# dnscrypt and unbound questions



## max21 (Jul 30, 2017)

Hello everybody,

This is what I got before installing dnscrypt-proxy and unbound.

```
(~) drill -S FreeBSD.org @4.2.2.1
;; Number of trusted keys: 2
;; Chasing: freebsd.org. A


DNSSEC Trust tree:
FreeBSD.org. (A)
|---freebsd.org. (DNSKEY keytag: 17253 alg: 8 flags: 256)
    |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
    |---freebsd.org. (DNSKEY keytag: 37681 alg: 8 flags: 257)
    |---freebsd.org. (DS keytag: 25814 digest type: 2)
        |---org. (DNSKEY keytag: 3947 alg: 7 flags: 256)
            |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
            |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
            |---org. (DS keytag: 9795 digest type: 1)
            |   |---. (DNSKEY keytag: 15768 alg: 8 flags: 256)
            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |---org. (DS keytag: 9795 digest type: 2)
                |---. (DNSKEY keytag: 15768 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful
(~)
```
... and the full dump

```
(~) tcpdump -netvi em0 host 4.2.2.1
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
xx:xx:xx:xx:xx:xx > xx:xx:xx:xx:xx:xx, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 36280, offset 0, flags [none], proto UDP (17), length 68)
    192.168.0.14.50981 > 4.2.2.1.53: 1210+% [1au] A? FreeBSD.org. (40)
xx:xx:xx:xx:xx:xx > xx:xx:xx:xx:xx:xx, ethertype IPv4 (0x0800), length 784: (tos 0x20, ttl 51, id 15295, offset 0, flags [none], proto UDP (17), length 770)
    4.2.2.1.53 > 192.168.0.14.50981:  .  . .
.  . .  .
.  . .  .
```
This is what I got after installing dnscrypt-proxy and unbound.

```
(~) drill -S FreeBSD.org @127.0.0.2
;; Number of trusted keys: 2
Error: error sending query: Could not send or receive, because of network error
(~)
```
… nothing to dump.

```
(~) tcpdump -netvi em0 host 127.0.0.2
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
```
I had no firewall running while testing: is this the way it's supposed to work?  I'm asking because immediately afterwards I pinged yahoo with success, which made me kind of think all went well.  These days I'd rather know for sure, and how to fix it if it's broken.  BTW, this is a standalone FreeBSD desktop that uses Comcast home internet.

Edit:  forgot to clear out some numbers.
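
An added verification script for the question in this post (it is not from the thread or from the dnscrypt-proxy/unbound projects). The capture on em0 is empty because packets addressed to 127.0.0.2 travel over lo0 and never touch em0, so the chain has to be checked on lo0 and through the resolver itself. It assumes the layout this thread ends up with (unbound on 127.0.0.1:53, dnscrypt-proxy on 127.0.0.2:40, em0 as the outside interface) and FreeBSD's sockstat(1) and drill(1) output formats; all function and variable names are the script's own. Run it as `sh verify_dnscrypt_chain.sh run`; without an argument it only defines the functions.

```shell
#!/bin/sh
# verify_dnscrypt_chain.sh -- added example, not from the thread.
# Checks the chain stub -> unbound (127.0.0.1:53) -> dnscrypt-proxy
# (127.0.0.2:40) -> upstream resolver.  Assumptions: FreeBSD sockstat(1)
# columns, drill(1) from the base system, and the addresses below.
# Traffic between unbound and dnscrypt-proxy stays on lo0; it never shows
# up on em0, which is why "tcpdump -i em0 host 127.0.0.2" captures nothing.

UNBOUND_ADDR="${UNBOUND_ADDR:-127.0.0.1}"
PROXY_ADDR="${PROXY_ADDR:-127.0.0.2}"
PROXY_PORT="${PROXY_PORT:-40}"
EXT_IF="${EXT_IF:-em0}"

# re_escape STRING: escape dots so an IP address can sit inside a regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# listeners_ok < sockstat-output
# 0 when unbound listens on $UNBOUND_ADDR:53 and dnscrypt-proxy on
# $PROXY_ADDR:$PROXY_PORT.  sockstat truncates COMMAND to "dnscrypt-p".
listeners_ok() {
    _s=$(cat)
    _ua=$(re_escape "$UNBOUND_ADDR"); _pa=$(re_escape "$PROXY_ADDR")
    printf '%s\n' "$_s" | grep -Eq "unbound .*(udp|tcp)4 +${_ua}:53([[:space:]]|\$)" &&
    printf '%s\n' "$_s" | grep -Eq "dnscrypt-p.*(udp|tcp)4 +${_pa}:${PROXY_PORT}([[:space:]]|\$)"
}

# ad_flag_set < drill-output
# 0 when the answer header carries the AD (authenticated data) flag.  Only a
# validating resolver sets it; a plain forwarder hands back intact DNSSEC
# records without AD, and "drill -S" still chases them successfully.
ad_flag_set() {
    grep -Eq '^;; flags:.*[[:space:]]ad([[:space:]]|;|$)'
}

# chase_ok < drill-S-output
# 0 when the chase succeeded and the trust tree reaches a root key-signing
# key (DNSKEY with flags 257 under "."), i.e. the records returned through
# the chain verify against drill's local copy of the root trust anchor.
chase_ok() {
    _d=$(cat)
    printf '%s\n' "$_d" | grep -q '^;; Chase successful' &&
    printf '%s\n' "$_d" | grep -q -e '---\. (DNSKEY keytag: [0-9][0-9]* alg: [0-9][0-9]* flags: 257)'
}

# run_live: run the three checks against the running system, then print the
# two captures that show each hop on the interface it actually uses.
run_live() {
    sockstat -4l | listeners_ok || { echo "listeners missing (sockstat -4l)"; return 1; }
    drill -D FreeBSD.org @"$UNBOUND_ADDR" | ad_flag_set \
        || { echo "no AD flag: unbound answered but did not validate"; return 1; }
    drill -S FreeBSD.org @"$UNBOUND_ADDR" | chase_ok \
        || { echo "DNSSEC chase failed via $UNBOUND_ADDR"; return 1; }
    echo "chain OK.  Watch the hops with:"
    echo "  tcpdump -ni lo0 udp port $PROXY_PORT    # unbound -> dnscrypt-proxy"
    echo "  tcpdump -ni $EXT_IF port 53             # must stay silent: no cleartext DNS leaving"
}

case "${1:-}" in
    run) run_live ;;
esac
```

The AD check is the one the `drill -S` runs in this post cannot replace: `drill -S` chases signatures itself from a local trust anchor, so it reports "Chase successful" through any resolver that relays DNSSEC records intact, including a non-validating one; only the `ad` flag in a plain answer shows that the local unbound did the validation. The last tcpdump line is the leak test: once everything goes through dnscrypt-proxy, nothing on em0 should use port 53.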


----------



## max21 (Jul 30, 2017)

Wozzeck.Live said:


> You may find the answers here, you will probably have to install and use unbound from port system and activate the DNSCRYPT compatibilty option before building
> 
> https://forums.freebsd.org/threads/61694/
> 
> Further you will have to create an alias in your shell environment to link the command drill with the port version, instead of base system.




Wozzeck.Live, it doesn't get deeper than that.  I never thought that dnsCrypt would be linked to OpenDNS during operation.  I guess if the Gov controls AT&T even today, they would have ties with every major computer, cell and internet company here and abroad, except for Verizon, iPhone and FreeBSD… I hear?  Whatever the case, if my work or privacy comes up stolen or endangered I'll know not to go to war with my next neighbor or China.   I'll be a real Rambo!  But it seems like it's history since I got interested in DNS.

Is this the end already?  It tells me:

```
Not Found
The requested page /_/?q=dnscrypt-proxy is gone.
```
http://www.filewatcher.com/_/?q=dnscrypt-proxy

I know other countries have their laws, but is this true for people who live here in the US?

Anyway, thanks so much for the education.  I would have been blind from here on.  I am going to follow your lead and if I am successful, I'll post my setup.  I've been at it for a few weeks where nothing made any sense, and googling for answers proved it.  Not much for FreeBSD, and most Linux people can't get it to work, but still those answers gave me hints.  I hope that others will post any additional information about how-to and/or their experience with dnsCrypt.  It will be appreciated between both of these threads.  To me, gariac's link is the dnsCrypt bible for FreeBSD.  Maybe I can find the simplicity within his more advanced endeavor. I'm going to get started on that page right now.  I hope dnscrypt is not dead yet here in the US!

Thanks again Wozzeck.Live


----------



## max21 (Jul 31, 2017)

OK… It doesn't get any easier… The pkg versions work out of the box, but you have to set up rc.conf yourself.  The port version of dnsCrypt will install it automatically for you with everything on one line.  It has been a habit of mine to use free DNS services such as Comodo Secure DNS.  I did not realize that dnsCrypt requires that you must *use your actual IP DNS*.  Anyway, it's not such a bad deal.  At least my ex-wife's Facebook tracker with Google and crew can't invade my privacy at will.

*Here is all you need for pkg or port install.  Reboot and you're done.*

```
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"   # second loopback address for dnscrypt-proxy to listen on
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="ipredator"
dnscrypt_proxy_flags="-a 127.0.0.2:40 --provider-key=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx --provider-name=2.dnscrypt-cert.ipredator.se --resolver-address=194.132.32.32 -T -E -l /dev/null -d"
# -a listen address:port, -T TCP only to the resolver, -E new (ephemeral) key pair per query, -l log file, -d daemonize

local_unbound_enable="YES"   # base-system unbound on 127.0.0.1; its forward.conf must point at 127.0.0.2@40 (see the howto below)
```
https://blog.ipredator.se/freebsd-dnscrypt-howto.html

The only problem I had for the past 6 hours was stripping the life out of my pf, and this is all it would accept.  I'll try again tomorrow.

```
ext_if="em0"

ob_state = "flags S/SA modulate state"  #  outbound

pass out quick on $ext_if proto {tcp udp} from any to any port 2222  $ob_state
```
https://support.umbrella.com/hc/en-...g-Enabling-DNSCrypt-on-your-Virtual-Appliance
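
As an added example (not from the thread or from the linked howto): a consistency check across the three files that have to agree once the rc.conf above is in place. With `local_unbound_enable`, FreeBSD's `local-unbound-setup` writes `/var/unbound/forward.conf` and rewrites `/etc/resolv.conf` to `nameserver 127.0.0.1`; by default it takes the forwarders from whatever resolv.conf held before (the DHCP-supplied ISP servers), which is exactly how the ISP resolver stays in the path. For the chain to be dnscrypt-only, the forward-addr must be the address given to dnscrypt-proxy's `-a` flag (`127.0.0.2@40` in unbound's `addr@port` notation) and no other nameserver may remain. The paths are FreeBSD defaults; the rc.conf line parsing is this script's own assumption, not something dnscrypt-proxy or unbound guarantee.

```shell
#!/bin/sh
# dns_chain_consistency.sh -- added example, not from the thread.
# Cross-checks the files that must agree for
#   stub -> unbound (127.0.0.1) -> dnscrypt-proxy (-a addr:port) -> upstream:
#   /etc/rc.conf               dnscrypt_proxy_flags="-a <addr>:<port> ..."
#   /var/unbound/forward.conf  forward-addr: <addr>@<port>
#   /etc/resolv.conf           nameserver 127.0.0.1   (and nothing else)
# Assumption: the -a flag is written as "-a addr:port" or "-a=addr:port".

# proxy_listen RCCONF: print the addr:port dnscrypt-proxy listens on.
proxy_listen() {
    sed -n 's/^dnscrypt_proxy_flags=.*-a[= ]\([0-9.]*:[0-9]*\).*/\1/p' "$1" | head -n 1
}

# forwarders FORWARDCONF: print every forward-addr as addr:port, turning
# unbound's "addr@port" into "addr:port" and defaulting the port to 53.
forwarders() {
    awk '$1 == "forward-addr:" {
            n = split($2, a, "@"); print a[1] ":" (n > 1 ? a[2] : 53) }' "$1"
}

# resolvers RESOLVCONF: print the nameserver entries the stub resolver uses.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# chain_consistent RCCONF FORWARDCONF RESOLVCONF
# 0 when unbound forwards to exactly the dnscrypt-proxy listener and the stub
# resolver uses only 127.0.0.1.  Any extra forwarder or nameserver means some
# queries bypass dnscrypt in cleartext.
chain_consistent() {
    _proxy=$(proxy_listen "$1")
    [ -n "$_proxy" ] || { echo "no -a addr:port in dnscrypt_proxy_flags" >&2; return 1; }
    [ "$(forwarders "$2")" = "$_proxy" ] \
        || { echo "forward.conf must forward only to $_proxy" >&2; return 1; }
    [ "$(resolvers "$3")" = "127.0.0.1" ] \
        || { echo "resolv.conf must list only nameserver 127.0.0.1" >&2; return 1; }
    return 0
}

# Check the live system when invoked as: sh dns_chain_consistency.sh check
case "${1:-}" in
    check) chain_consistent /etc/rc.conf /var/unbound/forward.conf /etc/resolv.conf \
               && echo "chain consistent" ;;
esac
```

The two failure cases worth knowing: a forward.conf that still lists the ISP or router address (the 10.0.0.1 entry the poster later sees) means unbound forwards in cleartext and dnscrypt-proxy is idle, and a forward-addr of `127.0.0.1` points unbound at itself. The check rejects both.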


----------



## max21 (Jul 31, 2017)

According to the link I posted above, it made me feel like I had to choose between dnsCrypt or my firewall.  I would give up dnsCrypt before I cash in my packet filter.  Read my comments inside pf.conf below and you'll know why… then test for yourself using pftop.  It's a real shocker.  About my first attempt: it was read errors from running massive pf builds, browsers, typing too fast, to the point I had to reboot to test each line just to be sure.  It's just one of the many things we do when we've got time to silently say *Thank God I'm learning FreeBSD*.



```
########################################################################
#  Mostly taken from the FreeBSD Release 8.2 Install Guide    My FreeBSD Bible
########################################################################

ext_if="em0"

dns1 = "127.0.0.1"      #  194.132.32.23 | I'm not sure, I now see 10.0.0.1 as DNS.
                        #  Note: packets to 127.0.0.1 are delivered over lo0 and never
                        #  cross $ext_if, so the $dns1 rule below cannot match anything.
                        #  What does leave $ext_if for DNS is dnscrypt-proxy's upstream
                        #  connection (TCP, port 443 by default with -T), which the
                        #  port 443 rule below passes.

dhcp = "192.168.0.225"  #  192.168.0.225 | 192.168.0.254

icmp_A = "{ 8 }"        #  { 0, 3, 4, 8, 11, 12 }   8 = echo request

ob_state = "flags S/SA modulate state"  #  outbound

#ib_state = "flags S/SA synproxy state"  #  inbound

table <sshguard> persist

set optimization aggressive
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

scrub in on $ext_if all fragment reassemble

nat on $ext_if from !($ext_if) -> ($ext_if:0)   # this location works (translation rules must precede filter rules)

antispoof quick for $ext_if                     #  first filter rule after the nat rule

# Skip all loopback traffic; antispoof is for the outside, not internal.
set skip on lo0
#
###########################################################
# TRANSLATIONS
###########################################################
#
# remove the log keyword if I'm getting ganked by crackers / DDoSed

#block drop in quick inet6 .......................................  another big NO GO
#block in on $ext_if all .........................................  the worst NO GO
#block out on $ext_if all ........................................  the worst NO GO

#block in all ....................................................  A TOTAL LOSS
#block out all ...................................................  A TOTAL LOSS

#            but the lines between the *** will take care of most or all of this.
#            without it you get switched from being the SRC to DEST (pftop told me)

#####################################################################################
#####################################################################################

# Try a fake return scan on me... HA!
block return-rst out on $ext_if proto tcp all #...................  a big NO GO
block return-rst in on $ext_if proto tcp all #....................  a big NO GO

#block return-icmp out on $ext_if proto udp all #.................. a tricky NO GO
#block return-icmp in on $ext_if proto udp all #................... a tricky NO GO

# Try to block nmap scans GO
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# screw with nmap - try to block OS detection (illegal TCP flag combinations)
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255

block in quick on $ext_if proto tcp from <sshguard> to any label "ssh bruteforce" # sirdice

########################################################################################
########################################################################################

pass out quick on $ext_if inet proto tcp from any to any port 80 $ob_state              #  NO GO
pass out quick on $ext_if inet proto tcp from any to 127.0.0.1 port 80 $ob_state        #  never matches (loopback, see $dns1 note)

pass out quick on $ext_if inet proto tcp from any to any port 443 $ob_state
pass out quick on $ext_if inet proto tcp from any to 127.0.0.1 port 443 $ob_state       #  never matches (loopback, see $dns1 note)

########################################################################################
########################################################################################

pass out quick on $ext_if proto udp from any to $dhcp port 67 keep state        # dhcp
pass out quick on $ext_if proto {tcp udp} from any to $dns1 port 53             # dns (see $dns1 note)
pass out quick on $ext_if inet proto icmp from any to any icmp-type $icmp_A     # ping

# ********************************************************************
# ********************************************************************

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on $ext_if from 192.168.0.0/16 to any  #RFC 1918 private IP
block in quick on $ext_if from 172.16.0.0/12 to any   #RFC 1918 private IP
block in quick on $ext_if from 10.0.0.0/8 to any      #RFC 1918 private IP
block in quick on $ext_if from 127.0.0.0/8 to any     #loopback
block in quick on $ext_if from 0.0.0.0/8 to any       #"this" network (RFC 1122), never a valid source
block in quick on $ext_if from 169.254.0.0/16 to any  #link-local / DHCP auto-config
block in quick on $ext_if from 192.0.2.0/24 to any    #reserved for documentation (TEST-NET-1)
block in quick on $ext_if from 204.152.64.0/23 to any #Sun cluster interconnect (legacy entry from the old pf example)
block in quick on $ext_if from 224.0.0.0/3 to any     #Class D (multicast) and Class E (reserved)

# Block all NetBIOS services. 137=name, 138=datagram, 139=session
# NetBIOS is the MS/Windows sharing service.
# Block MS/Windows hosts2 name server requests (81)
block in log quick on $ext_if proto tcp from any to any port 137
block in log quick on $ext_if proto udp from any to any port 137
block in log quick on $ext_if proto tcp from any to any port 138
block in log quick on $ext_if proto udp from any to any port 138
block in log quick on $ext_if proto tcp from any to any port 139
block in log quick on $ext_if proto udp from any to any port 139
block in log quick on $ext_if proto tcp from any to any port 81
block in log quick on $ext_if proto udp from any to any port 81

# ********************************************************************
# ********************************************************************

#  Now logging is the problem, because block doesn't work here either.  If someone knows
#  why, I would like to know too.  Other than that, we can live without it.  Reading
#  pftop proved this configuration to be flawless; but still there are a few
#  things that need to be done.  Like, I just wonder if the dns1
#  setting above is correct.  From there I can picture the code flow,
#  then learn the proper way.  Btw, I don't write the code; I
#  keep the code and add to the great work of this community.
#  It's the only way I can learn; other than that, no one knows what the heck I'm talking about.

###########################################
# ****End of Rules for PF on dnsCrypt****
###########################################

# ............
# STUDY:
# scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp
# scrub out on $ext_if no-df random-id
```

Just one more time for the road

```
(~)
(~) drill -S FreeBSD.org @127.0.0.1
;; Number of trusted keys: 2
;; Chasing: freebsd.org. A
DNSSEC Trust tree:
FreeBSD.org. (A)
|---freebsd.org. (DNSKEY keytag: 17253 alg: 8 flags: 256)
    |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
    |---freebsd.org. (DNSKEY keytag: 37681 alg: 8 flags: 257)
    |---freebsd.org. (DS keytag: 25814 digest type: 2)
        |---org. (DNSKEY keytag: 3947 alg: 7 flags: 256)
            |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
            |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
            |---org. (DS keytag: 9795 digest type: 1)
            |  |---. (DNSKEY keytag: 15768 alg: 8 flags: 256)
            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |---org. (DS keytag: 9795 digest type: 2)
                |---. (DNSKEY keytag: 15768 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful
(~)
```
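
An added example, not the thread author's ruleset: a compact default-deny pf.conf for the same standalone desktop, wrapped in a small script so it can be syntax-checked with `pfctl -nf` before it is loaded. The interface (em0), dnscrypt resolver (194.132.32.32) and DHCP server (192.168.0.225) are taken from the posts above and are placeholders to edit. It differs from the ruleset above in the two places a practitioner would want: the only DNS-related rule passes dnscrypt-proxy's upstream TCP 443 connection explicitly, and nothing passes port 53 on em0 (a rule for 127.0.0.1 on em0 can never match, since loopback traffic never crosses em0), so any cleartext DNS leak shows up as a logged block on pflog0 instead of quietly working.

```shell
#!/bin/sh
# pf_dnscrypt_desktop.sh -- added example, not the thread author's ruleset.
# Minimal default-deny pf.conf for a standalone FreeBSD desktop whose DNS
# path is unbound (127.0.0.1) -> dnscrypt-proxy (127.0.0.2:40) -> upstream
# resolver over TCP 443 (the -T flag in the thread's rc.conf).  Interface,
# resolver and DHCP server addresses are assumptions taken from the thread.

# pf_ruleset: print the ruleset.  The heredoc is quoted, so every "$name"
# below is a pf.conf macro, not a shell variable.
pf_ruleset() {
    cat <<'EOF'
ext_if = "em0"
dnscrypt_resolver = "194.132.32.32"   # upstream reached by dnscrypt-proxy over TCP 443
dhcp_srv = "192.168.0.225"

set skip on lo0          # unbound <-> dnscrypt-proxy traffic never leaves loopback
set block-policy drop
set loginterface $ext_if

scrub in on $ext_if all fragment reassemble

# Default deny, logged: anything not passed below shows up on pflog0.
block log all

antispoof quick for $ext_if inet
block in quick on $ext_if from no-route to any

# Outbound, only what this desktop needs.  Pass rules keep state by default,
# so replies come back without any "pass in".
pass out quick on $ext_if proto udp from any to $dhcp_srv port 67                                            # dhcp
pass out quick on $ext_if proto tcp from ($ext_if) to $dnscrypt_resolver port 443 flags S/SA modulate state   # dnscrypt-proxy upstream
pass out quick on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } flags S/SA modulate state          # browsers
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq                             # ping

# Deliberately no rule for DNS on $ext_if: after the switch to dnscrypt no
# cleartext queries should leave this host, and a rule to 127.0.0.1 here could
# never match anyway because loopback packets do not cross $ext_if.
EOF
}

# pf_check FILE: parse the ruleset without loading it (exit status is pfctl's).
pf_check() {
    pfctl -nf "$1"
}

# pf_install: write the ruleset next to the live one, check it, and only then
# replace and load it, so a typo cannot leave the box without a working filter.
pf_install() {
    pf_ruleset > /etc/pf.conf.new \
        && pf_check /etc/pf.conf.new \
        && mv /etc/pf.conf.new /etc/pf.conf \
        && pfctl -f /etc/pf.conf
}

case "${1:-}" in
    print)   pf_ruleset ;;
    install) pf_install ;;
esac
```

`sh pf_dnscrypt_desktop.sh print > /tmp/pf.conf; pfctl -nf /tmp/pf.conf` is the dry run; `install` does the same and loads the result only if the check passed. Because the catch-all block is logged, `tcpdump -netti pflog0` becomes the place to look when something does not work, which is the logging the poster above could not get out of the blanket `block return-rst` rules.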


----------



## Deleted member 30996 (Jul 31, 2017)

max21 said:


> ```
> scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp
> scrub out on $ext_if no-df random-id
> ```



Is it necessary to use those scrub rules in your application?

All I use is:


```
scrub in on $ext_if all fragment reassemble
```


----------



## max21 (Aug 1, 2017)

Trihexagonal said:


> Is it necessary to use those scrub rules in your application?
> 
> All I use is:
> 
> ...



Replacement done!  Thanks Trihexagonal


----------



## Deleted member 30996 (Aug 1, 2017)

I'm glad that worked for you. My ruleset is set up to severely block inbound, and probably uses rules some people might not feel necessary, but this is what I use on the machine I'm on now, FYI:


```
### Macro name for external interface
ext_if = "bge0"
netbios_tcp = "{ 22, 23, 25, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in log quick on $ext_if proto tcp from any to any port $netbios_tcp
block in log quick on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

This is the output from `pfctl -s rules`:


```
root@seiryuto:/ # pfctl -s rules
scrub in on bge0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! bge0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.5 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on bge0 inet from any to 255.255.255.255
block drop in log quick on bge0 inet from 10.0.0.0/8 to any
block drop in log quick on bge0 inet from 172.16.0.0/12 to any
block drop in log quick on bge0 inet from 192.168.0.0/16 to any
block drop in log quick on bge0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on bge0 proto tcp from any to any port = ssh
block drop in log quick on bge0 proto tcp from any to any port = telnet
block drop in log quick on bge0 proto tcp from any to any port = smtp
block drop in log quick on bge0 proto tcp from any to any port = pop3
block drop in log quick on bge0 proto tcp from any to any port = sunrpc
block drop in log quick on bge0 proto tcp from any to any port = ntp
block drop in log quick on bge0 proto tcp from any to any port = exec
block drop in log quick on bge0 proto tcp from any to any port = login
block drop in log quick on bge0 proto tcp from any to any port = shell
block drop in log quick on bge0 proto tcp from any to any port = printer
block drop in log quick on bge0 proto tcp from any to any port = x11
block drop in log quick on bge0 proto tcp from any to any port = x11-ssh
block drop in log quick on bge0 proto udp from any to any port = biff
block drop in log quick on bge0 proto udp from any to any port = who
block drop in log quick on bge0 proto udp from any to any port = syslog
block drop in log quick on bge0 proto udp from any to any port = printer
block drop in log quick on bge0 proto udp from any to any port = mdns
block drop in log quick on bge0 proto udp from any to any port = x11
block drop in log quick on bge0 proto udp from any to any port = x11-ssh
pass out on bge0 proto tcp all flags S/SA modulate state
pass out on bge0 proto udp all keep state
pass out on bge0 proto icmp all keep state
```

P.S. You have duplicates of the rule

```
scrub in on $ext_if all fragment reassemble
```


----------



## max21 (Aug 2, 2017)

Trihexagonal, I removed the duplicate entry, but I'm not going to waste more time trying to get my version to do logging now that you've proved logging is possible on dnsCrypt.  Your rules are cleaner and so brutal to the inbound world.  How lucky can one be?  Thank you.  I'm sure this is totally unnecessary, but the only change I might make is adding sshguard just to know he is safely tucked in there.


max21 said:


> ...  ... I did not realize that dnsCrypt requires that you must *use your actual IP DNS*. ..


I've been wondering if my presumption is correct, telling people you must use your IP DNS in order to get dnsCrypt to work on FreeBSD.  Just because that was what I had to do doesn't mean it's required unless it's true.  Would anyone know if it is possible to use a free or paid third-party DNS before or after dnsCrypt installation, or was my presumption correct?


----------



## Deleted member 30996 (Aug 2, 2017)

max21 said:


> Trihexagonal...the only change I might make is adding sshguard just to know he is safely tucked in there.



I just posted it so you could get an idea how I do things.

It's totally up to you, but the one thing I suggest you take from mine is the use of macros. You have separate rules to block specific ports in your rule set: 80/81/137/138/139/443. My netbios macro (silly name, but the first I came up with) lists all the ports I want to block and does it with two lines of code, one for TCP and one for UDP:


```
### Block specific ports
block in log quick on $ext_if proto tcp from any to any port $netbios_tcp
block in log quick on $ext_if proto udp from any to any port $netbios_udp
```
You can always remove the log variable.


----------



## max21 (Aug 4, 2017)

Trihexagonal said:


> I just posted it so you could get an idea how I do things.



Trihexagonal, now I understand the power of macros.  It's not there just to avoid repeating input; it can also open up some doors for the programmer.  I'm going to rebuild Hermelito's complete Desktop Firewall and include your example and the `.. tcp flags FUP/WEUAPRSF`, etc. stuff that I use.  It's probably for servers, but I like his dialogue.  I already know it's going to replace quite a few things.

When calling `pfctl -s rules`, your example lists things the way they should be seen, a separate line for nearly every rule.  The macro name is not silly.  I assume when Windows and the Mac were improving in the 80's, the internet conversation transformed to let it be known.   The main thing is you got it to do logging with dnsCrypt/unbound running on FreeBSD.  After this, my struggles with pf will be history.

About my other question: so the answer was in the details.  But where are the details?  Details are below.  I was wrong to conclude that using your ISP DNS was required.  With an out-of-the-box install, dnsCrypt will use your IP DNS, which may point to OpenDNS using something called dns2.  At least that is what I think was going on when I was viewing with pftop.

However, I found two additional links to Wozzeck.Live's link above, which also proved very helpful.  The first one I already posted, but I did not get it right.  If you follow the instructions properly your IP DNS will be completely removed, and from there it's pure internet, dnscrypt and you.  What I get is so quiet and lonely I can hear a pin drop.

https://blog.ipredator.se/freebsd-dnscrypt-howto.html

https://forums.freebsd.org/threads/51152/

https://github.com/jedisct1/dnscrypt-proxy/issues/161


----------

