DNS-over-HTTPS (trailofbits#875)

Author: jackivanov

algo

@@ -43,7 +43,7 @@ read -p "
 Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
 [y/N]: " -r dns_enabled
 dns_enabled=${dns_enabled:-n}
-if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi
+if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=true"; fi
 
 read -p "
 Do you want each user to have their own account for SSH tunneling?

config.cfg

@@ -29,13 +29,20 @@ adblock_lists:
  - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
  - "https://hosts-file.net/ad_servers.txt"
 
+# Enalbe DNS encryption. Use dns_encrypted_provider to specify the provider. If false dns_servers should be specified
+dns_encryption: true
+
+# Possible values: google, cloudflare
+dns_encryption_provider: cloudflare
+
+# DNS servers which will be used if dns_encryption disabled
 dns_servers:
   ipv4:
-    - 8.8.8.8
-    - 8.8.4.4
+    - 1.1.1.1
+    - 1.0.0.1
   ipv6:
-    - 2001:4860:4860::8888
-    - 2001:4860:4860::8844
+    - 2606:4700:4700::1111
+    - 2606:4700:4700::1001
 
 # IP address for the local dns resolver
 local_service_ip: 172.16.0.1

deploy.yml

@@ -63,7 +63,7 @@
           tags: always
 
   roles:
-    - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
+    - { role: dns_adblocking, tags: [ 'dns', 'adblock' ] }
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
     - { role: vpn, tags: [ 'vpn' ] }
 

docs/client-linux.md

@@ -64,7 +64,7 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the
     * Certificate: `cacert.pem` found at `/path/to/algo/configs/1.2.3.4/cacert.pem`
   * Client:
     * Authentication: *Certificate/Private key*
-    * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/pki/certs/user-name.crt` 
+    * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/pki/certs/user-name.crt`
     * Private key: `user-name.key` found at `/path/to/algo/configs/1.2.3.4/pki/private/user-name.key`
   * Options:
     * Check *Request an inner IP address*, connection will fail without this option

docs/setup-roles.md

@@ -20,6 +20,9 @@
 * **DNS-based Adblocking**
   * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
   * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
+* **DNS encryption**
+  * Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
+  * Constrains dingo with AppArmor and cgroups CPU and memory limitations
 * **SSH Tunneling**
   * Adds a restricted `algo` group with no shell access and limited SSH forwarding options
   * Creates one limited, local account per user and an SSH public key for each

roles/common/tasks/ubuntu.yml

@@ -2,7 +2,15 @@
 - name: Cloud only tasks
   block:
   - name: Install software updates
-    apt: update_cache=yes upgrade=dist
+    apt:
+      update_cache: true
+      install_recommends: true
+      upgrade: dist
+
+  - name: Upgrade the ca certificates
+    apt:
+      name: ca-certificates
+      state: latest
 
   - name: Check if reboot is required
     shell: >

roles/dns_adblocking/meta/main.yml

@@ -2,3 +2,6 @@
 
 dependencies:
   - { role: common, tags: common }
+  - role: dns_encryption
+    tags: dns_encryption
+    when: dns_encryption == true

roles/dns_adblocking/tasks/freebsd.yml

@@ -2,3 +2,11 @@
 
 - name: FreeBSD / HardenedBSD | Enable dnsmasq
   lineinfile: dest=/etc/rc.conf regexp=^dnsmasq_enable= line='dnsmasq_enable="YES"'
+
+- name: The dnsmasq additional directories created
+  file:
+    dest: "{{ item }}"
+    state: directory
+    mode: '0755'
+  with_items:
+    - "{{ config_prefix|default('/') }}etc/dnsmasq.d"

roles/dns_adblocking/tasks/main.yml

@@ -3,7 +3,7 @@
 
     - name: The DNS tag is defined
       set_fact:
-        local_dns: Y
+        local_dns: true
 
     - name: Dnsmasq installed
       package: name=dnsmasq

roles/dns_adblocking/tasks/ubuntu.yml

@@ -7,13 +7,13 @@
     owner: root
     group: root
     mode: 0600
-  when: apparmor_enabled is defined and apparmor_enabled == true
+  when: apparmor_enabled|default(false)|bool == true
   notify:
     - restart dnsmasq
 
 - name: Ubuntu | Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
-  when: apparmor_enabled is defined and apparmor_enabled == true
+  when: apparmor_enabled|default(false)|bool == true
   tags: ['apparmor']
 
 - name: Ubuntu | Ensure that the dnsmasq service directory exist

roles/dns_adblocking/templates/dnsmasq.conf.j2

@@ -88,9 +88,13 @@ no-resolv
 # You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
 # server=10.1.2.3@eth1
+{% if dns_encryption|default(false)|bool == true %}
+server={{ local_service_ip }}#5353
+{% else %}
 {% for host in dns_servers.ipv4 %}
 server={{ host }}
 {% endfor %}
+{% endif %}
 
 # and this sets the source (ie local) address used to talk to
 # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
@@ -660,7 +664,7 @@ bind-interfaces
 
 # Include another lot of configuration options.
 #conf-file=/etc/dnsmasq.more.conf
-conf-dir=/etc/dnsmasq.d
+conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d/,*.conf
 
