Posted 06-17-2017 at 06:57 PM by arniekat


Sources - Arch Linux Wiki and the Unbound website

DNSCrypt-Proxy is a tool for securing communications between a client and a DNS resolver. It provides a local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. By default dnscrypt-proxy is configured to use OpenDNS' servers.

DNSSEC allows a zone (such as a domain) to be signed by its owner, and allows a resolver (for instance, Comcast's DNS servers) to verify the signature and therefore be sure that the zone data it receives is authentic. It protects the resolver from accepting forged data, but it provides no confidentiality: anyone on the path between you and the resolver can still read, tamper with or drop the traffic. That gap is what DNSCrypt covers.

In this tutorial, we will configure Unbound with DNSSEC and dnscrypt-proxy, along with ad blocking. Unbound is configured to forward to three (3) instances of dnscrypt-proxy, each pointed at a different upstream DNS server. Those upstream resolvers MUST be DNSSEC-enabled, so that the signatures Unbound validates come back intact. You will also create an additional block list at /etc/unbound/adblock.nsakey.20170526 containing approximately 70,000 entries for ad servers, web bugs, malicious sites and trackers. It is derived from hosts-format lists but written as Unbound local-data entries, each pointing the name at a sink address (the post calls this NXDOMAIN; strictly, Unbound then answers with an A record for that address rather than a true NXDOMAIN, so a blocked name still resolves but cannot be connected to).

If you are using some sort of null server like PixelServ, NullServ or Kwakd, set the address in the block list to the address that null server listens on instead.

Since Unbound will be listening on localhost port 53, dnscrypt-proxy has to listen on another port or on another address. I chose three different ports on localhost. There will be three (3) instances of dnscrypt-proxy running on non-privileged ports for redundancy.


1) When I first booted dnscrypt-proxy, dmesg warned me that "cisco" keeps DNS logs, so I changed the default Resolver Name to "fvz-rec-us-lax-01" since it is closer and probably not logged. I then received the following error:

# cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log

[NOTICE] Starting dnscrypt-proxy 1.9.5
[INFO] Generating a new session key pair
[INFO] Done
[ERROR] Unable to retrieve server certificates
[INFO] Refetching server certificates

The resolver entries in the source package file dnscrypt-proxy-1.9.5/dnscrypt-resolvers.csv (LibreOffice Calc will open it) tend to go stale: resolvers move, shut down or rotate their provider keys. When that happens you get the error shown above and nothing resolves, so a stale list is the first thing to check before suspecting the rest of the configuration.

Get a fresh file from:

and copy it over /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. The list carries the provider public keys that dnscrypt-proxy authenticates each resolver against, so fetch it over HTTPS and, where a .minisig signature is published alongside it, verify it with minisign before installing it.

Be sure to use one of the entries from the fresh dnscrypt-resolvers.csv file in your dnscrypt-proxy configuration file!

2) If you are using the DNSSEC security extensions, try to pick IPv6-ready, DNSSEC-capable resolvers from the dnscrypt-resolvers.csv list so that the setup is fully compliant with the test at . If any IPv4-only DNS server is configured in dnscrypt-proxy, that test will not report 100% compliance. I will use three (3) IPv6 DNS servers.

3) You will also see resolvers in the main list described as "Adguard DNS Family Protection" and "Remove ads and protect your computer from malware". AdGuard runs those resolvers with its own malware and ad-server lists; however, they are NOT DNSSEC-enabled, so I did not use them. Also, I will be creating my own malware and ad server list with approximately 70,000 entries, which works perfectly for me.

4) You can also use OpenNIC DNS servers; OpenNIC publishes a list of servers that are DNSCrypt-capable and DNSSEC-enabled. Use "ping" (included in Slackware) or "fping" (not part of the base install) to find the fastest one(s), add those to /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv (an entry needs the resolver address, provider name and provider public key, not just an IP), and list them in the configuration file /etc/default/dnscrypt-proxy. Latency only tells you which server is near: a fast resolver that logs queries or does not validate DNSSEC is still the wrong choice.
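The selection rules in notes 2 through 4 (DNSSEC-validating, no logs, IPv6 where possible) can be applied mechanically to the CSV. The script below is an added example written for this page; it is not part of the original post or of dnscrypt-proxy. It reads a dnscrypt-resolvers.csv on standard input, locates the columns by their header names rather than by position (the names "Name", "DNSSEC validation", "No logs", "Resolver address" and "Provider name" are assumed from the 1.9.x file; any other header is reported as an error), and prints the resolvers that meet the criteria. The CSV embedded in it is constructed for the demo and every resolver in it is fictional.

```shell
#!/bin/sh
# Added example: filter dnscrypt-resolvers.csv for DNSSEC-validating,
# no-logs resolvers, optionally IPv6 only. Not part of dnscrypt-proxy.
# Usage: pick_resolvers ipv6 < /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
#        pick_resolvers any  < /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv

pick_resolvers() {
    awk -v want="${1:-any}" '
    # Minimal RFC 4180 field splitter: handles quoted fields that contain
    # commas and doubled quotes, which the description column uses.
    function parse_csv(line, f,    n, i, c, q, cur) {
        n = 1; cur = ""; q = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (q) {
                if (c == "\"") {
                    if (substr(line, i + 1, 1) == "\"") { cur = cur "\""; i++ }
                    else q = 0
                } else cur = cur c
            } else if (c == "\"") q = 1
            else if (c == ",") { f[n++] = cur; cur = "" }
            else cur = cur c
        }
        f[n] = cur
        return n
    }
    { sub(/\r$/, "") }                  # tolerate CRLF line endings
    NR == 1 {
        # Column positions come from the header, not from hard-coded indices
        # (header names assumed from the dnscrypt-proxy 1.9.x file).
        n = parse_csv($0, f)
        for (i = 1; i <= n; i++) col[f[i]] = i
        if (!("Name" in col) || !("DNSSEC validation" in col) ||
            !("No logs" in col) || !("Resolver address" in col) ||
            !("Provider name" in col)) {
            print "pick_resolvers: unexpected CSV header" > "/dev/stderr"
            exit 2
        }
        next
    }
    {
        split("", f)                    # clear fields left from the previous row
        parse_csv($0, f)
        if (f[col["DNSSEC validation"]] != "yes") next
        if (f[col["No logs"]] != "yes") next
        addr = f[col["Resolver address"]]
        # IPv6 resolvers are written as [addr]:port in this file
        if (want == "ipv6" && addr !~ /^\[/) next
        printf "%s\t%s\t%s\n", f[col["Name"]], addr, f[col["Provider name"]]
    }'
}

# Constructed sample in the same layout as dnscrypt-resolvers.csv; all entries fictional.
sample_csv() {
    cat <<'EOF'
Name,"Full name",Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
alpha-ipv6,"Alpha, IPv6","Validates DNSSEC, keeps no logs",Poland,,https://alpha.example,1,yes,yes,no,[2001:db8::1]:443,2.dnscrypt-cert.alpha.example,0000:1111,
beta-ipv4,"Beta","IPv4 only",Germany,,https://beta.example,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.beta.example,2222:3333,
gamma-logs,"Gamma","Keeps query logs",France,,https://gamma.example,1,yes,no,no,[2001:db8::2]:443,2.dnscrypt-cert.gamma.example,4444:5555,
delta-nodnssec,"Delta","No DNSSEC",Canada,,https://delta.example,1,no,yes,no,[2001:db8::3]:443,2.dnscrypt-cert.delta.example,6666:7777,
EOF
}

# Stand-alone demo: only alpha-ipv6 satisfies all three criteria.
sample_csv | pick_resolvers ipv6
```

The output is name, resolver address and provider name, tab separated; the provider name is what you put next to the resolver in /etc/default/dnscrypt-proxy, and the address tells you which port or interface the instance will talk to. Run it against the freshly downloaded list rather than the one shipped in the source tarball.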


DNSCrypt-Proxy secures the communication between your computer and a DNS resolver. This particular setup caches the answers in memory with Unbound, which speeds up repeated DNS queries.

Compile and install:


The configuration file is set up to use the "dnscrypt" user by default, and to chroot into that user's home directory to limit the damage a compromised proxy can do. In order to use the default configuration you should create a dnscrypt user and group with the following commands:

# groupadd -g 293 dnscrypt
# useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user you should edit the CHROOTDIR and USER options in /etc/default/dnscrypt-proxy (there are example settings provided for the user 'nobody'). Compile and install the three applications.

Edit the file /etc/default/dnscrypt-proxy and place three instances of dnscrypt-proxy for redundancy. Since I will be using the DNS Security Extensions, I need to find three different IPv6 servers from the dnscrypt-resolvers.csv file that are DNSSEC enabled. The three I chose are DNS Servers that are dnssec-enabled and do not keep logs.

Country Name
Poland soltysiak-ipv6

# vi /etc/default/dnscrypt-proxy




Save the file and exit.

Here is the format for dnscrypt-proxy if you were using different IP Addresses instead of different Ports. The Port will default to Port 53


Make sure the file /etc/rc.d/rc.dnscrypt-proxy is executable. If it is not, use the following command:

# chmod +x /etc/rc.d/rc.dnscrypt-proxy

Now, edit the file /etc/rc.d/rc.local and add these lines:

# Start DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy start
fi

To properly stop dnscrypt-proxy on system shutdown, add the following to /etc/rc.d/rc.local_shutdown

# vi /etc/rc.d/rc.local_shutdown

# Stop DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy stop
fi

Save the file and exit.


You need to make two changes to system files in order to use Dnscrypt-Proxy and Unbound.

Here is the flow of information:
DNS request > Unbound (cache and DNSSEC validation) > dnscrypt-proxy (encrypts and authenticates the query) > DNSSEC-capable upstream resolver

In order to send all DNS requests through Unbound, and from there out to dnscrypt-proxy, you need to update /etc/resolv.conf to point at localhost. DHCP will overwrite this file on every reboot, so enter the information and then make /etc/resolv.conf immutable. I enabled EDNS with the "options edns0" directive.

# vi /etc/resolv.conf

options edns0

Save the file and exit. Set the immutable attribute so your DHCP client cannot change the file at the next reboot.

# chattr +i /etc/resolv.conf
# lsattr /etc/resolv.conf
----i---------e---- /etc/resolv.conf

NOTE - If your /etc/resolv.conf file keeps changing back to your old setting even after editing it, the reason is that the network manager (wicd or NetworkManager) is rewriting the file. When my computer did this, I turned off the wicd script (or NetworkManager)

# chmod -x /etc/rc.d/rc.wicd
# chmod -x /etc/rc.d/rc.networkmanager

and rebooted so that my wireless network was not brought up. Then I edited the file /etc/resolv.conf and made it immutable. After that I made the rc.wicd or rc.networkmanager script executable again

# chmod +x /etc/rc.d/rc.wicd
# chmod +x /etc/rc.d/rc.networkmanager

and rebooted. The file /etc/resolv.conf accepted the changes and became immutable and everything worked fine.

If you need to edit this file again, remove the immutable attribute first:

# chattr -i /etc/resolv.conf

then edit the file, save and set the immutable bit again.

Open and edit the file /etc/dhclient.conf and add the following line:

# vi /etc/dhclient.conf

prepend domain-name-servers;

Save the file and exit.


Compile and install the application/dependencies in the following order:


Create the UID/GID for Slackware before running unbound.SlackBuild. The SlackBuild framework written for Unbound 1.5.10 still works with newer sources. A note on the --enable-dnscrypt configure flag (added in Unbound 1.6.2): it makes Unbound itself act as a DNSCrypt server and requires libsodium; it is not needed to forward queries to a local dnscrypt-proxy, which Unbound reaches over ordinary DNS, so any recent Unbound release works for the setup in this tutorial. If you want that server-side feature as well, build 1.6.2 or later and add --enable-dnscrypt to the configure flags in the SlackBuild.

# groupadd -g 304 unbound
# useradd -r -u 304 -g 304 -d /etc/unbound/ -s /sbin/nologin -c 'Unbound DNS resolver' unbound

Now, compile and install the Unbound Package.

Move the default configuration file aside and create a new one. The last five lines in the server section (num-threads, msg-cache-slabs, rrset-cache-slabs, infra-cache-slabs and key-cache-slabs) are tuning settings to increase throughput on a dual-core system; see the Unbound tuning guide for more information. Note that DNSSEC validation only happens if the server section also names the trust anchor that unbound-anchor writes, with an auto-trust-anchor-file directive (see the trust-anchor step below).

# mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
# vi /etc/unbound/unbound.conf

server:
    access-control: allow   # syntax: access-control: <netblock> allow
    root-hints: /etc/unbound/root.hints
    do-not-query-localhost: no   # required, the forwarders below live on localhost
    include: /etc/unbound/adblock.nsakey.20170526
    username: unbound
    verbosity: 1
    num-threads: 2
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

forward-zone:
    name: "."
    forward-addr: # DNSCrypt-Proxy-0
    forward-addr: # DNSCrypt-Proxy-1
    forward-addr: # DNSCrypt-Proxy-2

remote-control:
    control-enable: yes

Save the configuration file and exit. If you are using different IP addresses instead of different ports, the forward-zone section has this format:

forward-zone:
    name: "."
    forward-addr: # DNSCrypt-Proxy-0
    forward-addr: # DNSCrypt-Proxy-1
    forward-addr: # DNSCrypt-Proxy-2


root-hints: names the file that lists the root DNS servers. Unbound compiles in its own list, but if you want to be sure you are completely up to date, obtain your own. Update the root hints every couple of months.

To resolve a name, Unbound starts at the root DNS servers and works its way down to the authoritative servers. Download a copy of the root hints from InterNIC and place it in /etc/unbound/root.hints, the file the root-hints: directive in unbound.conf points at. We will fetch it with wget, run as root or with sudo. The FTP transfer below is unauthenticated; the same file is served over HTTPS at https://www.internic.net/domain/named.root and that is the safer source. With the trust anchor in place a tampered hints file cannot forge validated answers, but it can send every priming query to a server of the attacker's choosing.

The last current update is April 11, 2017

wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

--2017-04-30 11:23:30--
=> 'named.cache'
Resolving ( 2620:0:2d0:200::9,
Connecting to (|2620:0:2d0:200::9|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /domain ... done.
==> SIZE named.cache ... 3289
==> EPSV ... done. ==> RETR named.cache ... done.
Length: 3289 (3.2K) (unauthoritative)

named.cache 100%[===================>] 3.21K --.-KB/s in 0.004s

2017-04-30 11:23:32 (820 KB/s) - '/etc/unbound/root.hints' saved [3289]


Next, the trust anchor. This file contains the DNSSEC key for the root zone; Unbound needs it as the starting point of the chain of trust down to the name being resolved and validated. Unbound ships a tool that fetches and verifies it; run it as root:

# unbound-anchor

Change the file /etc/rc.d/rc.unbound to make it executable.

# chmod +x /etc/rc.d/rc.unbound

Add the following to /etc/rc.d/rc.local Be sure Unbound starts AFTER Dnscrypt-Proxy.

# vi /etc/rc.d/rc.local

# Start DNSCrypt-Proxy
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
  /etc/rc.d/rc.dnscrypt-proxy start
fi

# Start Unbound DNS cache server
if [ -x /etc/rc.d/rc.unbound ]; then
  /etc/rc.d/rc.unbound start
fi

Save the file and exit.

After everything is configured and set up, give the unbound user ownership of what it must write. The unbound user only needs write access to the trust-anchor file (root.key, which it updates on RFC 5011 key rollovers) and to the directory that file lives in, since Unbound writes the new anchor through a temporary file and renames it. The recursive chown below, as posted, also hands the daemon its own unbound.conf, the block list and the remote-control keys, so a compromised Unbound process could rewrite its own configuration; keeping those root-owned and read-only for unbound, with the anchor in its own subdirectory, is the least-privilege version. The command as posted:

# chown -R unbound:unbound /etc/unbound

Now run unbound-control-setup to generate the key and certificate files that unbound-control uses to talk to the daemon (the remote-control section above enables them).

# unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use


A script to convert Dan Pollock's ad blocking hosts file into Unbound local-data format. The address it uses is the loopback address; you can convert it to the sink address instead (the post calls this NXDOMAIN; strictly, Unbound still answers with an A record for that address rather than a true NXDOMAIN, so the blocked name resolves but cannot be connected to). There are approximately 70,000 entries. The script fetches hosts files from 6 different websites and combines and sorts them into one big list.

When you run it, it creates "tmp" and "lists" folders that can be deleted afterwards. The two files left in the current directory are "block.conf" and "hosts". The "hosts" file can be appended to /etc/hosts if you prefer to block by that method. The "block.conf" file is for Unbound: copy it to /etc/unbound/adblock.nsakey.20170526 and include it from the server: section of /etc/unbound/unbound.conf:

include: /etc/unbound/adblock.nsakey.20170526

Save the file and exit. Each entry has the form local-data: "<host name> A <address>". Here are the first 5 entries from this file so you can see the format.

local-data: " A"
local-data: " A"
local-data: " A"
local-data: " A"
local-data: " A"

When you first start Unbound, you may get errors in the formatting of the hosts file. I just delete the lines and try to start Unbound again. The hosts script has been averaging 4 errors per run every time I create a new Unbound hosts file.
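The formatting errors described above come from hosts-file entries that are not valid host names (stray characters, leading hyphens, underscores, overlong labels). The converter below is an added example written for this page, not the script the post refers to; it turns hosts-format input into Unbound local-data lines, skips names that are not syntactically valid host names (reporting each on stderr), drops the loopback and IPv6 boilerplate entries, lowercases and deduplicates. The sink address is an assumption (0.0.0.0, overridable with BLOCK_ADDR), since the value the post used is not shown; the hosts lines embedded in it are constructed for the demo.

```shell
#!/bin/sh
# Added example: hosts-format block list -> Unbound local-data, with validation.
# Not the converter script referenced in the post.
# Usage: hosts_to_local_data < hosts > /etc/unbound/adblock.nsakey.20170526
#        then run unbound-checkconf before restarting Unbound.

# Assumption: sink address for blocked names (the value used in the post is
# not shown); override with BLOCK_ADDR=... in the environment.
BLOCK_ADDR="${BLOCK_ADDR:-0.0.0.0}"

hosts_to_local_data() {
    awk '
    # A name is accepted only if it is a dotted sequence of LDH labels
    # (letters, digits, hyphen; no leading or trailing hyphen), each label
    # at most 63 octets and the whole name at most 253. Single-label names
    # are dropped too: they are never useful in a block list.
    function valid_name(name,    n, i, parts) {
        if (length(name) > 253) return 0
        if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) return 0
        n = split(name, parts, ".")
        for (i = 1; i <= n; i++) if (length(parts[i]) > 63) return 0
        return 1
    }
    {
        sub(/\r$/, ""); sub(/#.*/, "")      # drop CRLF and comments
        if (NF < 2) next                    # hosts lines are "<address> <name> [<name>...]"
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            sub(/\.$/, "", name)            # accept a trailing dot, store without it
            if (name ~ /^(localhost|localhost\.localdomain|broadcasthost|ip6-.*)$/) continue
            if (!valid_name(name)) {
                print "hosts_to_local_data: skipping invalid name: " name > "/dev/stderr"
                continue
            }
            print name
        }
    }' | LC_ALL=C sort -u | awk -v addr="$BLOCK_ADDR" '{ printf "local-data: \"%s A %s\"\n", $1, addr }'
}

# Constructed sample hosts input covering the cases above.
sample_hosts() {
    cat <<'EOF'
# comment line
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
0.0.0.0 Ads.Example.com        # mixed case, trailing comment
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net bug.example.net
0.0.0.0 bad_host.example.com
0.0.0.0 -bad.example.com
0.0.0.0 good.example.org.
EOF
}

# Stand-alone demo: four valid names survive, two are reported on stderr.
sample_hosts | hosts_to_local_data
```

Because the output is sorted and deduplicated, the same name listed by several of the six source lists produces one local-data line, and a later grep for a name to unblock matches exactly once. Run unbound-checkconf on the result before starting Unbound; it names the file and line of anything it still rejects.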

Check the configuration first with unbound-checkconf, which names the file and line of any malformed entry, then start Unbound:

# /etc/rc.d/rc.unbound start


Let's say you want to unblock a domain that is getting blocked by your adblocker. The domain for this example is ""

$ grep -insr "" /etc/unbound/adblock.nsakey.20170526
34495:local-data: " A"
37497:local-data: " A"
43140:local-data: " A"
44260:local-data: " A"
50575:local-data: " A"
51942:local-data: " A"
53883:local-data: " A"
54546:local-data: " A"
65140:local-data: " A"
68473:local-data: " A"
68538:local-data: " A"

I want to unblock Line 43140 of that file. Use vi and the goto feature to find and delete the line.

# vi /etc/unbound/adblock.nsakey.20170526

Press Esc twice, type the line number, and then press Shift-g (so 43140 followed by G). If you press Shift-g without a line number, vi jumps to the last line of the file.

43140:local-data: " A"

You will be placed at Line 43140. Press dd to delete the line and :wq to save the file and exit.