mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-28 10:02:43 +01:00
56819171bc
Signed-off-by: David Spencer <idlemoor@slackbuilds.org>
66 lines
2.8 KiB
Text
66 lines
2.8 KiB
Text
Setup
|
|
|
|
An init script and configuration file have been provided to run
|
|
dnscrypt-wrapper as a daemon. To configure dnscrypt-wrapper, edit
|
|
/etc/default/dnscrypt-wrapper with the desired settings. By default
|
|
dnscrypt-wrapper will run on 0.0.0.0 (all interfaces), port 53, forwarding DNS
|
|
queries to 8.8.8.8:53 (Google's DNS server).
|
|
|
|
The configuration file is setup to use a dnscrypt user by default, and to
|
|
chroot into that user's home directory to maximize security. In order to use
|
|
the default configuration you should create a dnscrypt user and group with the
|
|
following commands:
|
|
|
|
groupadd -g 293 dnscrypt
|
|
useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt
|
|
|
|
If you decide to use another user you should edit the CHROOTDIR and USER
|
|
options in /etc/default/dnscrypt-wrapper (there are example settings provided
|
|
for the user 'nobody').
|
|
|
|
dnscrypt-wrapper requires both provider and cryptographic public and secret
|
|
keys, and a provider certificate. These can all be generated manually (see
|
|
/usr/doc/dnscrypt-wrapper-@VERSION@/README.md ), or they can be generated
|
|
automatically by configuring /etc/default/dnscrypt-wrapper and running
|
|
|
|
/etc/rc.d/rc.dnscrypt-wrapper generate-keys
|
|
/etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys
|
|
/etc/rc.d/rc.dnscrypt-wrapper generate-cert
|
|
|
|
You will need to note the provider key fingerprint(s) and/or stamp(s) when
|
|
running that command, since clients will need them for
|
|
identification/verification. Automatically generated keys have a 24-hour expiry
|
|
period by default. Unless you change this to something longer in
|
|
/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation
|
|
mechanism to automatically update the encryption key and certificate. This can
|
|
be done by running
|
|
|
|
/etc/rc.d/rc.dnscrypt-wrapper rotate-keys
|
|
|
|
This command backs up the old key/cert, creates a new key/cert, and restarts a
|
|
running server to support both old and new key/cert. Since clients typically
|
|
fetch new certificates hourly, support for the old key/cert should be removed
|
|
an hour after the keys are rotated by restarting the server:
|
|
|
|
/etc/rc.d/rc.dnscrypt-wrapper restart
|
|
|
|
Typically one cron job, run daily, would rotate the keys, and another, run an
|
|
hour later, would restart the server.
|
|
|
|
In order for clients to forward queries through dnscrypt-wrapper, they will
|
|
need to run dnscrypt-proxy configured to connect to the server running
|
|
dnscrypt-wrapper.
|
|
|
|
To start dnscrypt-wrapper automatically at system start, add the following to
|
|
/etc/rc.d/rc.local:
|
|
|
|
if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
|
|
/etc/rc.d/rc.dnscrypt-wrapper start
|
|
fi
|
|
|
|
To properly stop dnscrypt-wrapper on system shutdown, add the following to
|
|
/etc/rc.d/rc.local_shutdown:
|
|
|
|
if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
|
|
/etc/rc.d/rc.dnscrypt-wrapper stop
|
|
fi
|