dnscrypt and VPN #24

Couto opened this issue Sep 3, 2015 · 4 comments


3 participants

commented Sep 3, 2015

I've been a long-time user of the streisand project.
I'm also a user of dnsmasq for development purposes (to redirect all *.dev domains to localhost).
So, reading about dnscrypt on your guide, it seemed like an easy addition to get some extra level of privacy.

Your instructions were crystal clear, and after the setup, everything worked fine... Until the moment that I connected to my VPN using tunnelblick.

Most VPNs override the DNS settings, and therefore they break with dnscrypt.
Has something like this happened to you before? If so, how did you fix it?



commented Sep 3, 2015

@Couto I have the same problem with some VPNs; I have subscribed to 3 VPNs through very cheap temporary deals/bundles.
For one of them, I must start the VPN then DNSCrypt.

For another VPN, I have extracted some country-server settings, inserted them in Apple Network, and activate the 'country' I want through the Apple VPN icon in the menu bar.

For another VPN, don't use it often, I think it does not change the DNS, so DNSCrypt is launched then the VPN.

You can check your IP and DNS used on



commented Sep 4, 2015

It sounds like the VPN software is setting DNS settings, which makes sense. I'm not familiar with tunnelblick but will check it out. You'll probably want to edit the scripts or commands it uses to set DNS to localhost, so your packets take this route:

browser > dnsmasq > dnscrypt client > vpn server > dnscrypt server > upstream resolver(s)

instead of

browser > vpn dns server > upstream resolver(s)


commented Sep 4, 2015

Most VPNs are using Google DNS, which is not a good idea for privacy, without mentioning censorship. and
2001:4860:4860::8888 & 2001:4860:4860::8844

Some VPNs have their own, providing an extra level of privacy.
Up to you to choose another free or paid DNS service, but try it first to see if it can work along with your VPN.

Perhaps adding a list of alternative (free) DNS would be helpful.
And all the different commands to flush DNS cache:

Find the fastest DNS around you with:

To get your IP and DNS IP:

To check your DNS:

To learn DNS:

DNS alternatives:

More here:



commented Sep 4, 2015

Ok, so I was able to figure out my (specific) problem:

  1. dnscrypt requires the computer to use as DNS server (which makes sense)
  2. OpenVPN says that I should use a specific DNS server (and actually pushes the configuration to the client)
    So far, no apparent problem, except that, at least Tunnelblick won't actually change the system DNS settings, if they've been manually changed before (to set dnscrypt)

My solution was simply to manually add the VPN's preferred DNS server to my nameservers list, after the dnscrypt address.

I hope I was clear on my solution, just in case someone needs it.

@TraderStf Thanks a lot for the links. Specially, which was quite valuable
@drduh Thanks for the explanation, your diagram actually pointed me in the right direction.

Feel free to close, if you wish so :)

@drduh closed this in e9bc603 Sep 4, 2015
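
An added example, not part of the thread or the project's own code: a shell check that classifies a DNS server list by whether a local (loopback) resolver comes first and whether non-local servers follow it, as in the setup described in the last comment. With a second server listed, the system can send queries to it without going through dnscrypt. It assumes the dnscrypt/dnsmasq listener is on a loopback address and that the list arrives one address per line, as `networksetup -getdnsservers <service>` prints it on macOS; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: classify a DNS server list read from stdin (one address per line).
# Assumption: the local dnscrypt/dnsmasq listener is on a loopback address.

is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one verdict line:
#   empty                          no servers configured
#   bypassed <addr>                first server is not local (e.g. VPN took over DNS)
#   local-first-with-fallback ...  local resolver first, non-local servers after it
#   local-only                     every listed server is local
classify_dns_order() {
    first="" fallbacks="" count=0
    while IFS= read -r line; do
        # Keep only lines made of address characters; this skips blank lines
        # and the "There aren't any DNS Servers set on ..." message.
        case "$line" in
            ""|*[!0-9a-fA-F.:]*) continue ;;
        esac
        count=$((count + 1))
        if [ "$count" -eq 1 ]; then
            first=$line
        elif ! is_loopback "$line"; then
            fallbacks="${fallbacks:+$fallbacks }$line"
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "empty"
    elif ! is_loopback "$first"; then
        echo "bypassed $first"
    elif [ -n "$fallbacks" ]; then
        echo "local-first-with-fallback $fallbacks"
    else
        echo "local-only"
    fi
}

# Constructed sample: local resolver first, then a placeholder VPN DNS server
# (192.0.2.53 is a documentation-range address, not one from the thread).
printf '127.0.0.1\n192.0.2.53\n' | classify_dns_order
```

On a Mac the live list can be piped in with `networksetup -getdnsservers Wi-Fi | classify_dns_order`, where `Wi-Fi` stands for whatever the network service is called on that machine.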
