From ArchWiki
Jump to: navigation, search

DNSCrypt encrypts and authenticates DNS traffic between user and DNS resolver. While IP traffic itself is unchanged, it prevents local spoofing of DNS queries, ensuring DNS responses are sent by the server of choice. [1]


Install the dnscrypt-proxy package.


Select a resolver from /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and edit dnscrypt-proxy.service, using the first column as the name of the resolver with the -R flag. For example, to select dnscrypt.eu-nl as the resolver, the drop-in file would look like this:

ExecStart=/usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl
Tip: A potentially more up-to-date list is available directly on the upstream page.

After selecting a dnscrypt resolver, modify the resolv.conf file and replace the current set of resolver addresses with address for localhost:


Other programs may overwrite this setting; see resolv.conf#Preserve DNS settings for details.

Finally, start and enable the dnscrypt-proxy.service.

Tips and tricks

DNSCrypt as a forwarder for local DNS cache

It is recommended to run DNSCrypt as a forwarder for a local DNS cache, otherwise every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work, examples below show configuration for Unbound, dnsmasq, and pdnsd.

First configure dnscrypt-proxy to listen on a port different from the default 53, since the DNS cache needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 40 is used as an example in this section:

# systemctl edit dnscrypt-proxy.socket
Note: The ListenStream and ListenDatagram options need to be cleared with empty assignment before overriding, otherwise the new address would be added to the list of sockets. See systemd#Editing provided units for details.

Then restart dnscrypt-proxy.socket and stop dnscrypt-proxy.service if already running to let it be started by the .socket unit.

Example: configuration for Unbound

Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

do-not-query-localhost: no
  name: "."
Tip: If you are setting up a server, add interface: and access-control: your-network/subnet-mask allow inside the server: section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server in /etc/resolv.conf.

Restart unbound.service to apply the changes.

Example: configuration for dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with DNSCrypt:


If you configured DNSCrypt to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:


Restart dnsmasq.service to apply the changes.

Example: configuration for pdnsd

Install pdnsd. A basic configuration to work with DNSCrypt is:

global {
    perm_cache = 1024;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip =;
    status_ctl = on;
    query_method = udp_tcp;
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.

server {
    label = "dnscrypt-proxy";
    ip =;
    port = 40;
    timeout = 4;
    proxy_only = on;

source {
    owner = localhost;
    file = "/etc/hosts";

Restart pdnsd.service to apply the changes.

Enable EDNS0

Extension Mechanisms for DNS that, among other things, allows a client to specify how large a reply over UDP can be.

Add the following line to your /etc/resolv.conf:

options edns0

You may also wish to add the following argument to dnscrypt-proxy:


The default size being 1252 bytes, with values up to 4096 bytes being purportedly safe. A value below or equal to 512 bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Test EDNS0

Make use of the DNS Reply Size Test Server, use the dig command line tool from the bind-tools package to issue a TXT query for the name rs.dns-oarc.net:

$ dig +short rs.dns-oarc.net txt

With EDNS0 supported, the output should look similar to this:

"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"

Redundant DNSCrypt providers

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: Needs some tweaks to comply with Help:Style, e.g avoid writing in first person and link to enable, start and similar instead of explicit systemctl commands. (Discuss in Talk:DNSCrypt#)

Add new forward address

Note: Obtaining redundancy requires a simple edit to the above Unbound example and the addition of a second instance of the dnscrypt-proxy and service. Please be sure that the above Unbound example is working prior to proceeding, as this tip extends the previous example.

Extend the previous Unbound configuration in /etc/unbound/unbound.conf to include an additional forward address that uses a different port. Port 41 is used in the below example:

do-not-query-localhost: no
  name: "."

Create instanced systemd service

We will use an instanced systemd service to accomplish this. This will use one dnscrypt-proxy@.service systemd service to handle as many distinct DNSCrypt resolves as we want.

First, we need /etc/systemd/system/dnscrypt-proxy@.service containing:

 Description=DNSCrypt client proxy

 ExecStart=/usr/sbin/dnscrypt-proxy \

This specifies an instanced systemd service that starts a dnscrypt-proxy using the service name specified after the @ symbol of a corresponding .socket file.

Add first dnscrypt-socket

You can now create two (or more!) socket files, specifying different DNSCrypt providers.

For the first dnscrypt-proxy socket, listening on and connecting to the example dnscrypt.eu-nl provider, copy /lib/systemd/system/dnscrypt-proxy.socket to /etc/systemd/system/dnscrypt-proxy@dnscrypt.eu-nl.socket.

Add additional dyscrypt-sockets

For the second (or more) dnscrypt-proxy socket, copy /lib/systemd/system/dnscrypt-proxy.socket to eg. /etc/systemd/system/dnscrypt-proxy@cloudns-syd.socket

Here you can replace the socket instance name to eg. cloudns-syd as one of those listed in providers name column in /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv and edit it to eg. port 41 and so forth.

 Description=dnscrypt-proxy-secondary listening socket



Apply new systemd configuration

Now we need to reload the systemd configuration.

# systemctl daemon-reload

Since we are replacing the default service with a different name, we need to explicitly stop and disable dnscrypt-proxy and dnscrypt-proxy.socket.

Now start/enable the new sockets, dnscrypt-proxy@dnscrypt.eu-nl.socket and dnscrypt-proxy@cloudns-syd.socket.

Finally restart unbound.service

Known issues

dnscrypt runs with root privileges

See FS#49881. To work around this, create an unprivileged user manually.

Create the user as follows:

# useradd -r -d /var/dnscrypt -m -s /sbin/nologin dnscrypt

Edit dnscrypt-proxy.service, pointing --user to the new user:

ExecStart=/usr/bin/dnscrypt-proxy -R dnscrypt.eu-nl --user=dnscrypt