Generalize localhost.pem creation instructions

Frank Denis 2020-12-07 17:41:04 +01:00
parent 4f03e410d5
commit e4788005e1

@ -4,7 +4,6 @@ In addition to responding to standard DNS queries, `dnscrypt-proxy` can also act
In particular, this means that Firefox can be configured to use it, so that it will accept to enable ESNI without bypassing your DNS proxy.
In order to enable this, the first thing you need is a certificate. Since this is just for local usage, you can use [that example one](https://raw.githubusercontent.com/DNSCrypt/dnscrypt-proxy/master/dnscrypt-proxy/localhost.pem) or create your own with:
```sh
@ -12,11 +11,9 @@ openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout \
localhost.pem -out localhost.pem
```
During generating a RSA private key, User will be aksed to answer various questions (vide `Country Name`, `Organization Name`, `Email Address` and so on) - however, mentioned input fields can be empty. Now, `localhost.pem` file should be copied to, placed in `/etc/dnscrypt-proxy/` directory. It's also a good idea to change file owner (only DNSCrypt-Proxy user should have access to such important file etc.):
During generating a RSA private key, you will be aksed to answer various questions (`Country Name`, `Organization Name`, `Email Address` and so on).
```# chown _dnscrypt-proxy localhost.pem```
Please note, that `_dnscrypt-proxy` is a default user - in Debian GNU/Linux - created during DNSCrypt-Proxy installation process (please check `User=` option [in:] `/lib/systemd/system/dnscrypt-proxy.service` file).
However, these input fields can be empty or left to their default value.
Next, edit the configuration file, look for the `local_doh` section and uncomment the relevant lines:
@ -28,16 +25,18 @@ cert_file = "localhost.pem"
cert_key_file = "localhost.pem"
```
The path to the `localhost.pem` file should be set in the `cert_file` and `cert_key_file` properties of the `dnscrypt-proxy.toml` configuration file. Also make sure that `localhost.pem` is readable by the `dnscrypt-proxy` user.
Now, `dnscrypt-proxy` should be restarted. With the settings above, the URL of the local DoH server would be `https://127.0.0.1:3000/dns-query`. Here is a small exception of the system logs:
```
[NOTICE] dnscrypt-proxy 2.0.44
```text
[NOTICE] Now listening to https://127.0.0.1:3000/dns-query [DoH]
[INFO] [cloudflare] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[NOTICE] [cloudflare] OK (DoH) - rtt: 54ms
[NOTICE] Server with the lowest initial latency: cloudflare (rtt: 54ms)
[NOTICE] dnscrypt-proxy is ready - live servers: 1
```
### Serving external queries
It is possible, but not recommended, to configure `local_doh` to listen to outside queries, for example:
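Review bot: "Here is a small exception of the system logs" should read "excerpt". The added sentence "make sure that `localhost.pem` is readable by the `dnscrypt-proxy` user" only states the lower bound; because the same file holds the private key, suggest "readable by the `dnscrypt-proxy` user and by nobody else". Removing the `[NOTICE] dnscrypt-proxy 2.0.44` line from the sample log matches the goal of keeping the page version-independent, and tagging the fence as ```text is fine.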
@ -74,7 +73,7 @@ After having set up the `local DoH` feature as documented above, open the DoH se
The first time, the web browser will notice that the certificate is self-signed and complain about it.
This is expected. Click "Advanced" and "I accept the risks". This is okay, you are only going to connect to your own machine. Please note, that without above step - without "accept the risk", using a DNS server to resolve the IP address of any website will be not working and there will be many TLS handshake error messages in system log files, such as - for example:
```
```text
dnscrypt-proxy[13628]: http: TLS handshake error from 127.0.0.1:38984: remote error: tls: bad certificate
```
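Review bot: grammar in the added sentence: "using a DNS server to resolve the IP address of any website will be not working" should be "name resolution through this local DoH server will not work", and "Please note, that without above step" should be "Note that without the step above". It would also help to state next to the sample line that `remote error: tls: bad certificate` is the browser refusing the self-signed certificate during the handshake, so readers connect that log entry to the missing certificate exception rather than to a server-side fault.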