
Install DNScrypt proxy (DoH)(oDoH)(Anonymized DNS)

☣┌͜∩͜┐͜(͜◣͜_͜◢͜)͜┌͜∩͜┐☣ edited this page Feb 22, 2024 · 32 revisions


DNScrypt is a flexible DNS proxy with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and Oblivious DoH.

Download DNSCrypt

(This guide currently uses the package for ARM platforms. If you are on amd64 (currently named linux_x86_64-2.1.2.tar.gz) or another platform, please download the correct package.)
(Check with: dpkg --print-architecture)

For 32bit OS

Switch to opt directory:

cd /opt

Download package:

Go to https://github.com/DNSCrypt/dnscrypt-proxy/releases/, right-click dnscrypt-proxy-linux_arm-x.x.x.tar.gz and copy the link. In the terminal type "sudo wget <copied link>". For example:

sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-linux_arm-2.1.1.tar.gz

Extract (use the ls command to see the name of the package):

sudo tar -xvf dnscrypt-proxy-linux_arm-x.x.x.tar.gz

Go to the package directory and create the dnscrypt-proxy configuration file:

cd linux-arm && sudo nano dnscrypt-proxy.toml

For 64bit OS

Switch to opt directory:

cd /opt

Download package:

Go to https://github.com/DNSCrypt/dnscrypt-proxy/releases/, right-click dnscrypt-proxy-linux_arm64-x.x.x.tar.gz and copy the link. In the terminal type "sudo wget <copied link>". For example:

sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-linux_arm64-2.1.1.tar.gz

Extract (use the ls command to see the name of the package):

sudo tar -xvf dnscrypt-proxy-linux_arm64-x.x.x.tar.gz

Go to the package directory and create the dnscrypt-proxy configuration file:

cd linux-arm64 && sudo nano dnscrypt-proxy.toml

With Unbound

If using it with Unbound, run DNScrypt-proxy as a forwarder behind the local DNS cache and do not enable its own cache feature; otherwise every query is cached twice on its way to the upstream resolver, which is redundant caching.

To forward queries from a local DNS cache, DNScrypt-proxy must listen on a port other than the default 53: the DNS cache itself (Unbound) listens on 53 and queries DNScrypt-proxy on a different port.
For example:

listen_addresses = ['127.0.0.1:5353', '[::1]:5353']

(can also try ports 5335, 6053, 53000)

Some ways of usage:

  • DNS-over-HTTPS [Cloudflare server] (connections to this specific server cannot be anonymized)
  • DNS-over-HTTPS [DNScrypt server] + Anonymized DNS (DNSCrypt servers support the Anonymized DNS feature, but not all of them do)
  • DNS-over-HTTPS [DNScrypt & Cloudflare] + Anonymized DNS (using more than one server)
  • Oblivious DNS-over-HTTPS [oDoH Cloudflare server] (anonymized by default)
  • Oblivious DNS-over-HTTPS [Parental control]: servers that filter some websites not suitable for children. Use together with cloaking rules in order to also sanitize search results: Discussions#30

This example uses one to two servers and relays; you can add more, as well as extra features.
For more info: DNScrypt wiki

Copy and paste the following settings into the dnscrypt-proxy.toml file
(it is currently set for DoH [Cloudflare] only; please read the info provided in the file and edit it to suit):

### More info about dnscrypt-proxy configuration settings
##go to: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml

### List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
### Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
 
### Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true
block_ipv6 = false

### Enable a DNS cache to reduce latency and outgoing traffic(set false if using Unbound)
cache = false

### Use servers implementing the specific protocol
dnscrypt_servers = false
odoh_servers = false
doh_servers = true

### You can choose other servers from the public resolver list, whichever is fastest for you
##go to: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
#or for an easier to read and search server database: https://theummahentrepreneur.notion.site/DNScrypt-DOH-servers-75553dc433194fd1a4e641f4918611ab
##(not all servers support the anonymized DNS feature). dnscrypt.ca-1 is used below as an example that supports it

### For oDoH, REMOVE 'cloudflare' + 'cloudflare-ipv6' & ADD 'odoh-cloudflare'
### For DoH(dnscrypt) and anonymized dns, REMOVE 'cloudflare' + 'cloudflare-ipv6' & ADD 'dnscrypt.ca-1'
### For DoH(dnscrypt) and anonymized dns with Cloudflare, only ADD 'dnscrypt.ca-1' to server_names
server_names = ['cloudflare', 'cloudflare-ipv6']
### Example of Quad9 DNS servers with Quad9_DNScrypt anonymized servers:
#server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri']

### Servers ###
### For more sources and resolver lists: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/DNS-server-sources
[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

### Anonymized DNS relays ####
  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
  cache_file = '/var/cache/dnscrypt-proxy/relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

### The oDoH server and relays are already set here. For more servers and relays
##go to: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH
### For a DoH(dnscrypt) server with anonymized DNS, replace odoh-cloudflare with 'dnscrypt.ca-1'
### For DoH(dnscrypt) relays, set via to ['*'] for a random relay (you could get a slow one)
##or choose a relay that is fastest for you: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md
[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'

Save the file after editing (Ctrl+X, then Y, then Enter).
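Before installing the service, it is worth checking that the edited file agrees with the notes above: the listen port is not 53 and the cache is off when Unbound sits in front, odoh_servers is true when an odoh- server is selected, and every [anonymized_dns] route names a server that is actually in server_names (the template as published still routes odoh-cloudflare while server_names selects cloudflare). The script below is an added example, not part of this page or of dnscrypt-proxy; it assumes the flat key layout of the template and that names starting with odoh- in the public list are Oblivious DoH servers, and the two sample files it checks are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki or dnscrypt-proxy: sanity-check a dnscrypt-proxy.toml
# written by following this guide. It reads only the flat keys the guide uses (not a TOML parser).

# Value of the first uncommented top-level `KEY = value` line in FILE.
cfg_value() { grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'; }
# Names inside a TOML string array such as ['cloudflare', 'odoh-cloudflare'] (reads stdin).
quoted_names() { grep -oE "'[^']+'" | tr -d "'"; }
# server_name values referenced by [anonymized_dns] routes in FILE.
route_servers() { grep -oE "server_name[[:space:]]*=[[:space:]]*'[^']+'" "$1" | quoted_names; }

# Prints one line per finding; returns 1 if anything was found, 0 if the file looks consistent.
check_config() {
    f=$1; rc=0
    port=$(cfg_value "$f" listen_addresses | grep -oE ":[0-9]+'" | head -n 1 | tr -d ":'")
    # Forwarder behind Unbound: must not bind 53, and must not cache a second time.
    if [ "$port" = 53 ]; then
        echo "listen_addresses uses port 53, which Unbound already binds"; rc=1
    elif [ "$(cfg_value "$f" cache)" = true ]; then
        echo "cache = true while forwarding on port $port: redundant caching"; rc=1
    fi
    names=$(cfg_value "$f" server_names | quoted_names)
    for n in $names; do  # assumption: odoh-* names in the public list are Oblivious DoH servers
        case $n in odoh-*) [ "$(cfg_value "$f" odoh_servers)" = true ] ||
            { echo "'$n' is an oDoH server but odoh_servers is not true"; rc=1; } ;; esac
    done
    for s in $(route_servers "$f"); do  # a route for a server that is not selected never applies
        echo "$names" | grep -qxF "$s" || { echo "route for '$s' but it is not in server_names"; rc=1; }
    done
    return $rc
}

# Constructed sample A: the guide's template as published (DoH to Cloudflare selected,
# but the [anonymized_dns] route still names odoh-cloudflare).
sample_a=$(mktemp); cat >"$sample_a" <<'EOF'
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
cache = false
odoh_servers = false
server_names = ['cloudflare', 'cloudflare-ipv6']
[anonymized_dns]
routes = [ { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx'] } ]
EOF
# Constructed sample B: the same file edited for oDoH as the template's comments instruct.
sample_b=$(mktemp); sed -e "s/^odoh_servers = false/odoh_servers = true/" \
    -e "s/^server_names = .*/server_names = ['odoh-cloudflare']/" "$sample_a" >"$sample_b"
trap 'rm -f "$sample_a" "$sample_b"' EXIT
check_config "$sample_a" || echo "sample A: fix the findings above"
check_config "$sample_b" && echo "sample B: consistent"
```

Run it as `check_config /opt/linux-arm/dnscrypt-proxy.toml` (or the linux-arm64 path) against your own file; a clean run prints nothing and exits 0.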

Create the dnscrypt-proxy folder in the cache directory if it is not already there:

sudo mkdir -p /var/cache/dnscrypt-proxy

Check that it starts (this runs it in the foreground; stop it with Ctrl+C):

sudo ./dnscrypt-proxy

FIX: If the port you're using is reported as already in use (for example, on the current Raspberry Pi OS avahi-daemon is installed and uses port 5353 by default), check what is using it and stop and disable, or uninstall, its service.

Check the port:

sudo netstat -anp | grep 5353
or
sudo lsof -i :5353

Stop and disable the service:

sudo systemctl stop avahi-daemon && sudo systemctl disable avahi-daemon
or
sudo apt-get remove avahi-daemon


Install and start the DNScrypt proxy as a system service:

sudo ./dnscrypt-proxy -service install && sudo ./dnscrypt-proxy -service start && cd

Reboot if necessary

Check service status:

sudo systemctl status dnscrypt-proxy.service

Example for oDoH (Oblivious DoH): [screenshot]

Configure Unbound and DNScrypt

If not done already, download the Unbound configuration file with the DNS-over-TLS settings and move it to the Unbound folder:

sudo wget https://raw.githubusercontent.com/trinib/AdGuard-WireGuard-Unbound-Cloudflare/main/unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/

Forward to the DNScrypt address in the Unbound upstreams. Open the file with sudo nano /etc/unbound/unbound.conf.d/unbound.conf and uncomment the DNScrypt address lines (remove the # in front of the line).
Or do it from the command line:

sudo awk '{sub(/[#]forward-addr: 127.0.0.1@5353/,"forward-addr: 127.0.0.1@5353") || sub(/[#]forward-addr: ::1@5353/,"forward-addr: ::1@5353")}1' /etc/unbound/unbound.conf.d/unbound.conf > unbound.conf && sudo mv unbound.conf /etc/unbound/unbound.conf.d/

Restart Unbound

sudo systemctl restart unbound

DONE!

Warning

DNScrypt and Stubby cannot be used together when both are set to run as forwarders, or redundant caching will occur.

Tip

Optional

Load Balancing

DNScrypt-proxy comes with a load balancing algorithm. It sends consecutive DNS queries to different DNS servers, randomly chosen from a set of a chosen size taken from the servers sorted fastest to slowest.

Use one of the 4 values of the "lb_strategy" parameter. Just add your chosen setting to dnscrypt-proxy.toml.

Always pick the fastest server in the list

lb_strategy = 'first'

Randomly choose between the top 2 fastest servers

lb_strategy = 'p2'

Randomly choose between the top fastest half of all servers

lb_strategy = 'ph'

Just picks any random server from the list

lb_strategy = 'random'

Note

If you enable logging and look at the dnscrypt-proxy log, you will see the response times of all your servers when the proxy starts.

Auto-update the DNScrypt proxy package: click here.