dnscrypt_proxy is listening here + forward-addr: 208.67.220.220 + +Restart unbound: + + /etc/rc.d/unbound restart + +You should use [tcpdump(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8) +to confirm that DNS requests are encrypted. + ### PXE booting I use PXE booting on my laptop to upgrade OpenBSD. I run a tftp server on my router @@ -306,3 +345,4 @@ I've found the following references highly informative and useful. * [IPv6 for IPv4 Experts](https://sites.google.com/site/yartikhiy/home/ipv6book) * [IPv6 Core Protocols Implementation](http://www.amazon.co.uk/Protocols-Implementation-Morgan-Kaufmann-Networking-x/dp/0124477518) * [TCP/IP guide](http://www.tcpipguide.com/) +
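Review bot: in the forward-zone of the new unbound.conf block (hunk @@ -149,6 +149,45 @@), the second entry, forward-addr: 208.67.220.220, is a plain DNS forwarder, so unbound can send queries to it unencrypted whenever it picks that address instead of 127.0.0.1, which undoes the point of the section. Drop that line, or state in the text that it is a deliberate cleartext fallback. The server: block shown also does not set do-not-query-localhost: no; unbound does not query localhost addresses by default, so as written the 127.0.0.1 forwarder would be skipped and every query would go to 208.67.220.220. The closing tcpdump sentence would help more if it said what to look for, for example no port 53 queries leaving the external interface. Smaller points in the same hunk: "configration" should be "configuration", and -l /dev/null in dnscrypt_proxy_flags discards the proxy's log, which makes a failed resolver connection hard to notice.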
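Review bot: the last hunk (@@ -306,3 +345,4 @@) only adds an empty line after the "TCP/IP guide" reference at the end of the file; it is unrelated to the dnscrypt_proxy instructions and can be dropped from this commit.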