Setting up an encrypted DNS client on a Raspberry Pi

dig resolving through DNS-over-HTTPS

Cloudflare has announced 1.1.1.1 as a public DNS resolver, with an emphasis on privacy protection. Since Cloudflare's resolver supports both DNS-over-TLS and DNS-over-HTTPS, encrypted DNS has become a hot topic.

Because operating systems generally do not support encrypted DNS natively, using it requires a DNS client that speaks the encrypted protocol upstream while acting as a plaintext DNS server for the operating system. I could install such a client on every device I use (on iOS that means a NetworkExtension), or I could run one encrypted DNS client at home and point the router's DNS at it, since the DNS setting handed out at home then follows every device automatically. I chose the latter: it is more convenient, and it also gave me an excuse to play with a Raspberry Pi. The plan is to deploy the encrypted DNS client on the Raspberry Pi so that it serves DNS to the home LAN long-term.

(Why not OpenWRT? Because my home already uses Eero as the router, which gives better coverage through mesh Wi-Fi. If I were going to buy an OpenWRT router to put in front of the Eero, I might as well buy a Raspberry Pi to play with instead.)

Raspberry Pi

I bought this Raspberry Pi kit because it comes with a case and a power supply. The power supply does not matter much, since I have plenty of USB power at home, but I cannot leave a bare board lying around, so a case is necessary. I also bought a 64GB microSD card. All of my microSD cards are 64GB, so I only ever buy 64GB to make swapping them convenient when necessary.

After the Raspberry Pi arrived, I followed the official NOOBS guide to download and prepare the installer. However, after copying NOOBS to the SD card, the Raspberry Pi would not boot at all: only the red LED lit up, with no video output. Some searching revealed that the absence of a green LED means the board is not reading the SD card to boot. I suspected the NOOBS download I started with was bad, so I tried NOOBS Lite and plain Raspbian instead, but neither worked. I also wondered whether the downloaded zip was corrupted, but its sha256 checksum was correct.

Unable to find the problem, I started searching for how the Raspberry Pi actually boots, and found that it must boot from a FAT partition. The official Raspberry Pi documentation tells you to format the SD card with the SD Association's Formatting Tool, but that tool blindly formats any card larger than 32GB as exFAT. In fact, the built-in Disk Utility on the Mac works just fine: even a card larger than 32GB can be formatted as FAT there.

Once the SD card was formatted as FAT, all the problems went away: NOOBS started correctly and Raspbian installed smoothly. After installing Raspbian I tried to enable VNC so that I could control the Raspberry Pi remotely from the Mac, but it turned out that the VNC server installed on it is not compatible with the Screen Sharing client built into the Mac, so I fell back to SSH, which is enough for most operations.

When you enable SSH, Raspbian reminds you to change the default password; if you have not changed it yet, remember to do so, otherwise the setup is far too unsafe. Raspbian does not even ship basic commands such as dig, so they need to be installed with apt-get. Update the package index and then install dig:

sudo apt-get update
sudo apt-get install dnsutils

DNS-over-HTTPS

I basically followed Cloudflare's DNS-over-HTTPS guide. At first I assumed that since Raspbian is a Debian system I could download the Debian package, but it would not install. Then I tried installing the Homebrew version through Linuxbrew; it installed, but the binary could not be executed. After seeing "exec format error" and searching for it, I suddenly realized that the Raspberry Pi is not based on the x86/x64 architecture but on ARM. So is the Raspberry Pi 32-bit or 64-bit? In theory the Raspberry Pi 3 B+ has a 64-bit CPU, but running uname -a on Raspbian shows:

Linux raspberrypi 4.9.80-v7+ #1098 SMP Fri Mar 9 19:11:42 GMT 2018 armv7l GNU/Linux

So it is in fact not running 64-bit, and the correct download is the 32-bit ARM build. Once the right version is chosen, both cloudflared and dnscrypt-proxy work. I installed both, and either can run on localhost:53; in the end I chose dnscrypt-proxy because it is easier to configure. (dnscrypt-proxy ships a configuration template that you can edit, instead of having to write a new file from scratch.)

The dnscrypt-proxy installation follows the official guide: choose the Linux version to download. Remember to download the Linux ARM build, not the ARM64 build or the Android one. (dnscrypt-proxy can also be installed on top of Pi-hole, but I do not want Pi-hole for ad filtering, so I chose the non-Pi-hole route.) The official guide also tells you to check whether another DNS service is already using port 53, but a freshly installed Raspbian should not have any service on port 53, so this step can be skipped.

Once dnscrypt-proxy is downloaded and extracted it can be configured. Assuming we are in the directory dnscrypt-proxy was extracted into:

cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
sudo ./dnscrypt-proxy

At this point dnscrypt-proxy should be running on the Raspberry Pi; verify with dig:

dig +short @127.0.0.1 cloudflare.com AAAA

This verification must be done on the Raspberry Pi itself, because the default dnscrypt-proxy configuration only listens on localhost:53, so port 53 cannot even be reached from another machine. If dnscrypt-proxy is working, we can start changing the configuration. Open dnscrypt-proxy.toml and deal with server_names and listen_addresses. (Over SSH, dnscrypt-proxy.toml can be edited with nano or vi.)

First find server_names, delete the # that comments out that line, and change what follows to the service you want. Both Google and Cloudflare support DNS-over-HTTPS and are reliable large companies, so I chose between those two. Because Google does not emphasize privacy and may well log the data, I use only Cloudflare, and following Cloudflare's documentation changed this line to:

server_names = ['cloudflare', 'cloudflare-ipv6']

Then find listen_addresses; you will see that it only listens on localhost for IPv6 and IPv4, so other machines cannot use the Raspberry Pi for DNS. Now you need a way to give the Raspberry Pi a fixed IP. My approach: my home router's IP is 192.168.0.1 and its DHCP range is 192.168.0.10-192.168.0.199, so 192.168.0.2-192.168.0.9 will never be handed out dynamically. I set the Raspberry Pi's wired network interface to the static IP 192.168.0.2, then added it to the list of listen addresses:

listen_addresses = ['127.0.0.1:53', '[::1]:53', '192.168.0.2:53']

After that, start dnscrypt-proxy again:

sudo ./dnscrypt-proxy

Then test with dig from another machine:

dig +short @192.168.0.2 cloudflare.com AAAA
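As an added example (not part of the original post or of the dnscrypt-proxy project), here is a small Python script that makes the two edits above in dnscrypt-proxy.toml and checks the result before the resolver is exposed to the LAN. It assumes the stock template layout (server_names commented out with a leading #, a single-line listen_addresses) and works on a constructed three-line excerpt of that template; the LAN address 192.168.0.2 is the one from this post, and the function names configure and effective are my own.

```python
import re
import ipaddress

# Added example: not code from the original post or from dnscrypt-proxy itself.
# Assumes the stock example-dnscrypt-proxy.toml layout: a '# server_names = ...'
# line (commented out) and a single-line 'listen_addresses = ...'.

SERVER_NAMES = ["cloudflare", "cloudflare-ipv6"]      # the choice made in the post
LOCAL_LISTENERS = ["127.0.0.1:53", "[::1]:53"]        # the template's defaults


def toml_str_list(items):
    """Render a list of strings as a single-line TOML array of single-quoted strings."""
    return "[" + ", ".join(f"'{s}'" for s in items) + "]"


def configure(text, lan_ip):
    """Return the config text with server_names pinned to Cloudflare and
    lan_ip:53 appended to listen_addresses.  Refuses non-private addresses so
    the resolver is never accidentally exposed beyond the LAN."""
    ip = ipaddress.ip_address(lan_ip)
    if not ip.is_private:
        raise ValueError(f"{lan_ip} is not a private address; refusing to listen on it")
    listener = f"[{ip}]:53" if ip.version == 6 else f"{ip}:53"
    # Match the line whether or not it still carries the template's leading '#'.
    text, n_servers = re.subn(
        r"(?m)^#?[ \t]*server_names[ \t]*=.*$",
        f"server_names = {toml_str_list(SERVER_NAMES)}",
        text, count=1)
    text, n_listen = re.subn(
        r"(?m)^listen_addresses[ \t]*=.*$",
        f"listen_addresses = {toml_str_list(LOCAL_LISTENERS + [listener])}",
        text, count=1)
    if n_servers != 1 or n_listen != 1:
        raise ValueError("expected one server_names and one listen_addresses line")
    return text


def effective(text, key):
    """Return the uncommented single-line array value of key as a list, or None."""
    m = re.search(rf"(?m)^{re.escape(key)}[ \t]*=[ \t]*\[(.*)\][ \t]*$", text)
    return None if m is None else re.findall(r"'([^']*)'", m.group(1))


# Constructed three-line excerpt standing in for example-dnscrypt-proxy.toml.
SAMPLE = """\
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
listen_addresses = ['127.0.0.1:53', '[::1]:53']
max_clients = 250
"""

if __name__ == "__main__":
    print(configure(SAMPLE, "192.168.0.2"), end="")
```

Run it against the real file with configure(open("dnscrypt-proxy.toml").read(), "192.168.0.2") and write the result back; the private-address check is there because a listen_addresses entry on a public interface would turn the Pi into an open resolver.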

If all is well, dnscrypt-proxy can be installed as a system service that starts at boot:

sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start
sudo systemctl enable dnscrypt-proxy

After logging in to the router and changing the router's DNS to 192.168.0.2, every device at home will use the dnscrypt-proxy on the Raspberry Pi as its DNS, which in turn reaches Cloudflare's servers over DNS-over-HTTPS. The official dnscrypt-proxy guide also says to point the Linux host's own DNS client at localhost, but I did not, because the Raspberry Pi does nothing else, so I do not care whether the DNS requests sent by the Raspberry Pi itself are encrypted. As long as it serves DNS well to the other devices in my house, that is enough.

Known Issues

There are some known issues with this approach. First, if we access an HTTPS service that uses SNI, the domain name is still transmitted in the clear, so even with encrypted DNS the domain name still leaks. When several HTTPS domains with different certificates coexist on a single IP, SNI is required, otherwise the server cannot decide which certificate and key to use for the SSL handshake. SNI is therefore common on cloud platforms, because a cloud platform often shares one IP among multiple services, and each service belongs to a different customer with a different certificate. For larger sites this is less common, because no matter how many domain names a large site has, it can put them all on the same certificate.

Second, I did not configure IPv6; dnscrypt-proxy is only bound to an IPv4 address. If IPv6 is assigned a different DNS server, queries that use the IPv6 DNS will still go out in plaintext. If IPv6 is not used on your network, that is no problem. I know that Comcast hands out IPv6 addresses along with IPv6 DNS servers, so if the IPv6 DNS is not set on the router (or cannot be set), the Comcast-assigned IPv6 DNS may be pushed down to the devices, and that is plaintext DNS. (The same applies to other ISPs.)
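An added Python check (not from the original post) for the IPv6 gap just described: it parses resolv.conf-style text and reports every nameserver that is not the Pi's dnscrypt-proxy listener, classifying link-local and global IPv6 entries separately since those are the ones a router or ISP pushes via RA/DHCPv6. The resolver lines are a constructed sample, the trusted address 192.168.0.2 is the one from this post, and the function names are my own.

```python
import ipaddress

# Added example: not code from the original post.  Audits the resolvers a Linux
# client has in /etc/resolv.conf against the one trusted listener (the Pi).
TRUSTED = {"192.168.0.2"}   # the dnscrypt-proxy listener from the post


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses found in resolv.conf text, in order.
    Comments (# or ;) are dropped and IPv6 scope ids (fe80::1%eth0) stripped."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
            except ValueError:
                continue                 # skip malformed entries rather than crash
    return servers


def untrusted_resolvers(resolv_conf, trusted=TRUSTED):
    """Return [(address, reason)] for every nameserver that is not in trusted."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for ip in parse_nameservers(resolv_conf):
        if ip in trusted_ips:
            continue
        if ip.version == 6 and ip.is_link_local:
            reason = "link-local IPv6: typically the router itself via RA/DHCPv6, forwarding in plaintext"
        elif ip.version == 6:
            reason = "global IPv6: typically ISP-assigned, queried in plaintext"
        else:
            reason = "IPv4 resolver other than the dnscrypt-proxy listener"
        findings.append((str(ip), reason))
    return findings


# Constructed sample of what a dual-stack client behind such a router might end up with.
SAMPLE_RESOLV = """\
# Generated by resolvconf (constructed sample)
nameserver 192.168.0.2
nameserver 2001:db8:ffff::1    ; constructed ISP IPv6 resolver
nameserver fe80::1%eth0
"""

if __name__ == "__main__":
    for addr, reason in untrusted_resolvers(SAMPLE_RESOLV):
        print(f"{addr}: {reason}")
```

Run it on a real client with untrusted_resolvers(open("/etc/resolv.conf").read()); an empty result means every configured resolver is the Pi, and anything else is a path by which plaintext DNS can still leave the network.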

Finally, if you like my articles, you are welcome to subscribe to my blog by e-mail.

Origin: www.cnblogs.com/cathsfz/p/11479088.html