
#1 2020-07-15 13:14:41

ferrum
Member
Registered: 2020-07-07
Posts: 5

DNSCrypt - a few questions.

Hello.

I would like to ask a few questions about DNSCrypt (various aspects). So, should I ask all of my questions here, in one thread, or do the opposite: one question per thread?

By the way: that forum is one of the best on the network :- )

Thanks, best regards.

Last edited by ferrum (2020-07-15 13:36:24)


#2 2020-07-15 13:48:00

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,774

Re: DNSCrypt - a few questions.

Generally, we prefer one question per thread; but if all the questions are related, and are all about DNSCrypt, let's keep them all together in one thread. We will play it by ear.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2020-07-15 15:17:26

ferrum
Member
Registered: 2020-07-07
Posts: 5

Re: DNSCrypt - a few questions.

Hi ewaller. Thanks for the answer.

I also thought that it's better to ask one question per thread. I think you are also right. One more thing: some of my questions are really naive and simply... stupid, but they seem to be important (I also think so for many not-so-experienced users, like me). So, let's start.

---[ 1. systemd sockets.
I know that there is plenty of information and discussion (even on the official DNSCrypt GitHub and so on) on this topic. However, I would like to ask what is more secure: a systemd socket, or DNSCrypt listening on its own "sockets" (see the 'listen_addresses' option in the dnscrypt-proxy.toml file)?

Even if the systemd socket is disabled, the various hardening options added to the dnscrypt-proxy.service file still remain active, right? The mentioned options are used even with systemd sockets disabled. Am I right?

---[ 2. Port change.
By default, DNSCrypt uses port #53 (see the dnscrypt-proxy.socket file). Various users change this port, for example because of Unbound, Stubby and so on. But what about the situation where the user doesn't have any of the mentioned applications? Should port #53 also be changed, in such a situation, to something above 1024 (so it is not required to be run by root etc.)? I'm asking from a security point of view, of course.

---[ 3. EDNS0.
EDNS0 is an extension mechanism for DNS. We all know what this mechanism is responsible for. Additionally, EDNS0 is mentioned in the Arch Linux [1] and DNSCrypt [2] installation wikis. So, should this extension be used? If yes, is adding "options edns0" to the /etc/resolv.conf file sufficient, or is it better to use the EDNSPayloadSize option as described in the Arch Linux Wiki (see [1])?

Okay ewaller, I decided to ask three questions, for now. (There are also another three or four of them.) What do you think about asking questions this way? (Should I wait for users' answers and then ask the next question/s?) If this method is wrong, please let me know and I will add my other questions here, in the first post. Then users will be able to refer to each question in their own post, instead of answering a question, then waiting for the next one and answering by creating a new post, and so on. Pretty complicated and unnecessary.

Thanks, best regards.
_______________________
[1] https://wiki.archlinux.org/index.php/Dn … able_EDNS0
[2] https://github.com/DNSCrypt/dnscrypt-pr … tion-linux

Last edited by ferrum (2020-07-16 05:59:15)


#4 2020-07-29 18:13:13

ferrum
Member
Registered: 2020-07-07
Posts: 5

Re: DNSCrypt - a few questions.

Hello.

I'm so, so sorry for such a long time without any activity from my side, but I was in hospital. Never mind. Since there isn't any answer, I have to do it by myself. If someone could verify my point of view on the above issues, it would be amazing.

So, if it's about the systemd socket: I think that socket activation is somewhat better, mainly because of capabilities; they have to be added to the .service file, right? Socket activation doesn't need additional privileges. With sockets, capabilities aren't needed, right? (By the way: hardening options added to the dnscrypt-proxy.service file are still tolerated and used by the OS even when systemd sockets are disabled, right?)

Port change: it's only needed when the user wants to run, for example, dnsmasq or unbound in conjunction with DNSCrypt, right? Or is it preferable to change the default port (which is 53) to something above 1024? (Of course, I'm thinking about the situation where DNSCrypt is the only application used etc.)

EDNS0: I think the situation here is less complex. Because this mechanism supports a UDP query response larger than 512 bytes, the original restriction (e.g. it allows DNS clients to expand up to 4096 bytes of UDP packets, and so on), it's possible to use the DNSSEC extension, which needs a large packet size etc. So, a user who wants to use DNSSEC probably should add EDNS0 to /etc/resolv.conf. It's also worth noting that "DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography."

So, what do you think? Is it all okay, or are there mistakes, bad advice etc.? (Sorry for such naive questions.)

All the best, thanks.

Last edited by ferrum (2020-07-29 18:14:14)
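Added example, not from this thread and not dnscrypt-proxy's own code: a small wire-format builder and parser that shows what the EDNS0 discussion in posts #3 and #4 is about. In EDNS0 (RFC 6891) the client advertises a larger UDP payload size than the classic 512-byte limit by appending an OPT pseudo-record to the additional section; the requestor's payload size travels in the record's CLASS field, and the DO ("DNSSEC OK") bit, which asks the server for DNSSEC records, is the top bit of the record's TTL field. This is what "options edns0" in /etc/resolv.conf tells the glibc stub resolver to emit. The query name, transaction id, the sample response, the 4096/1232 sizes and the 192.0.2.1 address are constructed values for the demonstration.

```python
import struct

# Constructed example: build a DNS query with an optional EDNS0 OPT record,
# and parse the OPT record (UDP payload size, DO bit) back out of a message.
LEGACY_UDP_LIMIT = 512   # RFC 1035 maximum UDP message size without EDNS0
EDNS_RRTYPE_OPT = 41     # RR type of the OPT pseudo-record (RFC 6891)
DO_BIT = 0x8000          # "DNSSEC OK" flag inside the OPT record's 32-bit TTL field


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, udp_payload_size=None, dnssec_ok=False):
    """Return a wire-format query; udp_payload_size=None means no OPT record (plain DNS)."""
    arcount = 1 if udp_payload_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN
    msg = header + question
    if udp_payload_size is not None:
        ttl_flags = DO_BIT if dnssec_ok else 0
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=ext-rcode/version/flags (DO bit lives here), RDLEN=0 (no options).
        msg += b"\x00" + struct.pack("!HHIH", EDNS_RRTYPE_OPT, udp_payload_size, ttl_flags, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at msg[off], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return (udp_payload_size, dnssec_ok) from the OPT record, or None if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rrtype, rrclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rrtype == EDNS_RRTYPE_OPT:
            return rrclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None


def effective_udp_limit(msg):
    """Largest UDP message the sender of msg has said it can accept."""
    edns = parse_edns(msg)
    return LEGACY_UDP_LIMIT if edns is None else edns[0]


def build_sample_response(query):
    """Constructed response: one A record (name via compression pointer) plus the server's OPT record."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)   # QR, RD, RA; 1 answer, 1 additional
    question = query[12:skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", EDNS_RRTYPE_OPT, 1232, DO_BIT, 0)   # server accepts 1232 bytes
    return header + question + answer + opt


if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", udp_payload_size=4096, dnssec_ok=True)
    print("plain query limit:", effective_udp_limit(plain))        # 512
    print("EDNS0 query:", parse_edns(edns))                          # (4096, True)
    print("sample response:", parse_edns(build_sample_response(edns)))  # (1232, True)
```

Without the OPT record a resolver must assume the 512-byte legacy limit and will truncate larger answers (forcing a TCP retry), which is why DNSSEC-signed responses, with their RRSIG records, practically require EDNS0; the payload size the client advertises should be one that reaches the server unfragmented, which is the point of the EDNSPayloadSize setting mentioned in the Arch Wiki.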
