[Cerowrt-devel] cerowrt security

Maciej Soltysiak maciej at soltysiak.com
Tue Oct 22 07:43:31 EDT 2013

> https://forum.openwrt.org/viewtopic.php?id=36380&p=3 ) on cero 3.7.5, it requires setting dnsmasq to use for dns requests. Perhaps if this makes it into trunk we'd be able to consider it in the future? The full source is available here: https://github.com/opendns/dnscrypt-proxy - notably, it requires libsodium to function.

I can confirm it works as I'm running it on cero 3.8.something.
One comment. You are suggesting to use OpenDNS. Depending on level of
paranoia (which *IS* a virtue) the question whether they keep logs or
not might be an issue. They probably do and would give the data to NSA
gladly. There are 3 other DNSCrypt resolvers which claim not to keep
the logs. They are in Holland, Japan and Australia. The last one is
endorsed by prism-break.org, but I have 500ms latency.

Therefore I have bought a VM at a cloud provider in my city and
deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a
default config of unbound to provide recursive, DNSSEC validated NS.
So my humble setup is:

[home.lan] <-> [dnsmasq] <-> [dnscrypt-proxy] <-> [dnscrypt-wrapper]
<-> [recursive unbound]

dnsmasq and dnscrypt-proxy are on Cero
dnscrypt-wrapper and unbound are controlled by me, sitting on a Debian VM.

Note this leaves home.lan clients still sending regular UDP to Cero. Last
mile not protected. There are other ways to configure this, like do it
on the client, and put the wrapper on cero. In any case we should be
able to have both: dnscrypt-proxy and dnscrypt-wrapper. Both need
libsodium, which in turn needs libevent-dev.

If anyone wants to check out my dnscrypt provider, it's at
Connect using:
dnscrypt-proxy -a
--provider-name=2.dnscrypt-cert.soltysiak.com -r

Test by:
dig -p 2053 google.com

Best regards,
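An added configuration example for the chain Maciej describes above (this is not from his post, nor from the dnsmasq, unbound, dnscrypt-proxy or dnscrypt-wrapper projects). It shows one way to plumb the four pieces together so that each listens on its own port. Assumptions, not facts from the post: dnscrypt-proxy listens locally on 127.0.0.1:2053 (matching the dig -p 2053 test), dnscrypt-wrapper listens on the VM's port 443, unbound listens on 127.0.0.1:5353, the provider name 2.dnscrypt-cert.example.com and the key/cert file names are placeholders, and the command lines in the comments are the dnscrypt-proxy 1.x and dnscrypt-wrapper invocations as documented at the time, which you should check against the version you install.

```conf
# --- Cero router: additions to /etc/dnsmasq.conf ---
# Ignore the ISP resolvers from /etc/resolv.conf and hand every upstream
# query to the local dnscrypt-proxy listener (assumed port 2053).
no-resolv
server=127.0.0.1#2053
# Pass DNSSEC records through unchanged; validation is done by unbound on the VM.
proxy-dnssec
# Assumption: dnscrypt-proxy (1.x) on Cero is started with
#   dnscrypt-proxy --local-address=127.0.0.1:2053 \
#       --resolver-address=<VM-IP>:443 \
#       --provider-name=2.dnscrypt-cert.example.com \
#       --provider-key=<fingerprint printed by dnscrypt-wrapper --gen-provider-keypair>
# The LAN-side clients still reach dnsmasq over plain UDP/53 (the
# "last mile" the post mentions); only the router-to-VM hop is encrypted.

# --- Debian VM: server: section of /etc/unbound/unbound.conf ---
server:
    # Loopback only: the wrapper on the same host is the sole client.
    interface: 127.0.0.1
    port: 5353
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # DNSSEC validation; root.key is kept current by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    hide-identity: yes
    hide-version: yes

# Assumption: dnscrypt-wrapper on the VM is started with
#   dnscrypt-wrapper --listen-address=0.0.0.0:443 \
#       --resolver-address=127.0.0.1:5353 \
#       --provider-name=2.dnscrypt-cert.example.com \
#       --crypt-secretkey-file=1.key \
#       --provider-cert-file=1.cert
# (1.key / 1.cert are placeholders for the files produced by the wrapper's
#  --gen-crypt-keypair and --gen-cert-file steps.)
```

With this layout, `dig -p 2053 google.com` on Cero exercises dnscrypt-proxy directly, while a query from a LAN host exercises the whole chain. Binding unbound to loopback and refusing everything except 127.0.0.0/8 keeps the recursor from becoming an open resolver even if the VM's firewall is misconfigured, since only the wrapper is meant to talk to it.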

