Development issues regarding the cerowrt test router project
From: Maciej Soltysiak <maciej@soltysiak.com>
To: Aristar <LeetMiniWheat@gmail.com>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt security
Date: Tue, 22 Oct 2013 13:43:31 +0200
Message-ID: <CAMZR1YCp=zkDFWm7z4uT9HsSiBAjB9xf8w4AZs0MoVsC8-pAgA@mail.gmail.com>
In-Reply-To: <CAGHZhqHA46s1HcWcMnqOzTMrtr8Qc-7Uw+QdN7RjiUDQp41=vw@mail.gmail.com>

> https://forum.openwrt.org/viewtopic.php?id=36380&p=3 ) on cero 3.7.5, it requires setting dnsmasq to use 127.0.0.1 for dns requests. Perhaps if this makes it into trunk we'd be able to consider it in the future? The full source is available here: https://github.com/opendns/dnscrypt-proxy - notably, it requires libsodium to function.

I can confirm it works as I'm running it on cero 3.8.something.
One comment. You are suggesting to use OpenDNS. Depending on level of
paranoia (which *IS* a virtue) the question whether they keep logs or
not might be an issue. They probably do and would give the data to NSA
gladly. There are 3 other DNSCrypt resolvers which claim not to keep
the logs. They are in Holland, Japan and Australia. The last one is
endorsed by prism-break.org, but I have 500ms latency.

Therefore I have bought a VM at a cloud provider in my city and
deployed the same thing they run, but 7ms away. DNSCrypt-wrapper with a
default config of unbound to provide recursive, DNSSEC validated NS.
So my humble setup is:

[home.lan] <-> [dnsmasq] <-> [dnscrypt-proxy] <-> [dnscrypt-wrapper]
<-> [recursive unbound]

dnsmasq and dnscrypt-proxy are on Cero
dnscrypt-wrapper and unbound are controlled by me, sitting on a Debian VM.

Note this leaves home.lan clients still sending regular UDP to Cero. Last
mile not protected. There are other ways to configure this, like do it
on the client, and put the wrapper on cero. In any case we should be
able to have both: dnscrypt-proxy and dnscrypt-wrapper. Both need
libsodium, which in turn needs libevent-dev.

If anyone wants to check out my dnscrypt provider, it's at
178.216.201.222:2053.
Connect using:
dnscrypt-proxy -a 127.0.0.1:2053 \
  --provider-name=2.dnscrypt-cert.soltysiak.com \
  -r 178.216.201.222:2053 \
  --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21

Test by:
dig -p 2053 @127.0.0.1 google.com

Best regards,
Maciej
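
The --provider-key above is the trust anchor of the whole chain: it is the provider's Ed25519 public key, and dnscrypt-proxy uses it to check the signed certificate it fetches (as a plain TXT query to the resolver for the provider name, 2.dnscrypt-cert.<domain>) before it trusts the resolver key inside. The following is an added example, not code from the message, from dnscrypt-proxy or from dnscrypt-wrapper: it builds a DNSCrypt v1 certificate the way a wrapper would and verifies it against a fingerprint in the same 16-group format as the one posted. The Ed25519 part follows djb's public-domain reference ed25519.py in pure Python so nothing beyond the standard library is needed. Assumptions: the certificate layout is DNSCrypt v1 as described by the protocol (4-byte magic, es-version, minor version, 64-byte signature, then the signed resolver key, 8-byte client magic, serial and validity window, all big endian); client-magic being the first 8 bytes of the resolver key is a convention, not a requirement; all keys and timestamps are constructed for the demo. The TXT query itself is not shown.

```python
"""DNSCrypt v1 provider certificate, built and checked against a pinned provider-key
fingerprint. Added example, not dnscrypt-proxy's or dnscrypt-wrapper's code; Ed25519
follows djb's public-domain reference ed25519.py, compacted to stdlib-only Python."""
import hashlib
import struct

# ---- Ed25519 (reference algorithm; not constant-time, for illustration) ----
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, Q - 2, Q)) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):                        # even square root x for a given y
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    return Q - x if x & 1 else x

BY = (4 * pow(5, Q - 2, Q)) % Q
B = (_xrecover(BY), BY)                  # base point

def _add(P, R):                          # twisted Edwards point addition
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(P, e):                          # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _enc(P):                             # y little-endian, sign of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def _dec(s):                             # inverse of _enc; rejects points off the curve
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return (x, y)

def _hint(m):
    return int.from_bytes(hashlib.sha512(m).digest(), "little")
def _secret_scalar(seed):                # clamped scalar a, plus the nonce prefix
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def ed25519_pubkey(seed):
    return _enc(_mul(B, _secret_scalar(seed)[0]))
def ed25519_sign(msg, seed):
    a, prefix = _secret_scalar(seed)
    pk = _enc(_mul(B, a))
    r = _hint(prefix + msg) % L
    R = _enc(_mul(B, r))
    return R + ((r + _hint(R + pk + msg) * a) % L).to_bytes(32, "little")

def ed25519_verify(sig, msg, pk):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    return s < L and _mul(B, s) == _add(R, _mul(A, _hint(sig[:32] + pk + msg) % L))

# ---- DNSCrypt v1 certificate: the TXT payload served for 2.dnscrypt-cert.<domain> ----
CERT_MAGIC, ES_VERSION = b"DNSC", 1      # es-version 1 = X25519-XSalsa20Poly1305

def fingerprint(pk):                     # provider key as dnscrypt-proxy prints it
    h = pk.hex().upper()
    return ":".join(h[i:i + 4] for i in range(0, 64, 4))

def build_cert(provider_seed, resolver_pk, serial, ts_start, ts_end):
    # Signed part: resolver-pk | client-magic | serial | ts-start | ts-end (big endian).
    # client-magic = first 8 bytes of the resolver key is an assumed convention.
    signed = resolver_pk + resolver_pk[:8] + struct.pack(">III", serial, ts_start, ts_end)
    sig = ed25519_sign(signed, provider_seed)
    return CERT_MAGIC + struct.pack(">HH", ES_VERSION, 0) + sig + signed

def verify_cert(cert, provider_fp, now):
    """(resolver_pk, client_magic) if supported, signed by the pinned key and valid at now."""
    if len(cert) < 124 or cert[:4] != CERT_MAGIC or cert[4:6] != struct.pack(">H", ES_VERSION):
        return None
    sig, signed = cert[8:72], cert[72:]
    if not ed25519_verify(sig, signed, bytes.fromhex(provider_fp.replace(":", ""))):
        return None
    _serial, ts_start, ts_end = struct.unpack(">III", signed[40:52])
    return (signed[:32], signed[32:40]) if ts_start <= now <= ts_end else None
```

Against a real provider you would pass each string of the TXT answer for 2.dnscrypt-cert.soltysiak.com to verify_cert(cert, "25C4:E188:...:8F21", int(time.time())) and keep the valid certificate with the highest serial; the resolver_pk it returns is what the X25519 exchange uses and client_magic prefixes every encrypted query. A wrong or stale --provider-key makes every certificate come back None, which is exactly why the fingerprint is worth pinning rather than fetching.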

Thread overview: 7+ messages
2013-10-22  1:31 Aristar
2013-10-22  1:59 ` Dave Taht
2013-10-22  3:25   ` Aristar
2013-10-22 11:43 ` Maciej Soltysiak [this message]
2013-10-22 11:59   ` Toke Høiland-Jørgensen
2013-10-22 12:26     ` Richard E. Brown
2013-10-22 12:31       ` David Lang
