My New Recommendation for Adware, Malware, Spyware protection

tsu2 · May 20, 2018, 6:38am

https://github.com/jedisct1/dnscrypt-proxy

And,
The reasons for using this are far more than just as a protection against Adware, Malware and Spyware.
It’s also one of the relatively few ways that sets up an encrypted DNS connection between your machine and the public DNS server.

Strictly speaking,
A DNS proxy isn’t quite the same as setting up a system proxy because your machine could still connect to forbidden Internet sites by IP address, but generally everything on the Internet is accessed by Domain Names and if intrusive apps decided not to use DNS, they would be unable to respond to simple blocks and shutting them down would be much easier than if they could automatically resolve to a new address whenever a resource was taken down.

Installing on openSUSE
Follow the Linux Install instructions… download the latest x64 Linux binary, extract to a suitable location, and follow the instructions.
https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux

Note that the Documentation doesn’t really understand the problems associated with editing /etc/resolv.conf directly, and their solution is to set the file to read-only after you’ve edited it. Better is to follow the instructions embedded in the openSUSE /etc/resolv.conf file to edit the /etc/sysconfig/network/config file appropriately (setting a Static server IP address to 127.0.0.1).

By default, when you start up dnscrypt-proxy, it will automatically test connections to a long list of public DNS servers that support dnscrypt, and select the fastest. No manual configuration needed.

After the above, you’ll have encrypted DNS sessions set up, but not yet blocklists.
You can ignore the section about systemd, AFAICSee those issues are non-existent on openSUSE.
**
Configuring Blocklist support**
You can follow the instructions to configure “blacklist.txt” but to generate current blacklists, you’ll need to run the blacklist file generator at https://github.com/jedisct1/dnscrypt-proxy/blob/master/utils/generate-domains-blacklists/generate-domains-blacklist.py

You can either clone the entire project directory or download/copy the blacklist generator script from the above link.
When you run the generator script, it goes out and downloads the latest versions of more than a couple dozen public blocklists and generates a file you can use. Of course, you can modify the script to add or point to additional blocklists or otherwise modify however you wish. That’s really nice to be given this good a start and the ability to modify granularly.

And, it’s all FOSS.

Enjoy,
TSU

tsu2 · May 20, 2018, 11:34pm

Today,
Thought of a new, important scenario this should be used…

When a VPN is set up, one of the most well known mistakes is to not set up a DNS within the VPN, resulting in “VPN leaks” where someone can sniff your non-tunneled traffic and see all your DNS request and responses. That’s tantamount to actually accessing your traffic, while not seeing the content it’d be easy to see all the sites you want to connect to. That would be similar to inspecting telco metadata, where someone could see all the phone numbers of people you called while not actually listening in on your words.

When you have a DNS proxy set up encrypting your DNS traffic, you’ve vastly improved your privacy.

Of course, this only works for public Internet destinations, if your VPN provides special access to non-public company resources, then you can’t use dnscrypt-proxy, or at least maybe you can experiment with some fallback options in the config file. But, in this case you you’d have to access a DNS within your VPN just to access those resources so your traffic should be secure without dnscrypt-proxy.

TSU

d3vnull · May 22, 2018, 12:01pm

ExpressVPN “open sourced” their tools for checking for VPN leaks. I have not played with them, but did bookmark them for later testing:

https://github.com/expressvpn/expressvpn_leak_testing

Probably overkill for many, but critical for others.