DNSCrypt 2.0

Frank Denis edited this page Oct 6, 2018 · 25 revisions

This can probably replace the DNSCrypt page, but that page is being left for archive purposes until the dnscrypt-proxy 2.0 instructions are fully fleshed out.

DNSCrypt-Proxy 2.0

DNSCrypt-Proxy 2.0 by jedisct1 drastically simplifies configuration and installation. There are pre-built binaries as well. The main configuration options are now centralized in a .toml file. Server selection and server updates are handled automatically.

Step 1: Install DNSCrypt-Proxy

  • cd /opt: Move to the /opt directory. This is where we will place the dnscrypt-proxy files.
  • Download the latest pre-built binary. I'm using Pi-Hole on Linux x86_64 architecture, so I'll use linux_x86_64. Replace this with your system architecture; you can check which one you use by running uname -sm. If you are using Pi-Hole 3, you'll use Linux arm (NOT x64) instead.
  • tar xzvf dnscrypt-proxy-linux_x86_64-2.*.tar.gz: Extract prebuilt binary
  • mv linux-x86_64 dnscrypt-proxy: Rename the extracted folder
  • rm dnscrypt-proxy-linux_x86_64-2.*.tar.gz: Remove the archive
  • cd dnscrypt-proxy: Change into the extracted directory
  • cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml: Create a configuration file based on the example one
  • sudo nano dnscrypt-proxy.toml: Edit the toml file. This is where all the fancy configuration happens.
  • In the listen_addresses line, edit the port to be something other than 53 (since 53 is already being used by Pi-Hole). I'll use port 5300 in this example. You can also change both the IPv4 and IPv6 addresses as desired.
  • Edit other settings as desired. I set require_dnssec to be true. There are a lot of other options, but server selection and more are already handled automatically. If you want to specify the server(s) you want to use, look at this site.
  • sudo ./dnscrypt-proxy -service install: install dnscrypt-proxy service
  • sudo ./dnscrypt-proxy -service start: start the new service
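The configuration part of Step 1 as a small script. This is an added example, not part of the Pi-hole wiki page or the dnscrypt-proxy project; it assumes you are in the extracted dnscrypt-proxy directory, that example-dnscrypt-proxy.toml has the listen_addresses and require_dnssec lines in the same shape as the upstream example file, and that the uname-to-tarball mapping in dnscrypt_build_suffix matches the release names (check the release page for anything not listed).

```shell
#!/bin/sh
# Added example (not from the Pi-hole wiki or dnscrypt-proxy itself).

# Map `uname -sm` output to the suffix used in the dnscrypt-proxy release
# tarballs (dnscrypt-proxy-<suffix>-2.x.y.tar.gz). Assumption: these are the
# upstream names; anything else must be looked up by hand.
dnscrypt_build_suffix() {
  case "$1" in
    "Linux x86_64")                echo linux_x86_64 ;;
    "Linux i686"|"Linux i386")     echo linux_i386 ;;
    "Linux aarch64")               echo linux_arm64 ;;
    "Linux armv6l"|"Linux armv7l") echo linux_arm ;;   # Raspberry Pi / Pi-hole 3: arm, not x64
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# Create dnscrypt-proxy.toml from the example file with the listen port moved
# off 53 (Pi-hole's own resolver owns 53) and require_dnssec switched on.
#   $1 = example toml, $2 = output toml, $3 = port (default 5300)
make_dnscrypt_config() {
  example="$1"; out="$2"; port="${3:-5300}"
  sed \
    -e "s/^listen_addresses = .*/listen_addresses = ['127.0.0.1:${port}', '[::1]:${port}']/" \
    -e 's/^require_dnssec = false/require_dnssec = true/' \
    "$example" > "$out"
  # Refuse to finish if the proxy would still collide with Pi-hole on port 53.
  if grep -q "^listen_addresses = .*:53'" "$out"; then
    echo "listen_addresses still uses port 53" >&2
    return 1
  fi
}

# Read back the IPv4 listen port, which Step 2 needs for the host#port setting.
config_listen_port() {
  sed -n "s/^listen_addresses = \['127\.0\.0\.1:\([0-9]*\)'.*/\1/p" "$1"
}

# Usage in the extracted directory (download/extract as in the steps above):
#   make_dnscrypt_config example-dnscrypt-proxy.toml dnscrypt-proxy.toml 5300
#   sudo ./dnscrypt-proxy -service install && sudo ./dnscrypt-proxy -service start
```

The port-53 check at the end of make_dnscrypt_config is there because a silent collision with Pi-hole is the most common reason the service "installs fine" and then never starts.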

You can see dnscrypt-proxy 2.0 installation instructions on the wiki.

Warning: I did not set dnscrypt-proxy to run as a non-root user yet.

There are instructions on the wiki. The relevant command grants the binary the capability to bind privileged ports (below 1024) without running as root:

  • sudo setcap cap_net_bind_service=+pe dnscrypt-proxy

Also see the wiki for details on DNS server sources.

Step 2: Modify Pi-Hole

If you're running a newer version of Pi-Hole (FTLDNS), every custom DNS field can now take a port number using the host#port syntax. Of course, you should remove (uncheck) every other DNS server so that all queries go through dnscrypt-proxy. Like this:

(replace 5353 with 5300 if that is the port dnscrypt-proxy is listening on, as suggested above)

If you're running an older version of Pi-Hole, then follow these instructions:

  • sudo nano /etc/dnsmasq.d/02-dnscrypt.conf: Create new or edit existing conf.
  • Set server=<IP>#<port> to the address and port where dnscrypt-proxy is listening. For example, my .toml file is listen_addresses = ['', '[::1]:5300'], so edit the conf file to be server=
  • sudo nano /etc/pihole/setupVars.conf: Edit setupVars.conf.
  • Comment out all PIHOLE_DNS= lines. (put a # at the beginning of the line)
  • sudo nano /etc/dnsmasq.d/01-pihole.conf
  • Comment out all server=... lines. (put a # at the beginning of the line)
  • sudo service dnsmasq restart: restart dnsmasq

DNSSEC validation

If you configured dnscrypt-proxy to use a resolver that performs DNSSEC validation, make sure to enable it in dnsmasq as well, so the validated (AD) flag from the upstream answer is passed on to clients: echo "proxy-dnssec" >> /etc/dnsmasq.d/02-dnscrypt.conf
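The "older Pi-Hole" edits from Step 2 together with the proxy-dnssec line above, as an added example that is not part of the wiki page or the Pi-hole project. The functions take the directory paths as parameters so you can try them on copies first; on a real install pass /etc/dnsmasq.d and /etc/pihole, run as root, and restart dnsmasq afterwards. The file names and the PIHOLE_DNS_n / server= line shapes are taken from the steps above; the listen address 127.0.0.1#5300 is the example value from this page.

```shell
#!/bin/sh
# Added example (not from the Pi-hole wiki or Pi-hole itself).

# Prefix matching lines with '#'. Rewrites through a temp file rather than
# `sed -i.bak`, because dnsmasq's conf-dir loads every file in /etc/dnsmasq.d
# except names ending in ~ or starting with . or # -- a leftover 01-pihole.conf.bak
# would silently re-add the old upstreams.
#   $1 = sed basic-regex to match at line start, $2 = file
comment_lines() {
  pattern="$1"; file="$2"
  sed "s/^\(${pattern}\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Write the dnsmasq drop-in that points Pi-hole at dnscrypt-proxy.
#   $1 = dnsmasq.d directory, $2 = host, $3 = port, $4 = "dnssec" to add proxy-dnssec
write_dnscrypt_dropin() {
  dir="$1"; host="$2"; port="$3"; dnssec="${4:-}"
  conf="$dir/02-dnscrypt.conf"
  {
    echo "# upstream resolver: dnscrypt-proxy listening on ${host}#${port}"
    echo "server=${host}#${port}"
    # Only pass the AD bit through when the dnscrypt-proxy resolver validates
    # DNSSEC (require_dnssec = true in dnscrypt-proxy.toml); otherwise clients
    # would see "authenticated" answers nobody checked.
    if [ "$dnssec" = dnssec ]; then
      echo "proxy-dnssec"
    fi
  } > "$conf"
}

# Comment out every other upstream so queries can only leave via dnscrypt-proxy.
#   $1 = dnsmasq.d directory, $2 = pihole config directory
disable_other_upstreams() {
  comment_lines 'PIHOLE_DNS[^=]*=' "$2/setupVars.conf"   # PIHOLE_DNS_1=..., PIHOLE_DNS_2=...
  comment_lines 'server='          "$1/01-pihole.conf"   # server=... lines
}

# Count the upstreams dnsmasq would still forward to; after the edits it must be 1.
#   $1 = dnsmasq.d directory
active_upstreams() {
  cat "$1"/*.conf | grep -c '^server='
}

# Usage on a real install (as root), followed by: service dnsmasq restart
#   write_dnscrypt_dropin /etc/dnsmasq.d 127.0.0.1 5300 dnssec
#   disable_other_upstreams /etc/dnsmasq.d /etc/pihole
#   active_upstreams /etc/dnsmasq.d      # expect 1
```

active_upstreams is the check worth running before the restart: if it prints more than 1, some query path still bypasses dnscrypt-proxy, which is exactly the leak the test sites at the end of this page look for.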

Test DNSCrypt

Use the built-in client:

./dnscrypt-proxy -resolve google.com

This will display the resolver you are currently using.

  • Test site
  • Test site -- Note that the output of this test is not enough to confirm the absence of leaks. In particular, Cisco and Google will transparently send a copy of your real network address to companies they partner with (via the EDNS Client Subnet mechanism).

There are more links on the first test site as well.
