DNSCrypt / dnscrypt-server-docker

A Docker image for a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver
https://dnscrypt.info
ISC License

Use dynamic external ip in dnscrypt server #70

Closed YanzheL closed 5 years ago

YanzheL commented 5 years ago

Hi,

I tried to set up my own DNSCrypt server using this docker image. But the init command requires me to use a specific external IP instead of 0.0.0.0. (init -N <provider_name> -E <external ip>:<port>)

How can I set up DNSCrypt server in a VPS that has dynamic external IP?

More specifically, the VPS provider has an elastic public IP feature, and it uses NAT to redirect the traffic of the external IP to the intranet IP, e.g. 10.0.0.1, which is called "Virtual Private Cloud". The VPS can only "see" this intranet IP 10.0.0.1 that is bound to its primary network interface.

So in this scenario, I cannot properly initialize dnscrypt server because the real external IP is dynamic.

I wonder why I cannot just use 0.0.0.0 to initialize the server? Is this external IP used in the TLS certificate that will be verified later? If not, you can just remove the restriction and allow me to use 0.0.0.0.

jedisct1 commented 5 years ago

Does the external IP change after it has been assigned?

You can totally use 0.0.0.0:443, but the printed stamp will be incorrect.

You need to recompute it with the actual external IP (for example using https://dnscrypt.info/stamps/) and use that new value with the clients.

YanzheL commented 5 years ago

If I use 0.0.0.0, the init step will output `Do not use 0.0.0.0, use an actual external IP address`, and the container remains in an uninitialized state that prevents server startup.

```
root@example:~# docker run --name=dnscrypt-server -p 60443:443 jedisct1/dnscrypt-server init -N example.com -E 0.0.0.0:443
Do not use 0.0.0.0, use an actual external IP address
```

The IP on the network interface won't change after the external IP is re-assigned. It is always the intranet IP.

The incorrect stamp doesn't matter because I can just re-generate it on the client side. The client can get the correct public IP of the server via DNS lookup.

jedisct1 commented 5 years ago

Haha indeed, that check was specifically added to make the distinction between the actual external IP address, and the local address to bind.

You can use anything, then. Locally, 0.0.0.0 will be bound no matter what. The external IP address is only useful to print the stamp.
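As an added illustration of the two points above (the external IP only affects the printed stamp, and a stamp printed with 0.0.0.0 can be recomputed with the real address), here is an encoder/decoder for the DNSCrypt `sdns://` stamp format. This is example code written for this page, not part of dnscrypt-server-docker; the key and provider name are constructed sample values.

```python
import base64
import struct

# Property bits from the DNS Stamps spec: DNSSEC, no logs, no filtering.
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1 << 0, 1 << 1, 1 << 2

# Constructed sample values (not a real provider key or deployment).
SAMPLE_KEY = bytes(range(32))
SAMPLE_NAME = "2.dnscrypt-cert.example.com"


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the bytes."""
    return bytes([len(data)]) + data


def dnscrypt_stamp(addr, public_key, provider_name,
                   props=PROP_DNSSEC | PROP_NO_LOGS | PROP_NO_FILTER):
    """Encode an sdns:// DNSCrypt stamp (protocol id 0x01)."""
    if len(public_key) != 32:
        raise ValueError("DNSCrypt provider public key must be 32 bytes")
    body = (bytes([0x01]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _lp(public_key) + _lp(provider_name.encode()))
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")


def parse_dnscrypt_stamp(stamp):
    """Decode a DNSCrypt stamp into (addr, public_key, provider_name, props)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if body[0] != 0x01:
        raise ValueError("not a DNSCrypt stamp")
    props = struct.unpack("<Q", body[1:9])[0]
    pos, fields = 9, []
    for _ in range(3):  # addr, public key, provider name
        n = body[pos]
        fields.append(body[pos + 1:pos + 1 + n])
        pos += 1 + n
    return fields[0].decode(), fields[1], fields[2].decode(), props


def rewrite_stamp_address(stamp, new_addr):
    """Re-encode a printed stamp with the real external IP:port; key and name are kept."""
    _, pk, name, props = parse_dnscrypt_stamp(stamp)
    return dnscrypt_stamp(new_addr, pk, name, props)


# Stamp as printed after an init with 0.0.0.0, and the corrected one for the clients.
PRINTED = dnscrypt_stamp("0.0.0.0:443", SAMPLE_KEY, SAMPLE_NAME)
CORRECTED = rewrite_stamp_address(PRINTED, "203.0.113.7:60443")
```

Only the address field differs between the two stamps; the provider public key and name, which are what clients actually verify the certificate against, are unchanged.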

YanzheL commented 5 years ago

Ok, understood. Thanks.