DNScrypt-proxy

trailofbits · Apr 25, 2018 · b55fb4f · b55fb4f
1 parent c92ede5
commit b55fb4f
Show file tree

Hide file tree

Showing 22 changed files with 654 additions and 349 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -44,7 +44,7 @@ before_install:
 install:
   - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache."
   - export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs
-  - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --packages python || true'
+  - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true'
   - 'sudo lxc-start -n $LXC_NAME && until (sudo lxc-info -n $LXC_NAME | grep -q ^IP:); do printf . && sleep 1; done && sleep 2'
   - export LXC_IP="$(sudo lxc-info -Hin $LXC_NAME)"
   - sudo /bin/bash -c "printf '\n$LXC_IP test.lxc\n' >> /etc/hosts"

diff --git a/config.cfg b/config.cfg
@@ -33,8 +33,6 @@ adblock_lists:
 dns_encryption: true
 
 # Possible values: google, cloudflare
-# google: DNS over HTTPS. Dingo will be used
-# cloudflare: DNS over TLS. Unbound will be used
 dns_encryption_provider: cloudflare
 
 # DNS servers which will be used if dns_encryption disabled

diff --git a/docs/setup-roles.md b/docs/setup-roles.md
@@ -21,8 +21,7 @@
   * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
   * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
 * **DNS encryption**
-  * Google DNS over HTTPS: Install the [dingo](https://github.com/pforemski/dingo) dns client
-  * CloudFlare DNS over TLS: Install [unbound](http://www.unbound.net/) resolver
+  * Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
   * Constrains dingo with AppArmor and cgroups CPU and memory limitations
 * **SSH Tunneling**
   * Adds a restricted `algo` group with no shell access and limited SSH forwarding options

diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -664,7 +664,7 @@ bind-interfaces
 
 # Include another lot of configuration options.
 #conf-file=/etc/dnsmasq.more.conf
-conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d
+conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d/,*.conf
 
 # Include all the files in a directory except those ending in .bak
 #conf-dir=/etc/dnsmasq.d,.bak

diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml
@@ -1,15 +1,7 @@
 ---
 listen_port: "{% if local_dns|d(false)|bool == true %}5353{% else %}53{% endif %}"
-dingo_flags: -gdns:auto -port {{ listen_port }} -bind {{ local_service_ip }}
+# the version used if the latest unavailable (in case of Github API rate limited)
+dnscrypt_proxy_version: 2.0.10
 apparmor_enabled: true
-dingo_version_if_latest_unavailable: 0.13
 dns_encryption: true
-dns_encryption_provider: default
-dns_encryption_servers:
-  cloudflare:
-    ipv4:
-      - 1.1.1.1@853
-      - 1.0.0.1@853
-    ipv6:
-      - 2606:4700:4700::1111@853
-      - 2606:4700:4700::1001@853
+dns_encryption_provider: "*"
diff --git a/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy b/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy
@@ -0,0 +1,23 @@
+#include <tunables/global>
+
+/usr/sbin/dnscrypt-proxy {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  capability chown,
+  capability dac_override,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  /etc/dnscrypt-proxy.toml r,
+  /etc/ld.so.cache r,
+  /usr/sbin/dnscrypt-proxy mr,
+  /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv r,
+  /usr/local/lib/{@{multiarch}/,}libldns.so* mr,
+  /usr/local/lib/{@{multiarch}/,}libsodium.so* mr,
+  /run/dnscrypt-proxy.pid rw,
+  /run/systemd/notify rw,
+}
diff --git a/roles/dns_encryption/files/rc.dingo.sh b/roles/dns_encryption/files/rc.dingo.sh
diff --git a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh b/roles/dns_encryption/files/rc.dnscrypt-proxy.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# PROVIDE: dnscrypt-proxy
+# REQUIRE: LOGIN
+# BEFORE:  securelevel
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
+#
+# dnscrypt_proxy_enable="YES"
+# dnscrypt_proxy_flags="<set as needed>"
+#
+# See rsync(1) for rsyncd_flags
+#
+
+. /etc/rc.subr
+
+name="dnscrypt-proxy"
+rcvar=dnscrypt_proxy_enable
+load_rc_config "$name"
+pidfile="/var/run/$name.pid"
+start_cmd=dnscrypt_proxy_start
+stop_postcmd=dnscrypt_proxy_stop
+
+: ${dnscrypt_proxy_enable="NO"}
+: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
+
+dnscrypt_proxy_start() {
+  echo "Starting dnscrypt-proxy..."
+  touch ${pidfile}
+  /usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
+}
+
+dnscrypt_proxy_stop() {
+  [ -f ${pidfile} ] && rm ${pidfile}
+}
+
+run_rc_command "$1"
diff --git a/roles/dns_encryption/files/usr.local.bin.dingo b/roles/dns_encryption/files/usr.local.bin.dingo
diff --git a/roles/dns_encryption/files/usr.sbin.unbound b/roles/dns_encryption/files/usr.sbin.unbound
diff --git a/roles/dns_encryption/handlers/main.yml b/roles/dns_encryption/handlers/main.yml
@@ -3,12 +3,7 @@
   systemd:
     daemon_reload: true
 
-- name: restart dingo
+- name: restart dnscrypt-proxy
   service:
-    name: dingo
-    state: restarted
-
-- name: restart unbound
-  service:
-    name: unbound
+    name: dnscrypt-proxy
     state: restarted
diff --git a/roles/dns_encryption/tasks/dingo/freebsd.yml b/roles/dns_encryption/tasks/dingo/freebsd.yml
diff --git a/roles/dns_encryption/tasks/dingo/main.yml b/roles/dns_encryption/tasks/dingo/main.yml
diff --git a/roles/dns_encryption/tasks/dingo/ubuntu.yml b/roles/dns_encryption/tasks/dingo/ubuntu.yml
diff --git a/roles/dns_encryption/tasks/freebsd.yml b/roles/dns_encryption/tasks/freebsd.yml
@@ -0,0 +1,51 @@
+---
+- name: FreeBSD | Ensure that the required directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
+    - /usr/dnscrypt-proxy/
+
+- name: Required tools installed
+  package:
+    name: gtar
+
+- name: FreeBSD | Retrive the latest versions
+  uri:
+    url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
+  register: dnscrypt_proxy_latest
+  ignore_errors: true
+
+- name: FreeBSD | Set default dnscrypt-proxy assets
+  set_fact:
+    dnscrypt_proxy_latest:
+      json:
+        assets:
+          - name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+            browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+  when: dnscrypt_proxy_latest.failed
+
+- name: FreeBSD | Download the latest archive
+  get_url:
+    url: "{{ item['browser_download_url'] }}"
+    dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+    mode: '0755'
+    force: true
+  with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
+  no_log: true
+  when: '"freebsd_amd64" in item.name'
+  notify: restart dnscrypt-proxy
+
+- name: FreeBSD | Extract the latest archive
+  unarchive:
+    remote_src: true
+    src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
+    dest: /usr/dnscrypt-proxy
+
+- name: FreeBSD | Configure rc script
+  copy:
+    src: rc.dnscrypt-proxy.sh
+    dest: /usr/local/etc/rc.d/dnscrypt-proxy
+    mode: "0755"
+  notify: restart dnscrypt-proxy