For this first project, we will assume that:
- you are a competent Linux user
- who is interested in security and privacy
- who is willing to experiment and break things
- who has control of your home environment
- who has control of your home firewall
- who has control of your home DHCP server
- who understands what "static IP address on the local network" means
- who has a spare RaspberryPi, or similar small Linux instance such as a container that can have a static IP address exposed on the local network
I'm using a RaspberryPi with Raspbian Lite, but Ubuntu or Debian on Linux would also work.
If you're not using a RaspberryPi, this might be different; but I just checked my local router's non-DHCP address space, picked a suitable free static address, and then followed the process described here:
sudo vi /etc/dhcpcd.conf
...and (assuming wifi networking; adjust the interface name if not) edit or append something like this; see your platform documentation for correct details.
interface wlan0
static ip_address=X.X.X.A/24
static routers=X.X.X.B
static domain_name_servers=X.X.X.C
...and then I did reboot and checked that the static address was in place and being used by the RaspberryPi.
Obviously we will be revisiting the value of domain_name_servers in the future. If you're stuck for a temporary value, use 1.1.1.1 or 8.8.8.8 for the moment.
Installing Tor is easy. I did:
sudo apt install tor
...and on Raspbian, at the time of writing, this provides Tor 0.3.5.8 as shown by tor -v.
Edit /etc/tor/torrc and uncomment the line that says:
SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
DNSCrypt-proxy is a "flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt"; it's an interesting tool to mess around with, and even references some of what we are about to do, in critical terms:
While the communications themselves are secure, and while the stateless nature of the DNSCrypt protocol helps against fingerprinting individual devices, DNS server operators can still observe client IP addresses.
A common way to prevent this is to use DNSCrypt over Tor or SOCKS proxies. However, Tor significantly increases the latency of DNS responses. And public SOCKS proxies are difficult to operate, as they can easily be abused for purposes unrelated to DNS.
I'm actually okay with this analysis; I consider it to be dated, and since my work for the past few years has largely consisted of disrupting people's prejudices about Tor and its performance and usability, where that document says "Tor significantly increases the latency of DNS responses", I am coming from the perspective of "can we make it 'good enough for most people'?" In truth any extra "hop" is going to add latency to my DNS resolutions, and I am willing to trade a little latency for some extra privacy.
DNSCrypt-proxy is a huge package, but has a pretty comprehensive wiki to help.
Unfortunately the current (Feb 2020) version of dnscrypt-proxy that is bundled with Raspbian is too old (2.0.19) to be useful; we have to try to use the precompiled binaries, instead.
Following and abridging the PiHole instructions:
sudo -i # get to root; all further commands must run as root
cd /opt
wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_arm-2.0.44.tar.gz
tar xzvf dnscrypt-proxy-linux_arm-2.0.44.tar.gz
rm dnscrypt-proxy-linux_arm-2.0.44.tar.gz
mv linux-arm/ dnscrypt-proxy/
cd dnscrypt-proxy/
echo "# test" > dnscrypt-proxy.toml
chown -R root: ./
./dnscrypt-proxy -service install
./dnscrypt-proxy -service start
If you are building on Ubuntu or other platforms, the repositories (again) seem to be shipping an older version - 2.0.31 on Focal, as of July 2020; I do not know whether this is recent enough to support DoHoT, but I can confirm that version 2.0.39 works with some tweaks to the configuration file, and I now use 2.0.44 as standard.
Please let me know your experiences by logging an issue on Github.
DNSCrypt-Proxy requires a configuration file. An example one is provided, but for DoHoT I recommend that you install dnscrypt-proxy.toml and amend it if necessary.
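To make the shape of such a file concrete, here is an illustrative DoHoT configuration in the same layout as dnscrypt-proxy's own example file; it is an added example written for this page, not the author's dnscrypt-proxy.toml, and the listen address (X.X.X.A), the resolver name ('example-doh') and the stamp are placeholders you must replace with your own values.

```toml
# Illustrative DoHoT settings for dnscrypt-proxy 2.0.x (added example, not the
# author's file). Replace X.X.X.A with the Pi's static address and fill in a
# real resolver name and sdns:// stamp before use.

# Answer the LAN from the Pi's static address, plus localhost for local tests.
listen_addresses = ['127.0.0.1:53', 'X.X.X.A:53']

# DNS-over-HTTPS upstreams only; plain DNSCrypt upstreams are not needed here.
doh_servers = true
dnscrypt_servers = false

# Send every upstream connection through the local Tor SocksPort that was
# uncommented in /etc/tor/torrc. Tor carries TCP only, so keep force_tcp on.
proxy = 'socks5://127.0.0.1:9050'
force_tcp = true

# Pin the upstream(s) explicitly instead of letting dnscrypt-proxy race every
# public resolver; 'example-doh' is a placeholder defined under [static] below.
server_names = ['example-doh']

# Bootstrap lookups (turning an upstream's hostname into an IP) are ordinary
# DNS and do not go through the SOCKS proxy. Keep them away from the temporary
# 1.1.1.1 / 8.8.8.8 resolver in /etc/dhcpcd.conf, and prefer a stamp that
# embeds the server's IP so that no such lookup is needed at all.
ignore_system_dns = true

# A local cache keeps the extra Tor round trip off repeated lookups.
cache = true
cache_size = 4096
cache_min_ttl = 2400

# Only accept upstreams that advertise no logging and no filtering.
require_nolog = true
require_nofilter = true

[static]
  # Placeholder: paste a real DoH stamp here, ideally one whose sdns:// URI
  # includes the resolver's IP address (see the comment on ignore_system_dns).
  [static.'example-doh']
  stamp = 'sdns://PLACEHOLDER-replace-with-a-real-DoH-stamp'
```

After restarting the service, a lookup against X.X.X.A with dig or nslookup should succeed while no DNS traffic leaves the Pi except via Tor.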
Revisiting /etc/dhcpcd.conf, ensure that the DNS configuration line looks something like:
static domain_name_servers=X.X.X.C
...if you earlier used a different, temporary DNS server.
sudo reboot