Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Installation Debian Ubuntu
Installation on Debian and Ubuntu
Debian Stretch and Ubuntu currently ship with old and unsupported
dnscrypt-proxy package (1.9.x). Debian Testing and Unstable have up to date packages.
Generic Linux installation procedure
The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
However, if you had an old
dnscrypt-proxy 1.x version installed, remove it first with:
apt-get purge dnscrypt-proxy
Ubuntu PPA installation
sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy && \ sudo apt update && \ sudo apt install dnscrypt-proxy
Do not upgrade from v1.x on Ubuntu Xenial. Instead first backup your systemd units (service and socket) then remove the old version and delete the systemd service file (keep the socket), then upgrade (replace artful with xenial in ppa sources.list). If you don't remove the old systemd unit service, the upgrade will not replace it and the new version will attempt to be started using the old systemd unit, which will fail.
Package also configures dnsmasq to use dnscrypt-proxy (see
The same package should also work fine on Debian.
If dnsmasq is already running
Option 1: remove dnsmasq
dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable
dnsmasq for NetworkManager, make the
/etc/NetworkManager/NetworkManager.conf file look like this:
[main] plugins=ifupdown,keyfile,ofono #dns=dnsmasq [ifupdown] managed=false
Option 2: keep dnsmasq
If you want to continue to use dnsmasq (default on Ubuntu), some configuration is needed:
- dnsmasq listens on
127.0.0.1:53, so configure dnscrypt-proxy to use something different (e.g.
- configure dnsmasq to use dnscrypt-proxy if file not already configured:
$ sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF # Redirect everything to dnscrypt-proxy server=127.0.2.1 no-resolv proxy-dnssec EOF
cd /etc/dnscrypt-proxy sudo cp dnscrypt-proxy.toml dnscrypt-proxy.toml.original # non-idempotent
listen_addresses = ['127.0.0.1:53'] with
listen_addresses = . For some reason, the package installs systemd sockets instead of standard sockets.
Further configuration changes can be made later as needed, but in order to help with troubleshooting, keep the changes to a minimum for now.
Using the command line
This is just one way to get the nameserver persistently added to
Create a file
resolv.conf.override as below. Match the permissions and owner. Here, 127.0.0.1 comes from
$ cd /etc $ ll resolv.conf.override -rwxrwxrwx 1 root root 172 Jun 26 20:38 resolv.conf.override* $ cat resolv.conf.override nameserver 127.0.0.1
Create a script
20-resolv-conf-override as below. Match the permissions and owner.
$ cd /etc/NetworkManager/dispatcher.d $ ll 20-resolv-conf-override -rwxr-xr-x 1 root root 101 Jun 26 20:45 20-resolv-conf-override* $ cat 20-resolv-conf-override #!/bin/sh cp -f /etc/resolv.conf.override /run/resolvconf/resolv.conf $ sudo ln -f 20-resolv-conf-override ./pre-up.d/
Using the network configuration applet
- Go to network configuration applet. Click
Wifi Icon> Edit Connections >
Click on Wired Connection 1(if you use wired) or the Wifi name that you currently used and click
- In the
Editing...window, click IPv4 settings, choose
Automatic (DHCP) address onlyon the method. Finally add
If the PPA installer was used, restart the services:
sudo systemctl restart NetworkManager sudo systemctl restart dnscrypt-proxy
The older commands for the same are:
sudo service network-manager restart sudo service dnscrypt-proxy restart
If instead the installation was done manually:
sudo ./dnscrypt-proxy -service install sudo ./dnscrypt-proxy -service start
dnscrypt-proxy -resolve github.com dig dnscrypt.info | grep SERVER # Must show matching nameserver, e.g. 127.0.0.1#53, in resolv.conf ping -c1 google.com # Should show matching IP and ping successfully sudo tcpdump # Should show specific resolver if it is not rotating