A validating, recursive, caching DNS server, protected against DNS spoofing and man-in-the-middle attacks.

DNSCrypt is a protocol that encrypts and authenticates communications between a DNS client and a DNS resolver, which prevents DNS spoofing and man-in-the-middle attacks on that path. DNSCrypt is available for most operating systems, including Linux, Windows, Mac OS X, Android and iOS. In this tutorial I'm using Arch Linux with kernel 4.1.

Unbound is a DNS cache server used to resolve any DNS query it receives. When a user sends a new query, Unbound stores the answer in its cache; when the same query arrives a second time, Unbound answers from the saved cache, which is faster than the first request.

Now I will install DNSCrypt to secure the DNS communication, and make it faster with the Unbound DNS cache.

Step 1: Remove dnsmasq and autoresolv

Disable or remove dnsmasq and the resolver in your system. By default Ubuntu Server uses autoresolv and Ubuntu Desktop uses dnsmasq.

Step 2: Install and configure dnscrypt-proxy

Thanks to Simon Clausen for creating an autoinstall script for dnscrypt for us Ubuntu users; you can get that script from his GitHub, https://github.com/simonclausen/dnscrypt-autoinstall. This script runs on Arch Linux too.

You can make sure that DNSCrypt is working correctly by visiting https://dnsleaktest.com/, clicking "Standard Test" or "Extended Test" and waiting for the test to finish.

Once dnscrypt is running well, edit /etc/init.d/dnscrypt-proxy and add the option --local-address=127.0.0.2:40 to the daemon command line, so it looks like this:

    case "$1" in
      start)
        echo "Starting $NAME"
        $DAEMON --daemonize --ephemeral-keys --user=dnscrypt --resolver-address=$ADDRESS --provider-name=$PNAME --provider-key=$PKEY --local-address=127.0.0.2:40
        ;;
      stop)
        echo "Stopping $NAME"
        pkill -f $DAEMON
        ;;
      restart)
        $0 stop
        $0 start
        ;;
    esac

This makes dnscrypt listen on 127.0.0.2 port 40. Restart dnscrypt, then check it in your system.

Step 3: Install Unbound

    sudo apt-get update

Install unbound:

    sudo apt-get install unbound

Configure Unbound

The Unbound configuration file is located at /etc/unbound/unbound.conf. Generate the control keys:

    unbound-control-setup

Change the owner of all unbound_* files in the directory /etc/unbound to unbound:root (user unbound, group root):

    chown unbound:root unbound_*

Change the permissions of all unbound_* files to 644.

Edit your unbound.conf:

    ## Authoritative, validating, recursive caching DNS
    ## unbound.conf -- https://calomel.org
    #
    server:
      verbosity: 1
      interface: 127.0.0.1
      port: 53
      do-ip4: yes
      do-ip6: no
      do-udp: yes
      do-tcp: yes
      access-control: 127.0.0.0/8 allow
      access-control: 10.0.0.0/16 allow
      root-hints: "/etc/unbound/root.hints"
      hide-identity: yes
      hide-version: yes
      harden-glue: yes
      harden-dnssec-stripped: yes
      use-caps-for-id: yes
      cache-min-ttl: 3600
      cache-max-ttl: 86400
      prefetch: yes
      num-threads: 4

      # fragment memory usage.
      msg-cache-slabs: 8
      rrset-cache-slabs: 8
      infra-cache-slabs: 8
      key-cache-slabs: 8
      rrset-cache-size: 256m
      msg-cache-size: 128m
      so-rcvbuf: 1m

      ## Unbound Optimization and Speed Tweaks ###
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-domain: "home.lan"
      unwanted-reply-threshold: 10000
      do-not-query-localhost: no
      auto-trust-anchor-file: "/etc/unbound/root.key"
      val-clean-additional: yes

      # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
      # account for a 70 percent share of all advertising traffic. Block them.
      local-zone: "doubleclick.net" redirect
      local-data: "doubleclick.net A 127.0.0.1"
      local-zone: "googlesyndication.com" redirect
      local-data: "googlesyndication.com A 127.0.0.1"
      local-zone: "googleadservices.com" redirect
      local-data: "googleadservices.com A 127.0.0.1"
      local-zone: "google-analytics.com" redirect
      local-data: "google-analytics.com A 127.0.0.1"
      local-zone: "ads.youtube.com" redirect
      local-data: "ads.youtube.com A 127.0.0.1"
      local-zone: "adserver.yahoo.com" redirect
      local-data: "adserver.yahoo.com A 127.0.0.1"
      local-zone: "ask.com" redirect
      local-data: "ask.com A 127.0.0.1"

      local-zone: "home.lan." static
      local-data: "firewall.home.lan. IN A 10.0.0.1"
      local-data: "laptop.home.lan. IN A 10.0.0.2"
      local-data: "xboxone.home.lan. IN A 10.0.0.3"
      local-data: "ps4.home.lan. IN A 10.0.0.4"
      local-data: "dhcp5.home.lan. IN A 10.0.0.5"
      local-data: "dhcp6.home.lan. IN A 10.0.0.6"
      local-data: "dhcp7.home.lan. IN A 10.0.0.7"
      local-data-ptr: "10.0.0.1 firewall.home.lan"
      local-data-ptr: "10.0.0.2 laptop.home.lan"
      local-data-ptr: "10.0.0.3 xboxone.home.lan"
      local-data-ptr: "10.0.0.4 ps4.home.lan"
      local-data-ptr: "10.0.0.5 dhcp5.home.lan"
      local-data-ptr: "10.0.0.6 dhcp6.home.lan"
      local-data-ptr: "10.0.0.7 dhcp7.home.lan"

      # Unbound can query your NSD or BIND server for private domain queries too.
      # On our NSD page we have NSD configured to serve the private domain,
      # "home.lan". Here we can tell Unbound to connect to the NSD server when it
      # needs to resolve a *.home.lan hostname or IP.
      #
      # private-domain: "home.lan"
      # local-zone: "0.0.10.in-addr.arpa." nodefault
      # stub-zone:
      #   name: "home.lan"
      #   stub-addr: 10.0.0.111@53

      # If you have internal or private DNS names the external DNS servers can
      # not resolve, then you can assign domain name strings to be redirected to a
      # separate DNS server. For example, our company has the domain
      # organization.com and the domain name internal.organization.com can not be
      # resolved by Google's public DNS, but can be resolved by our private DNS
      # server located at 1.1.1.1. The following tells Unbound that any
      # organization.com domain, i.e. *.organization.com, be resolved by 1.1.1.1
      # instead of the public DNS servers.
      #
      # forward-zone:
      #   name: "organization.com"
      #   forward-addr: 1.1.1.1   # Internal or private DNS

      # Use the following forward-zone to forward all queries to Google DNS,
      # OpenDNS.com or your local ISP's DNS servers for example. To test resolution
      # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
      # milliseconds.
      #
    forward-zone:
      name: "."
      forward-addr: 127.0.0.2@40   # DNScrypt dns

Download root.hints (into the path named by root-hints above):

    wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

Create the keys:

    unbound-control-setup

After that, create the file /etc/unbound/root.key, edit root.key and paste:

    . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

Edit /etc/resolv.conf with:

    nameserver 127.0.0.1

    chattr -i /etc/resolv.conf

Then try restarting unbound.
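The unbound.conf above hand-writes one local-zone/local-data pair per blocked ad domain and one A plus one PTR record per LAN host. As an added example (my own script, not part of the original post), the POSIX shell functions below generate those stanzas from a domain list and an "ip name" list, so the pattern can be applied to as many domains and hosts as needed without typos. The domains and hosts fed in at the bottom are constructed samples; the suggested include file path is an assumption.

```shell
#!/bin/sh
# Generate Unbound local-zone stanzas in the same style as the tutorial's
# unbound.conf. Added example; not the original post's code.

# block_zones DOMAIN...
# One "redirect" zone per domain: the apex and every name under it answer
# with 127.0.0.1, so clients connect to the local host instead of the ad
# server. This mirrors the doubleclick.net entries in the tutorial.
block_zones() {
  for d in "$@"; do
    printf 'local-zone: "%s" redirect\n' "$d"
    printf 'local-data: "%s A 127.0.0.1"\n' "$d"
  done
}

# static_zone ZONE  (reads "ip name" pairs on stdin)
# A "static" zone holding A and PTR records for LAN hosts. "static" means
# names not listed here get NXDOMAIN rather than being sent upstream, so a
# typo in a LAN hostname never leaks to the DNSCrypt resolver.
static_zone() {
  zone=$1
  pairs=$(cat)                       # keep the pairs to walk them twice
  printf 'local-zone: "%s." static\n' "$zone"
  # forward records first, as in the tutorial's home.lan block
  printf '%s\n' "$pairs" | while read -r ip name; do
    [ -n "$ip" ] || continue         # skip blank lines
    printf 'local-data: "%s.%s. IN A %s"\n' "$name" "$zone" "$ip"
  done
  # then the reverse (PTR) records; local-data-ptr takes "IP name"
  printf '%s\n' "$pairs" | while read -r ip name; do
    [ -n "$ip" ] || continue
    printf 'local-data-ptr: "%s %s.%s"\n' "$ip" "$name" "$zone"
  done
}

# Constructed sample input. In use, redirect the output to a file such as
# /etc/unbound/local.conf (assumed path) and reference it from unbound.conf
# with: include: "/etc/unbound/local.conf"
block_zones doubleclick.net googlesyndication.com adserver.yahoo.com
printf '10.0.0.1 firewall\n10.0.0.2 laptop\n10.0.0.3 xboxone\n' | static_zone home.lan
```

The generated lines must sit inside the server: clause (an include: placed there is enough); run unbound-checkconf after regenerating the file, before restarting Unbound.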
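Restarting unbound only tells you the daemon came up, not that the chain Unbound (127.0.0.1:53) -> dnscrypt-proxy (127.0.0.2:40) is actually validating DNSSEC with the root.key trust anchor. As an added example (my own, not from the original post), the shell functions below read dig output and classify a response as validated (AD flag set), unvalidated (NOERROR but no AD flag, e.g. an unsigned zone) or bogus (SERVFAIL, which a validating resolver returns for a broken signature chain or when the upstream strips DNSSEC records). The two dig transcripts embedded at the bottom are constructed samples so the logic runs offline; the hostname and addresses in them are placeholders.

```shell
#!/bin/sh
# Classify dig responses from the local Unbound/DNSCrypt chain.
# Added example; not the original post's code. Live use:
#   dig +dnssec @127.0.0.1 example.com | validation_verdict
#   dig +dnssec @127.0.0.1 example.com | query_time_ms

# rcode: print the status (NOERROR, SERVFAIL, NXDOMAIN, ...) from the header line
rcode() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# has_ad_flag: succeed if the flags line carries "ad" (Authenticated Data),
# which Unbound sets only when the DNSSEC chain to the root.key anchor verified
has_ad_flag() {
  grep -q '^;; flags:.* ad[ ;]'
}

# query_time_ms: print the "Query time" value; a second identical query should
# report close to 0 msec because Unbound answers it from cache
query_time_ms() {
  sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# validation_verdict: combine status and AD flag into one word
validation_verdict() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | rcode)
  case $status in
    SERVFAIL) echo bogus ;;
    NOERROR)
      if printf '%s\n' "$out" | has_ad_flag; then echo validated; else echo unvalidated; fi ;;
    *) echo "unknown:$status" ;;
  esac
}

# Constructed sample: a validated answer (192.0.2.1 is a documentation address)
SAMPLE_SECURE='; <<>> DiG 9.9.5 <<>> +dnssec @127.0.0.1 example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.	3600	IN	A	192.0.2.1
example.com.	3600	IN	RRSIG	A 8 2 3600 ...

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample: what a validating resolver returns for a bogus zone
SAMPLE_SERVFAIL='; <<>> DiG 9.9.5 <<>> +dnssec @127.0.0.1 bogus.example
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 120 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

printf 'secure sample:   %s\n' "$(printf '%s\n' "$SAMPLE_SECURE" | validation_verdict)"
printf 'servfail sample: %s\n' "$(printf '%s\n' "$SAMPLE_SERVFAIL" | validation_verdict)"
```

If a domain you know to be signed comes back unvalidated, check that root.key exists and is writable by the unbound user (auto-trust-anchor-file rewrites it when the root key rolls); if everything comes back bogus, the forward-addr 127.0.0.2@40 is usually the place to look, since do-not-query-localhost: no must be set for Unbound to use it at all.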
Thursday, September 10
Using Unbound and dnscrypt-proxy in linux ubuntu 14