Using DNSCrypt Resolvers on Linux

This tutorial will guide you through the steps to set up DNSCrypt resolvers on a Linux system. You may have to adapt some steps slightly depending on the distribution you use.

Step 1: Install dnscrypt-proxy

First, you need to install dnscrypt-proxy, which is a DNS proxy client with support for the DNSCrypt protocol. The installation process varies depending on your Linux distribution:

  • Debian/Ubuntu:
  sudo apt install dnscrypt-proxy
  • CentOS/RHEL:
  sudo yum install epel-release
  sudo yum install dnscrypt-proxy
  • Arch Linux:
  sudo pacman -S dnscrypt-proxy
  • Fedora:
  sudo dnf install dnscrypt-proxy
  • OpenSUSE/SUSE Linux:
  sudo zypper in dnscrypt-proxy

Make sure to run version 2.1.2 or higher. Older versions do not support the current "hashed" signature format I use to sign the resolver list I provide. If your distribution doesn't ship a recent package, you can fetch a binary from the dnscrypt-proxy GitHub page or compile it yourself if you feel adventurous.

Step 2: Configure DNSCrypt-Proxy

After installing dnscrypt-proxy, you need to configure it to use the DNSCrypt resolvers from dnscry.pt. Open the configuration file with your favorite text editor:

sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Modify the following parameters:

  • listen_addresses: If you only want to use dnscrypt-proxy locally, leave it as:
  listen_addresses = ['127.0.0.1:53']

  If you want other devices on your network to use it, set it to:
  listen_addresses = ['[::]:53']

  You may run into issues if another service already uses port 53 on your system. In that case, try another port such as 5353, and make sure to point your network configuration to that port in step 4.

  • ipv6_servers: Set this to true if your network and ISP support IPv6:
  ipv6_servers = true
  • dnscrypt_servers: Ensure this is set to true:
  dnscrypt_servers = true
  • sources: Add the following block to the [sources] section:
  [sources.dnscry-pt-resolvers]
  urls = ["https://www.dnscry.pt/resolvers.md"]
  minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
  cache_file = "/var/cache/dnscrypt-proxy/dnscry.pt-resolvers.md"
  refresh_delay = 72
  prefix = "dnscry.pt-"
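A small pre-flight script covering the two things that most often go wrong in Steps 1 and 2: a dnscrypt-proxy older than 2.1.2, and a port 53 that is already taken. This is an added example, not part of the dnscry.pt tutorial; the function names are this script's own, and the live port check assumes the ss tool from iproute2 is installed.

```shell
#!/bin/sh
# Pre-flight checks for the setup above. Added example, not part of the
# dnscry.pt tutorial; the function names are this script's own.

# version_ok VERSION: succeed if VERSION is >= 2.1.2, the minimum from Step 1
# (older releases cannot verify the "hashed" minisign signature format).
# Each component is compared numerically, so 2.1.10 ranks above 2.1.2 (a
# plain string comparison would not). A packaging suffix like "-1" is ignored.
version_ok() {
    have=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    want="2.1.2"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$have" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s\n' "$want" | cut -d. -f"$i"); w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# port_listeners PORT: print every socket in an `ss -Hlntup` listing (read on
# stdin) that is already bound to PORT, the Step 2 "another service already
# uses port 53" case (on many distributions that is systemd-resolved).
port_listeners() {
    awk -v port="$1" '{ n = split($5, a, ":"); if (a[n] == port) print }'
}

# Live checks, each guarded so the script also runs on a host without the tool.
preflight() {
    port=${1:-53}
    if command -v dnscrypt-proxy >/dev/null 2>&1; then
        v=$(dnscrypt-proxy -version 2>/dev/null | head -n 1)
        if version_ok "$v"; then echo "dnscrypt-proxy $v: ok"
        else echo "dnscrypt-proxy $v is older than 2.1.2, upgrade it"; fi
    else
        echo "dnscrypt-proxy not found in PATH (see Step 1)"
    fi
    if command -v ss >/dev/null 2>&1; then
        busy=$(ss -Hlntup 2>/dev/null | port_listeners "$port")
        if [ -n "$busy" ]; then
            echo "port $port is already taken, pick another in Step 2:"; echo "$busy"
        else
            echo "port $port is free"
        fi
    fi
}

preflight "$@"
```

Run it as `sh preflight.sh` (or `sh preflight.sh 5353` if you chose a different listen port) before starting the service in Step 3.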

Step 3: Start DNSCrypt-Proxy

To start dnscrypt-proxy and ensure it starts on boot, run:

sudo systemctl enable --now dnscrypt-proxy

Verify that it's running:

sudo systemctl status dnscrypt-proxy

You should see something like this:

* dnscrypt-proxy.service - DNSCrypt-proxy client
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-02-16 21:16:56 CET; 1min 46s ago
       Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
   Main PID: 14177 (dnscrypt-proxy)
      Tasks: 7 (limit: 845)
        CPU: 4.973s
     CGroup: /system.slice/dnscrypt-proxy.service
             `-14177 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Step 4: Configure Your Network

Finally, configure the devices on your network to use your dnscrypt-proxy installation as the DNS resolver. On Linux, this can be done by modifying /etc/resolv.conf, but these settings may be overwritten when you reconnect to your network and get other resolvers via DHCP. Consult your OS documentation for the proper way to set DNS resolvers permanently.