Get Started

The resolvers I run can be used with any client implementing the DNSCrypt protocol without registration and free of charge.

I recommend the following setup, which I have used at home for several years:

[Image without description]

Install dnscrypt-proxy

dnscrypt-proxy is a DNS proxy client with support for the DNSCrypt protocol. Many Linux distributions provide packages for dnscrypt-proxy. If you don't run Linux or your distribution does not ship a package, you can download binaries from GitHub. Those are available for various platforms: Linux, FreeBSD, macOS, Windows and even Android and Solaris. If you're using OPNsense, there's a plugin.

Make sure to run version 2.1.2 or higher. Previous versions do not support the current "hashed" signature format I use to sign the resolver list I provide.

Examples

## Debian/Ubuntu
sudo apt install dnscrypt-proxy

## CentOS / RockyLinux / AlmaLinux / RHEL
## Enable the EPEL repo first!
sudo yum install epel-release
sudo yum install dnscrypt-proxy

## Arch Linux
sudo pacman -S dnscrypt-proxy

## OpenSUSE/SUSE Linux
sudo zypper in dnscrypt-proxy

## Fedora
sudo dnf install dnscrypt-proxy

Configure dnscrypt-proxy

Open /etc/dnscrypt-proxy/dnscrypt-proxy.toml with your favourite text editor and modify the following parameters:

listen_addresses
If you just want to use dnscrypt-proxy locally, leave the parameter untouched:
listen_addresses = ['127.0.0.1:53']
Otherwise, set it as follows to allow other devices on the network to send requests to dnscrypt-proxy:
listen_addresses = ['[::]:53']
If you plan to set up Pi-hole to block ads and trackers afterwards, set it to:
listen_addresses = ['127.0.0.1:5300']

ipv6_servers
Set ipv6_servers to true if your network and ISP support IPv6.

dnscrypt_servers
Make sure dnscrypt_servers is set to true.

[sources]
Add the following block to the [sources] section of your configuration (change the cache_file directory if required!):
    [sources.dnscry-pt-resolvers]
    urls = ["https://www.dnscry.pt/resolvers.md"]
    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
    cache_file = "/var/cache/dnscrypt-proxy/dnscry.pt-resolvers.md"
    refresh_delay = 72
    prefix = "dnscry.pt-"

If you only want to use my resolvers, comment out the other blocks referencing other resolver lists.
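
To check an edited configuration against the settings described above, here is an added example (not part of the original page and not dnscrypt-proxy's own tooling). The function name `audit_dnscrypt_config`, the report wording and the `unsigned-example` source are assumptions made for illustration; the checks are line-based and assume one key per line.

```shell
# Added example: line-based audit of a dnscrypt-proxy.toml read from stdin.
# Assumption: one key per line; this is not a full TOML parser.
audit_dnscrypt_config() {
    awk -v q="['\"]" '
    function flush_source() {            # report the [sources.*] block just finished
        if (src == "") return
        if (!has_key)   print "FAIL " src ": no minisign_key set"
        if (!has_https) print "WARN " src ": urls are not https://"
        if (has_key && has_https) print "OK   " src ": signed list fetched over https"
    }
    /^[ \t]*#/ { next }                  # commented-out blocks are ignored
    /^[ \t]*\[/ {                        # a table header closes the previous source
        flush_source(); src = ""
        if ($0 ~ /^[ \t]*\[sources\./) {
            src = $0; gsub(/^[ \t]*\[sources\.|\].*$/, "", src)
            has_key = 0; has_https = 0
        }
        next
    }
    src != "" && /^[ \t]*minisign_key[ \t]*=/ { has_key = (split($0, p, q) >= 3 && p[2] != "") }
    src != "" && /^[ \t]*urls[ \t]*=/ { has_https = ($0 ~ /https:\/\//) && ($0 !~ /http:\/\//) }
    /^[ \t]*dnscrypt_servers[ \t]*=[ \t]*true/ { dnscrypt_on = 1 }
    /^[ \t]*listen_addresses[ \t]*=/ {
        n = split($0, p, q)              # even-numbered fields are the quoted addresses
        for (i = 2; i <= n; i += 2) {
            if (p[i] ~ /^(127\.|\[::1\])/) print "OK   listen " p[i] " (loopback only)"
            else print "WARN listen " p[i] " (reachable from other hosts)"
        }
    }
    END {
        flush_source()
        print (dnscrypt_on ? "OK   dnscrypt_servers = true" : "FAIL dnscrypt_servers is not true")
    }'
}

sample_config() {   # constructed sample: the block from this page plus a deliberately bad source
    cat <<'EOF'
listen_addresses = ['[::]:53']
dnscrypt_servers = true
[sources]
    [sources.dnscry-pt-resolvers]
    urls = ["https://www.dnscry.pt/resolvers.md"]
    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
    [sources.unsigned-example]
    urls = ["http://lists.example.invalid/resolvers.md"]
EOF
}

sample_config | audit_dnscrypt_config
```

Run it against the real file with `audit_dnscrypt_config < /etc/dnscrypt-proxy/dnscrypt-proxy.toml`; a WARN on the listen address is expected when you deliberately serve other devices on your network.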

Start dnscrypt-proxy

To start dnscrypt-proxy and make sure it starts on boot, run:

sudo systemctl enable --now dnscrypt-proxy

Verify it's running:

sudo systemctl status dnscrypt-proxy

You should see something like:

* dnscrypt-proxy.service - DNSCrypt-proxy client
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-02-16 21:16:56 CET; 1min 46s ago
       Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
   Main PID: 14177 (dnscrypt-proxy)
      Tasks: 7 (limit: 845)
        CPU: 4.973s
     CGroup: /system.slice/dnscrypt-proxy.service
             `-14177 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Feb 16 21:16:56 asterisk systemd[1]: Started DNSCrypt-proxy client.
Feb 16 21:16:57 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:16:57] [NOTICE] dnscrypt-proxy 2.1.4
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Network connectivity detected
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to 127.0.0.1:5300 [UDP]
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to 127.0.0.1:5300 [TCP]
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to [::1]:5300 [UDP]
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to [::1]:5300 [TCP]
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Source [dnscry-pt-resolvers] loaded
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Source [relays] loaded
Feb 16 21:17:00 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Firefox workaround initialized
[...]
Feb 16 21:17:08 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] -   214ms dnscry.pt-singapore-ipv6
Feb 16 21:17:08 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] -   286ms dnscry.pt-tokyo-ipv6
Feb 16 21:17:08 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] -   317ms dnscry.pt-sydney-ipv6
Feb 16 21:17:08 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] Server with the lowest initial latency: dnscry.pt-coventry-ipv6 (rtt: 52ms)
Feb 16 21:17:08 asterisk dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] dnscrypt-proxy is ready - live servers: 20
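
The points worth confirming in that output (version at least 2.1.2, the signed source loaded, at least one live server, and where the proxy listens) can be checked mechanically. This is an added example, not part of the original page; the function name `check_startup_log` and the summary format are assumptions, and the sample lines are constructed from the output shown above.

```shell
# Added example: check dnscrypt-proxy startup log lines read from stdin.
# $1 is the source name from the [sources.<name>] block in the configuration.
check_startup_log() {
    awk -v want="$1" '
    /\[NOTICE\] dnscrypt-proxy [0-9]+\.[0-9]+\.[0-9]+/ {
        ver = $NF; split(ver, v, ".")
        # 2.1.2 is the minimum this page names for the hashed signature format
        ver_ok = (v[1] * 10000 + v[2] * 100 + v[3] >= 20102)
    }
    index($0, "Source [" want "] loaded") { src_ok = 1 }
    /Now listening to / && !seen[$(NF-1)]++ {   # UDP and TCP repeat each address
        listen = listen (listen ? "," : "") $(NF-1)
    }
    /live servers: [0-9]+/ { live = $NF + 0 }
    END {
        printf "version=%s(%s) source=%s live=%d listen=%s\n",
            (ver ? ver : "?"), (ver_ok ? "ok" : "too-old"),
            (src_ok ? "loaded" : "missing"), live, listen
        exit !(ver_ok && src_ok && live > 0)    # non-zero status if any check fails
    }'
}

sample_log() {   # constructed lines modelled on the output shown above
    cat <<'EOF'
Feb 16 21:16:57 host dnscrypt-proxy[14177]: [2023-02-16 21:16:57] [NOTICE] dnscrypt-proxy 2.1.4
Feb 16 21:17:00 host dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to 127.0.0.1:5300 [UDP]
Feb 16 21:17:00 host dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to 127.0.0.1:5300 [TCP]
Feb 16 21:17:00 host dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Now listening to [::1]:5300 [UDP]
Feb 16 21:17:00 host dnscrypt-proxy[14177]: [2023-02-16 21:17:00] [NOTICE] Source [dnscry-pt-resolvers] loaded
Feb 16 21:17:08 host dnscrypt-proxy[14177]: [2023-02-16 21:17:08] [NOTICE] dnscrypt-proxy is ready - live servers: 20
EOF
}

sample_log | check_startup_log dnscry-pt-resolvers
```

On a live system, feed it the journal for the current boot: `journalctl -u dnscrypt-proxy -b --no-pager | check_startup_log dnscry-pt-resolvers`.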

If the service doesn't start, check your configuration file for errors and make sure that no other service is listening on port 53.
To see if any programs are using port 53, run:
$ sudo ss -lp 'sport = :domain'

Send a test request:

$ host www.dnscry.pt ::1
Using domain server:
Name: ::1
Address: ::1#53
Aliases: 

www.dnscry.pt has address 193.108.130.21
www.dnscry.pt has IPv6 address 2605:6400:3:fed5:1000:101:0:158

If you get a (similar) result, you've successfully configured your dnscrypt-proxy instance!

Next steps

Configure the devices on your network to use your dnscrypt-proxy installation as their DNS resolver. On Linux this can be done by modifying /etc/resolv.conf, but these settings may be overwritten when you reconnect to your network and get other resolvers via DHCP. Consult your OS documentation to see how it's done properly.

Make sure that there's no firewall blocking access to port 53 on the device you installed dnscrypt-proxy on.

The dnscry.pt resolvers do not filter or block any websites. If you'd like to block ads or trackers on your network, I recommend Pi-hole.

You can set up Pi-hole on the same device and configure your dnscrypt-proxy as the upstream DNS server:

[Image without description]