DNS-over-HTTPS (trailofbits#875)

Author: jackivanov

algo

@@ -43,7 +43,7 @@ read -p "
 Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
 [y/N]: " -r dns_enabled
 dns_enabled=${dns_enabled:-n}
-if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; fi
+if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=true"; fi
 
 read -p "
 Do you want each user to have their own account for SSH tunneling?

config.cfg

@@ -29,13 +29,20 @@ adblock_lists:
  - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
  - "https://hosts-file.net/ad_servers.txt"
 
+# Enalbe DNS encryption. Use dns_encrypted_provider to specify the provider. If false dns_servers should be specified
+dns_encryption: true
+
+# Possible values: google, cloudflare
+dns_encryption_provider: cloudflare
+
+# DNS servers which will be used if dns_encryption disabled
 dns_servers:
   ipv4:
-    - 8.8.8.8
-    - 8.8.4.4
+    - 1.1.1.1
+    - 1.0.0.1
   ipv6:
-    - 2001:4860:4860::8888
-    - 2001:4860:4860::8844
+    - 2606:4700:4700::1111
+    - 2606:4700:4700::1001
 
 # IP address for the local dns resolver
 local_service_ip: 172.16.0.1

deploy.yml

@@ -63,7 +63,7 @@
           tags: always
 
   roles:
-    - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
+    - { role: dns_adblocking, tags: [ 'dns', 'adblock' ] }
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
     - { role: vpn, tags: [ 'vpn' ] }
 

docs/client-linux.md

@@ -64,7 +64,7 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the
     * Certificate: `cacert.pem` found at `/path/to/algo/configs/1.2.3.4/cacert.pem`
   * Client:
     * Authentication: *Certificate/Private key*
-    * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/pki/certs/user-name.crt` 
+    * Certificate: `user-name.crt` found at `/path/to/algo/configs/1.2.3.4/pki/certs/user-name.crt`
     * Private key: `user-name.key` found at `/path/to/algo/configs/1.2.3.4/pki/private/user-name.key`
   * Options:
     * Check *Request an inner IP address*, connection will fail without this option

docs/setup-roles.md

@@ -20,6 +20,9 @@
 * **DNS-based Adblocking**
   * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
   * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
+* **DNS encryption**
+  * Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
+  * Constrains dingo with AppArmor and cgroups CPU and memory limitations
 * **SSH Tunneling**
   * Adds a restricted `algo` group with no shell access and limited SSH forwarding options
   * Creates one limited, local account per user and an SSH public key for each

roles/common/tasks/ubuntu.yml

@@ -2,7 +2,15 @@
 - name: Cloud only tasks
   block:
   - name: Install software updates
-    apt: update_cache=yes upgrade=dist
+    apt:
+      update_cache: true
+      install_recommends: true
+      upgrade: dist
+
+  - name: Upgrade the ca certificates
+    apt:
+      name: ca-certificates
+      state: latest
 
   - name: Check if reboot is required
     shell: >

roles/dns_adblocking/meta/main.yml

@@ -2,3 +2,6 @@
 
 dependencies:
   - { role: common, tags: common }
+  - role: dns_encryption
+    tags: dns_encryption
+    when: dns_encryption == true

roles/dns_adblocking/tasks/freebsd.yml

@@ -2,3 +2,11 @@
 
 - name: FreeBSD / HardenedBSD | Enable dnsmasq
   lineinfile: dest=/etc/rc.conf regexp=^dnsmasq_enable= line='dnsmasq_enable="YES"'
+
+- name: The dnsmasq additional directories created
+  file:
+    dest: "{{ item }}"
+    state: directory
+    mode: '0755'
+  with_items:
+    - "{{ config_prefix|default('/') }}etc/dnsmasq.d"

roles/dns_adblocking/tasks/main.yml

@@ -3,7 +3,7 @@
 
     - name: The DNS tag is defined
       set_fact:
-        local_dns: Y
+        local_dns: true
 
     - name: Dnsmasq installed
       package: name=dnsmasq

roles/dns_adblocking/tasks/ubuntu.yml

@@ -7,13 +7,13 @@
     owner: root
     group: root
     mode: 0600
-  when: apparmor_enabled is defined and apparmor_enabled == true
+  when: apparmor_enabled|default(false)|bool == true
   notify:
     - restart dnsmasq
 
 - name: Ubuntu | Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
-  when: apparmor_enabled is defined and apparmor_enabled == true
+  when: apparmor_enabled|default(false)|bool == true
   tags: ['apparmor']
 
 - name: Ubuntu | Ensure that the dnsmasq service directory exist