 # Include all the files in a directory except those ending in .bak
 #conf-dir=/etc/dnsmasq.d,.bak

roles/dns_encryption/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+listen_port: "{% if local_dns|d(false)|bool == true %}5353{% else %}53{% endif %}"
+# the version used if the latest unavailable (in case of Github API rate limited)
+dnscrypt_proxy_version: 2.0.10
+apparmor_enabled: true
+dns_encryption: true
+dns_encryption_provider: "*"

roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy

@@ -0,0 +1,23 @@
+#include <tunables/global>
+
+/usr/sbin/dnscrypt-proxy {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  capability chown,
+  capability dac_override,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  /etc/dnscrypt-proxy.toml r,
+  /etc/ld.so.cache r,
+  /usr/sbin/dnscrypt-proxy mr,
+  /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv r,
+  /usr/local/lib/{@{multiarch}/,}libldns.so* mr,
+  /usr/local/lib/{@{multiarch}/,}libsodium.so* mr,
+  /run/dnscrypt-proxy.pid rw,
+  /run/systemd/notify rw,
+}

roles/dns_encryption/files/rc.dnscrypt-proxy.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# PROVIDE: dnscrypt-proxy
+# REQUIRE: LOGIN
+# BEFORE:  securelevel
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
+#
+# dnscrypt_proxy_enable="YES"
+# dnscrypt_proxy_flags="<set as needed>"
+#
+# See rsync(1) for rsyncd_flags
+#
+
+. /etc/rc.subr
+
+name="dnscrypt-proxy"
+rcvar=dnscrypt_proxy_enable
+load_rc_config "$name"
+pidfile="/var/run/$name.pid"
+start_cmd=dnscrypt_proxy_start
+stop_postcmd=dnscrypt_proxy_stop
+
+: ${dnscrypt_proxy_enable="NO"}
+: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
+
+dnscrypt_proxy_start() {
+  echo "Starting dnscrypt-proxy..."
+  touch ${pidfile}
+  /usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
+}
+
+dnscrypt_proxy_stop() {
+  [ -f ${pidfile} ] && rm ${pidfile}
+}
+
+run_rc_command "$1"

roles/dns_encryption/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: daemon reload
+  systemd:
+    daemon_reload: true
+
+- name: restart dnscrypt-proxy
+  service:
+    name: dnscrypt-proxy
+    state: restarted

roles/dns_encryption/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: common
+    tags: common

roles/dns_encryption/tasks/freebsd.yml

@@ -0,0 +1,51 @@
+---
+- name: FreeBSD | Ensure that the required directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
+    - /usr/dnscrypt-proxy/
+
+- name: Required tools installed
+  package:
+    name: gtar
+
+- name: FreeBSD | Retrive the latest versions
+  uri:
+    url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
+  register: dnscrypt_proxy_latest
+  ignore_errors: true
+
+- name: FreeBSD | Set default dnscrypt-proxy assets
+  set_fact:
+    dnscrypt_proxy_latest:
+      json:
+        assets:
+          - name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+            browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+  when: dnscrypt_proxy_latest.failed
+
+- name: FreeBSD | Download the latest archive
+  get_url:
+    url: "{{ item['browser_download_url'] }}"
+    dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+    mode: '0755'
+    force: true
+  with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
+  no_log: true
+  when: '"freebsd_amd64" in item.name'
+  notify: restart dnscrypt-proxy
+
+- name: FreeBSD | Extract the latest archive
+  unarchive:
+    remote_src: true
+    src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
+    dest: /usr/dnscrypt-proxy
+
+- name: FreeBSD | Configure rc script
+  copy:
+    src: rc.dnscrypt-proxy.sh
+    dest: /usr/local/etc/rc.d/dnscrypt-proxy
+    mode: "0755"
+  notify: restart dnscrypt-proxy

roles/dns_encryption/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Include tasks for Ubuntu
+  include_tasks: ubuntu.yml
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Include tasks for FreeBSD
+  include_tasks: freebsd.yml
+  when: ansible_distribution == 'FreeBSD'
+
+- name: dnscrypt-proxy configured
+  template:
+    src: dnscrypt-proxy.toml.j2
+    dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+  notify:
+    - restart dnscrypt-proxy
+
+- name: dnscrypt-proxy enabled and started
+  service:
+    name: dnscrypt-proxy
+    state: started
+    enabled: true
+
+- meta: flush_handlers

roles/dns_encryption/tasks/ubuntu.yml

@@ -0,0 +1,48 @@
+---
+- name: Add the repository
+  apt_repository:
+    state: present
+    codename: artful
+    repo: ppa:shevchuk/dnscrypt-proxy
+
+- name: Install dnscrypt-proxy
+  apt:
+    name: dnscrypt-proxy
+    state: latest
+    update_cache: true
+
+- block:
+  - name: Ubuntu | Unbound profile for apparmor configured
+    copy:
+      src: apparmor.profile.dnscrypt-proxy
+      dest: /etc/apparmor.d/usr.sbin.dnscrypt-proxy
+      owner: root
+      group: root
+      mode: 0600
+    notify: restart dnscrypt-proxy
+
+  - name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
+    command: aa-enforce usr.sbin.dnscrypt-proxy
+    changed_when: false
+  tags: apparmor
+  when: apparmor_enabled|default(false)|bool == true
+
+- name: Ubuntu | Ensure that the dnscrypt-proxy service directory exist
+  file:
+    path: /etc/systemd/system/dnscrypt-proxy.service.d/
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Ubuntu | Setup the cgroup limitations for dnscrypt-proxy
+  copy:
+    dest: /etc/systemd/system/dnscrypt-proxy.service.d/100-CustomLimitations.conf
+    content: |
+      [Service]
+      MemoryLimit=16777216
+      CPUAccounting=true
+      CPUQuota=5%
+  notify:
+    - daemon-reload
+    - restart dnscrypt-proxy