This can probably replace the DNSCrypt page, but leaving it for archive purposes until dnscrypt-proxy 2.0 instructions are fully fleshed out.
DNSCrypt-Proxy 2.0 by jedisct1 drastically simplifies configuration and installation, and pre-built binaries are available. The main configuration options are now centralized in a single `.toml` file, and server selection and server list updates are handled automatically.
Step 1: Install DNSCrypt-Proxy
- `cd /opt`: Move to the /opt directory. This is where we will place the dnscrypt-proxy files.
- Download the latest pre-built binary. I'm using Pi-Hole on Linux x86_64 architecture, so I'll use `linux_x86_64`. Replace this with your system architecture; you can check which one you use by running `uname -sm`. If you are using Pi-Hole 3, you'll use Linux arm (NOT x64) instead.
- `tar xzvf dnscrypt-proxy-linux_x86_64-2.*.tar.gz`: Extract the pre-built binary.
- `mv linux-x86_64 dnscrypt-proxy`: Rename the extracted folder.
- `rm dnscrypt-proxy-linux_x86_64-2.*.tar.gz`: Remove the archive.
- `cd dnscrypt-proxy`: cd into the extracted directory.
- `cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml`: Create a configuration file based on the example one.
- `sudo nano dnscrypt-proxy.toml`: Edit the toml file. This is where all the fancy configuration happens.
  - In the `listen_addresses` line, edit the port to be something other than `53` (`53` is being used by Pi-Hole). I'll use port 5300 in this example. You can also change both the IPv4 and IPv6 addresses as desired.
  - Edit other settings as desired. I set one option to `true`. There are a lot of other options, but server selection and more is already done. If you want to specify the server(s) you want to use, look at this site.
- `sudo ./dnscrypt-proxy -service install`: Install the dnscrypt-proxy service.
- `sudo ./dnscrypt-proxy -service start`: Start the new service.
You can see dnscrypt-proxy 2.0 installation instructions on the wiki.
Warning: I did not set dnscrypt-proxy to run as a non-root user yet. There are instructions on the wiki; the key command, which lets the binary bind privileged ports without running as root, is:
`sudo setcap cap_net_bind_service=+pe dnscrypt-proxy`
Also see the wiki for details on DNS server sources.
Step 2: Modify Pi-Hole
If you're running a new version of Pi-Hole (FTLDNS), all custom DNS fields can now take a port number with the syntax `host#port`. Of course, you should remove (uncheck) every other DNS server. Like this:
`127.0.0.1#5300` (use 5300 if this is the port dnscrypt-proxy is listening on, as suggested above)
If you're running an older version of Pi-Hole, then follow these instructions:
- `sudo nano /etc/dnsmasq.d/02-dnscrypt.conf`: Create a new conf file or edit the existing one. It must point dnsmasq at the address and port where dnscrypt-proxy is running. For example, my `listen_addresses = ['127.0.0.1:5300', '[::1]:5300']`, so edit the conf file to contain `server=127.0.0.1#5300` (and `server=::1#5300` for IPv6).
- `sudo nano /etc/pihole/setupVars.conf`: Edit setupVars.conf.
  - Comment out all `PIHOLE_DNS=` lines (put a `#` at the beginning of each line).
- `sudo nano /etc/dnsmasq.d/01-pihole.conf`
  - Comment out all `server=...` lines (put a `#` at the beginning of each line).
- `sudo service dnsmasq restart`: Restart dnsmasq.
If you configured DNSCrypt to use a resolver with DNSSEC validation enabled, make sure to enable it in dnsmasq as well:
`echo "proxy-dnssec" >> /etc/dnsmasq.d/02-dnscrypt.conf`
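The older-Pi-Hole path above hand-translates the `listen_addresses` entries into dnsmasq `server=` lines, and the two tools use different notation (`[::1]:5300` versus `::1#5300`). The following added script (not from this page or the dnscrypt-proxy project) does that translation for a constructed sample of `dnscrypt-proxy.toml` and also refuses any listen address still on port 53, which would collide with Pi-Hole's dnsmasq; the sample TOML and the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive dnsmasq "server=" lines for /etc/dnsmasq.d/02-dnscrypt.conf
# from the listen_addresses line of dnscrypt-proxy.toml, and check that no
# address uses port 53 (already taken by Pi-Hole's dnsmasq).
# dnscrypt-proxy writes host:port ("[::1]:5300" for IPv6); dnsmasq wants host#port.

# Constructed sample of the relevant part of dnscrypt-proxy.toml (not a real file).
SAMPLE_TOML=$(cat <<'EOF'
# constructed sample
listen_addresses = ['127.0.0.1:5300', '[::1]:5300']
max_clients = 250
EOF
)

# Read a TOML file on stdin; print one "server=host#port" line per listen address.
listen_to_server_lines() {
    # keep only the listen_addresses line, drop a trailing comment,
    # the "key = [" prefix and the closing list bracket
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' \
    | sed -E 's/#.*$//; s/^[^=]*=[[:space:]]*\[//; s/\][[:space:]]*$//' \
    | tr ',' '\n' \
    | sed -E "s/[[:space:]'\"]//g; /^$/d" \
    | sed -E 's/^\[([^]]+)\]:([0-9]+)$/\1#\2/; s/^(.*):([0-9]+)$/\1#\2/' \
    | sed 's/^/server=/'
}

# Exit status 0 if no listen address on stdin uses port 53, 1 otherwise.
no_port_53() {
    ! listen_to_server_lines | grep -Eq '#53$'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_TOML" | listen_to_server_lines
if printf '%s\n' "$SAMPLE_TOML" | no_port_53; then
    echo "ok: no listen address collides with Pi-Hole on port 53"
else
    echo "conflict: a listen address still uses port 53" >&2
fi
```

Redirect the output of `listen_to_server_lines` into `02-dnscrypt.conf` after reviewing it; the `no_port_53` check is the one to run before restarting dnsmasq.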
Use the built-in client:
`./dnscrypt-proxy -resolve google.com`
This will display the resolver you are currently using.
- Test site
- Test site. Note that the output of this test is not enough to confirm the absence of leaks. In particular, Cisco and Google will transparently send a copy of your real network address to companies they partner with (the EDNS Client Subnet mechanism).
There are more links on the first test site as well.