From de5ade5c2011040bf56ff9f13c287fdef97755b4 Mon Sep 17 00:00:00 2001
From: unman
Date: Thu, 20 Mar 2025 12:06:44 +0000
Subject: [PATCH] DNSCrypt - set networking and firewall. Add README

---
 dnscrypt/README.md | 56 +++++++++++++++++++++++++++++++++++++++++
 dnscrypt/configure.sls | 44 ++++++++++++++++++++++++++++++++
 dnscrypt/install.sls | 14 +++++++++++
 dnscrypt/internalise.sh | 2 ++
 dnscrypt/resolv.conf | 2 ++
 dnscrypt/update_nft.nft | 14 +++++++++++
 dnscrypt/update_nft.sh | 3 +++
 7 files changed, 135 insertions(+)
 create mode 100644 dnscrypt/README.md
 create mode 100644 dnscrypt/internalise.sh
 create mode 100644 dnscrypt/resolv.conf
 create mode 100644 dnscrypt/update_nft.nft
 create mode 100644 dnscrypt/update_nft.sh

diff --git a/dnscrypt/README.md b/dnscrypt/README.md
new file mode 100644
index 0000000..b773a3d
--- /dev/null
+++ b/dnscrypt/README.md
@@ -0,0 +1,56 @@
+# Introduction
+These files create a template, with dnscrypt-proxy installed.
+An AppVM named sys-dnscrypt, is created from that template.
+
+## Template
+The template, template-dnscrypt, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+## Usage
+sys-dnscrypt is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
+
+As with all Debian templates, services are masked in the template.
+This is done in `create.sls`
+
+By default sys-dnscrypt has sys-net as netvm, but you can change this if you wish.
+
+## Installation
+Copy the dnscrypt folder to /srv/salt.
+```
+qubesctl state.apply dnscrypt.clone
+qubesctl --skip-dom0 --targets=template-dnscrypt state.apply dnscrypt.install
+qubesctl state.apply dnscrypt.create
+qubesctl --skip-dom0 --targets=sys-dnscrypt state.apply dnscrypt.configure
+```
+### Template creation
+Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present
+```
+sudo qubesctl state.apply dnscrypt.clone
+```
+
+### Installation
+```
+sudo qubesctl --skip-dom0 --targets=template-dnscrypt state.apply dnscrypt.install
+```
+This state uses `archive.extracted` to extract the tarfile to `/etc/skel`.
+This ensures that the dnscrypt-proxy application will be available in /home/user in all qubes created from the template.
+Note that `archive.extracted` can take the source file specified using `salt://` to target files on the host.
+
+The service is installed with all files in a single source directory, and uses default parameters.
+
+### Qube creation
+`create.sls` is a standard way of creating `sys-dnscrypt` - qvm.present is used to create the qube, and preferences and features are set.
+
+
+### Configuration
+`configure.sls` sets the firewall rules to drop forwarded DNS traffic, to dnat incoming DNS traffic to the service on sys-dnscrypt, and to allow that traffic to reach the server.
+DNAT rules are also set in /rw/config/network-hooks.d to ensure they are not overwritten, and to keep traffic from vif* interfaces set on localnet.
+
+## Notes
+The service is installed from a release tarball, not from a system package.
+This means that updating requires some manual intervention.
+
+The service is to be manually started on sys-dnscrypt, as preferred by the developers.
+The application has not been set to run as a service.
+This could be done with use of `bind-dirs`.
diff --git a/dnscrypt/configure.sls b/dnscrypt/configure.sls
index c2cbda8..f3ae1df 100644
--- a/dnscrypt/configure.sls
+++ b/dnscrypt/configure.sls
@@ -13,5 +13,49 @@ dnscrypt_update_rc.local:
 cp /etc/resolv.conf /etc/resolv.conf.backup
 cp /rw/config/resolv.conf /etc/resolv.conf
+/rw/config/qubes-firewall.d/update_nft.sh:
+ file.managed:
+ - source:
+ - salt://dnscrypt/update_nft.sh
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/rw/config/qubes-firewall.d/update_nft.nft:
+ file.managed:
+ - source:
+ - salt://dnscrypt/update_nft.nft
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/rw/config/network-hooks.d/update_nft.sh:
+ file.managed:
+ - source:
+ - salt://dnscrypt/update_nft.sh
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/rw/config/network-hooks.d/internalise.sh:
+ file.managed:
+ - source:
+ - salt://dnscrypt/internalise.sh
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+dnscrypt-set-localnet:
+ cmd.run:
+ - name: /usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
+
+dnscrypt-configure:
+ file.copy:
+ - name: /home/user/linux-x86_64/dnscrypt-proxy.toml
+ - source: /home/user/linux-x86_64/example-dnscrypt-proxy.toml
 {% endif %}
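Review bot: `dnscrypt-set-localnet` turns on `net.ipv4.conf.all.route_localnet` with a one-off `cmd.run`, which is both wider than the DNAT needs and not persistent: it applies to every interface including the upstream one, and a runtime sysctl in an AppVM does not survive a reboot. The DNAT to 127.0.0.1 only requires route_localnet on the ingress vif interfaces, which the `internalise.sh` hook installed a few lines above already sets per interface, so I would drop this state, or if it is kept, persist it through the `dnscrypt_update_rc.local` state whose tail is this hunk's context rather than run it once. `update_nft.nft` is a rule file read by `nft -f`, not executed, so `- mode: 755` could be `- mode: 644`. The DNAT'd queries only land if dnscrypt-proxy listens on 127.0.0.1:53; presumably the example toml copied by `dnscrypt-configure` defaults to that — confirm and note it in a comment.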
diff --git a/dnscrypt/install.sls b/dnscrypt/install.sls
index 32742e7..93eee6d 100644
--- a/dnscrypt/install.sls
+++ b/dnscrypt/install.sls
@@ -44,6 +44,20 @@ dnscrypt_extract:
 - user: user
 - group: user
+/etc/resolv.conf.backup:
+ file.copy:
+ - source: /etc/resolv.conf
+
+remove_resolv.conf:
+ file.absent:
+ - name: /etc/resolv.conf
+
+new_resolv.conf:
+ file.managed:
+ - name: /etc/resolv.conf
+ - source: salt://dnscrypt/resolv.conf
+
+
 {% endif %}
 {% endif %}
 {% endif %}
diff --git a/dnscrypt/internalise.sh b/dnscrypt/internalise.sh
new file mode 100644
index 0000000..cc17a29
--- /dev/null
+++ b/dnscrypt/internalise.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
diff --git a/dnscrypt/resolv.conf b/dnscrypt/resolv.conf
new file mode 100644
index 0000000..12efe6d
--- /dev/null
+++ b/dnscrypt/resolv.conf
@@ -0,0 +1,2 @@
+nameserver 127.0.0.1
+options edns0
diff --git a/dnscrypt/update_nft.nft b/dnscrypt/update_nft.nft
new file mode 100644
index 0000000..338b477
--- /dev/null
+++ b/dnscrypt/update_nft.nft
@@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+
+flush chain qubes custom-forward
+insert rule qubes custom-forward tcp dport 53 drop
+insert rule qubes custom-forward udp dport 53 drop
+
+flush chain qubes custom-input
+insert rule qubes custom-input tcp dport 53 accept
+insert rule qubes custom-input udp dport 53 accept
+
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
diff --git a/dnscrypt/update_nft.sh b/dnscrypt/update_nft.sh
new file mode 100644
index 0000000..8cffd7f
--- /dev/null
+++ b/dnscrypt/update_nft.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+nft -f /rw/config/qubes-firewall.d/update_nft.nft
+
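Review bot: The backup / `file.absent` / `file.managed` sequence on `/etc/resolv.conf` bakes `nameserver 127.0.0.1` into template-dnscrypt itself, so every qube cloned from it — not only sys-dnscrypt — has no working DNS unless it also runs dnscrypt-proxy; that deserves a comment here and a sentence in the README. `file.managed` already replaces the file in place, so `remove_resolv.conf` only does anything if the template's resolv.conf is a symlink; if that is the reason, say so in a comment, otherwise drop the state. Given that configure.sls's `dnscrypt_update_rc.local` state (visible as context in that hunk) presumably copies `/rw/config/resolv.conf` over `/etc/resolv.conf` in sys-dnscrypt at boot anyway, the template-level change looks redundant — confirm whether Qubes regenerates /etc/resolv.conf on VM start, in which case only the rc.local path is effective. The enclosing `{% if %}` blocks start outside the hunk.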
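Review bot: internalise.sh spawns `bash -c` per interface with `{}` spliced into the command string and calls `sudo`, while declaring `#!/bin/sh` and being run from network-hooks.d, which already executes as root; a plain glob loop does the same with fewer moving parts: `for d in /proc/sys/net/ipv4/conf/vif*; do [ -d "$d" ] && echo 1 > "$d/route_localnet"; done`. That also removes the dependency on bash and sudo being present in a minimal template. If Qubes passes the vif name to network hooks as an argument (I believe it does — confirm), the script could set only that interface instead of rescanning all of them on every hook invocation.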
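Review bot: `nameserver 127.0.0.1` with no fallback means the VM resolves nothing whenever dnscrypt-proxy is not running — and the README says it is started manually — including during the proxy's own startup unless its bootstrap resolvers are configured as IP addresses (the example config presumably does this; confirm). A one-line comment would save the next person a puzzled hour: `# DNS is served only by dnscrypt-proxy on 127.0.0.1:53; nothing resolves until it is started`.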
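Review bot: `flush chain qubes custom-forward` and `flush chain qubes custom-input` wipe every rule in the two chains Qubes reserves for user customisation, so anything another script in `/rw/config/qubes-firewall.d` adds there is silently undone each time this file runs — and with update_nft.sh installed in both qubes-firewall.d and network-hooks.d, that is every firewall reload and every vif event. Put the dnscrypt rules in a dedicated chain (`add chain qubes dnscrypt-dns` is idempotent, then flush only that chain) and reach it from custom-forward/custom-input with a single jump added once, or at least delete only the rules this file owns. The input accepts are also not scoped to the client side: `insert rule qubes custom-input iifname "vif*" tcp dport 53 accept` and its udp twin keep port 53 closed toward the upstream interface. The first `flush chain qubes dnat-dns` is redundant with the one before the dnat rules, and since `qubes` without a family selects the ip table, DNS from client qubes over IPv6 is untouched if IPv6 is enabled — confirm that is intended.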