DNSCrypt

BadAss.Sx advises everyone to use DNSCrypt on their system (Mac & Windows). This little tool encrypts all the DNS queries you submit to DNS servers and replaces your ISP's DNS servers with the DNS servers from OpenDNS.

For Mac or Windows you can simply go here and download the version for your OS. If you are on Linux or a BSD variant, the instructions are below:

If you are on Linux

$ ldconfig # only needed if you installed libsodium from source
$ git clone --recursive git://github.com/Cofyc/dnscrypt-wrapper.git
$ cd dnscrypt-wrapper
$ make configure # generates the configure script
$ ./configure
$ make install

If you are on FreeBSD

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent2
$ gmake LDFLAGS='-L/usr/local/lib/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include

If you are on OpenBSD

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/

And finally, if you want to install it on Mac OS X:

$ brew install dnscrypt-wrapper # recommended way

And here are the instructions for using it.

First, you need to generate a provider keypair:

# stored in public.key/secret.key in the current directory
$ ./dnscrypt-wrapper --gen-provider-keypair

After that, you need to generate a crypt keypair:

# stored in crypt_public.key/crypt_secret.key in the current directory
$ ./dnscrypt-wrapper --gen-crypt-keypair

When that is done, generate a pre-signed certificate from the two key pairs you just created:

# stored in dnscrypt.cert in the current directory
$ ./dnscrypt-wrapper --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file

And then it is time to run the program:

$ ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:443 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.yechengfu.com

If you can store the generated pre-signed certificate (a binary string) in a TXT record for your provider name, for example 2.dnscrypt-cert.yourdomain.com, you can omit the --provider-cert-file option: the name server will serve the binary certificate data for you.

Run dnscrypt-proxy to test it:

# --provider-key is the provider public key fingerprint printed in the first step.
$ ./dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.yechengfu.com -r 127.0.0.1:443 --provider-key=<provider_public_key_fingerprint>
$ dig -p 55 google.com @127.0.0.1

Optionally you can add "-d/--daemonize" to let it run as a daemon.
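As an added example that is not part of this post or of dnscrypt-wrapper: a small Python script that parses the dnscrypt.cert produced above and checks its validity window before you publish it in the TXT record, plus a helper that turns the raw 32-byte public.key into the colon-separated fingerprint that dnscrypt-proxy's --provider-key takes. It assumes the certificate is the standard 124-byte DNSCrypt format without extensions and that public.key is the raw Ed25519 key; it does not verify the Ed25519 signature, which needs an Ed25519 library.

```python
import struct
import time

# Field layout of a DNSCrypt certificate (no extensions): 124 bytes, big-endian.
CERT_LAYOUT = ">4sHH64s32s8sIII"
CERT_LEN = struct.calcsize(CERT_LAYOUT)          # 124
ES_VERSIONS = {1: "X25519-XSalsa20Poly1305", 2: "X25519-XChaCha20Poly1305"}

def parse_cert(blob):
    """Parse dnscrypt.cert bytes into a dict; raise ValueError if malformed."""
    if len(blob) < CERT_LEN:
        raise ValueError("certificate too short: %d bytes" % len(blob))
    (magic, es_version, minor, sig, resolver_pk, client_magic,
     serial, ts_start, ts_end) = struct.unpack(CERT_LAYOUT, blob[:CERT_LEN])
    if magic != b"DNSC":
        raise ValueError("bad certificate magic %r" % magic)
    if es_version not in ES_VERSIONS:
        raise ValueError("unknown es-version %d" % es_version)
    if client_magic != resolver_pk[:8]:
        raise ValueError("client-magic does not match the resolver public key")
    if ts_end <= ts_start:
        raise ValueError("ts-end is not after ts-start")
    return {"es_version": ES_VERSIONS[es_version], "minor_version": minor,
            "signature": sig, "resolver_pk": resolver_pk,
            "client_magic": client_magic, "serial": serial,
            "ts_start": ts_start, "ts_end": ts_end,
            # Everything after the signature is what the provider key signs.
            "signed_content": blob[72:]}

def cert_is_current(cert, now=None):
    """True if `now` (unix time, default: the clock) is inside the validity window."""
    now = int(time.time()) if now is None else now
    return cert["ts_start"] <= now < cert["ts_end"]

def provider_fingerprint(public_key):
    """Format a raw 32-byte Ed25519 public key as XXXX:XXXX:... (16 groups)."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    h = public_key.hex().upper()
    return ":".join(h[i:i + 4] for i in range(0, len(h), 4))

def load_cert_file(path):
    with open(path, "rb") as f:
        return parse_cert(f.read())

# Constructed sample (not a real cert): zeroed signature, serial 1, valid one year.
SAMPLE_PK = bytes(range(32))
SAMPLE_CERT = struct.pack(CERT_LAYOUT, b"DNSC", 1, 0, bytes(64), SAMPLE_PK,
                          SAMPLE_PK[:8], 1, 1400000000, 1400000000 + 365 * 86400)
```

Point load_cert_file at your own dnscrypt.cert and compare the reported resolver_pk with crypt_public.key before publishing the record.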