Difference between revisions of "DNSCrypt"

From ArchWiki

Revision as of 19:34, 23 February 2014

DNSCrypt is a protocol and proxy that authenticates and encrypts DNS traffic between the client and a DNSCrypt-enabled resolver, preventing eavesdropping, spoofing and man-in-the-middle tampering on that hop. Note that it protects only the path to the resolver: the resolver itself still sees every query in the clear.


Install dnscrypt-proxy from the official repositories.


By default dnscrypt-proxy is pre-configured in /etc/conf.d/dnscrypt-proxy to accept incoming requests on a local address and forward them, encrypted, to an OpenDNS resolver:


The variables in that file are read by /usr/lib/systemd/system/dnscrypt-proxy.service (excerpt):

Description=A tool for securing communications between a client and a DNS resolver.
# Only needed if you use pdnsd, other caching DNS servers can go here. Could be ignored too.
ExecStart=/usr/bin/dnscrypt-proxy \
    --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
    --provider-name=${DNSCRYPT_PROVIDER_NAME} \
    --provider-key=${DNSCRYPT_PROVIDER_KEY} \


With this setup, edit /etc/resolv.conf and replace your current resolver addresses with the local address dnscrypt-proxy listens on, so that no query can bypass the proxy:


To prevent dhcpcd from altering your DNS settings, add nohook resolv.conf to /etc/dhcpcd.conf. You may also wish to write-protect /etc/resolv.conf by setting the immutable attribute (this blocks every writer, including tools you may later want to use; undo it with chattr -i):

# chattr +i /etc/resolv.conf


Available as a systemd service: dnscrypt-proxy.service
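The steps above pin the system resolver to the local proxy; the following audit script (an added example, not part of the ArchWiki page or the dnscrypt-proxy project) checks that the pinning actually holds. It assumes resolv.conf uses plain nameserver lines, that dhcpcd.conf carries a nohook resolv.conf line, and that lsattr(1) is available for the immutable check; the sample files it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit that the stub resolver is pinned to the local dnscrypt-proxy.
# Not from the ArchWiki page or the dnscrypt-proxy project.

# Return 0 if FILE has at least one "nameserver" line and every one of them is a
# loopback address (127.0.0.1 or ::1). Any other address means queries can still
# leave the host in the clear, bypassing dnscrypt-proxy.
resolv_only_loopback() {
    file=$1
    n=0
    while read -r key value rest; do
        case $key in nameserver) ;; *) continue ;; esac
        n=$((n + 1))
        case $value in
            127.0.0.1|::1) ;;
            *) echo "non-loopback nameserver: $value" >&2; return 1 ;;
        esac
    done < "$file"
    [ "$n" -gt 0 ]
}

# Return 0 if dhcpcd is told not to overwrite resolv.conf (assumes a plain
# "nohook resolv.conf" line, possibly inside a comma-separated list).
dhcpcd_nohook() {
    grep -Eq '^[[:space:]]*nohook[[:space:]].*resolv\.conf' "$1"
}

# Best-effort check that FILE carries the immutable (+i) attribute; needs lsattr.
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available" >&2; return 2; }
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Constructed sample files for an offline demonstration.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\noptions edns0\n' > "$tmp/resolv.good"
# 192.0.2.53 stands in for an ISP resolver that DHCP handed out: a leak.
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv.bad"
printf 'hostname\nnohook resolv.conf\n' > "$tmp/dhcpcd.conf"

for f in resolv.good resolv.bad; do
    if resolv_only_loopback "$tmp/$f"; then echo "$f: pinned to loopback"; else echo "$f: LEAK"; fi
done
if dhcpcd_nohook "$tmp/dhcpcd.conf"; then echo "dhcpcd.conf: nohook resolv.conf present"; fi
if is_immutable /etc/resolv.conf; then
    echo "/etc/resolv.conf: immutable"
else
    echo "/etc/resolv.conf: not immutable (or lsattr unavailable)"
fi
rm -rf "$tmp"
```

Run it after editing the files; a single non-loopback nameserver line is enough to fail the first check, because the libc resolver will happily fall back to it.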

Tips and tricks

Using DNSCrypt in combination with Unbound

It is recommended to run DNSCrypt as a forwarder behind a local DNS cache; otherwise every single query makes a round-trip to the upstream resolver.
Install unbound from the official repositories and edit /etc/unbound/unbound.conf. do-not-query-localhost belongs in the server: section (Unbound refuses to forward to a loopback address unless it is set to no); forward-zone: is a separate top-level clause, so add it after the end of the server: section:

do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40
Note: Port 40 is only an example. Unbound itself listens on 53 by default, so dnscrypt-proxy must be given a different port, and it should keep listening on the loopback address only, so the unencrypted hop between Unbound and dnscrypt-proxy never leaves the host.

Start the systemd service unbound.service. Then configure DNSCrypt to match Unbound's new forward-zone IP and port by setting DNSCRYPT_LOCALIP and DNSCRYPT_LOCALPORT in /etc/conf.d/dnscrypt-proxy (the file read by the service unit):


Restart dnscrypt-proxy.service to reread the changes.
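A mismatch between the two files is the usual way this setup fails silently (Unbound forwards into a closed port, or dnscrypt-proxy is left on 53 and never starts). The script below, an added example that is not from the ArchWiki page or either project, cross-checks them. It assumes unbound.conf carries a forward-addr: IP@PORT line and do-not-query-localhost, and that /etc/conf.d/dnscrypt-proxy consists of KEY=value lines with DNSCRYPT_LOCALIP and DNSCRYPT_LOCALPORT (the variable names the service file above reads); the sample files are constructed.

```sh
#!/bin/sh
# Added example: verify that Unbound's forward-zone target and the dnscrypt-proxy
# listener agree. Not from the ArchWiki page, Unbound or dnscrypt-proxy.

# Print the value of KEY from a KEY=value file, surrounding quotes stripped.
conf_value() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# Print "IP@PORT" of the first forward-addr in an unbound.conf.
unbound_forward_addr() {
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when the forward target is loopback, is not Unbound's own port 53,
# equals the dnscrypt-proxy listener, and Unbound is allowed to query localhost.
forwarding_consistent() {
    ucfg=$1; dcfg=$2
    target=$(unbound_forward_addr "$ucfg")
    fip=${target%@*}
    fport=${target#*@}
    [ "$target" = "$fip" ] && fport=53      # no @port suffix means Unbound uses 53
    lip=$(conf_value "$dcfg" DNSCRYPT_LOCALIP)
    lport=$(conf_value "$dcfg" DNSCRYPT_LOCALPORT)
    case $fip in
        127.0.0.1|::1) ;;
        *) echo "forward-addr '$fip' is not a loopback address" >&2; return 1 ;;
    esac
    [ "$fport" != 53 ] || { echo "forward port 53 collides with Unbound's own listener" >&2; return 1; }
    [ "$fip@$fport" = "$lip@$lport" ] || {
        echo "Unbound forwards to $fip@$fport but dnscrypt-proxy listens on $lip:$lport" >&2; return 1; }
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$ucfg" || {
        echo "do-not-query-localhost is not 'no'; Unbound will refuse to forward to loopback" >&2; return 1; }
    return 0
}

# Constructed sample configuration for an offline demonstration.
tmp=$(mktemp -d)
cat > "$tmp/unbound.conf" <<'EOF'
server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40
EOF
printf 'DNSCRYPT_LOCALIP=127.0.0.1\nDNSCRYPT_LOCALPORT=40\n' > "$tmp/dnscrypt-proxy"
if forwarding_consistent "$tmp/unbound.conf" "$tmp/dnscrypt-proxy"; then echo "consistent"; fi
# Same Unbound config, but dnscrypt-proxy left on port 53:
printf 'DNSCRYPT_LOCALIP=127.0.0.1\nDNSCRYPT_LOCALPORT=53\n' > "$tmp/dnscrypt-proxy.bad"
if ! forwarding_consistent "$tmp/unbound.conf" "$tmp/dnscrypt-proxy.bad"; then echo "mismatch detected"; fi
rm -rf "$tmp"
```

Point the two functions at the real files (forwarding_consistent /etc/unbound/unbound.conf /etc/conf.d/dnscrypt-proxy) before restarting the services.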

Enable EDNS0

EDNS0 (Extension Mechanisms for DNS) allows, among other things, a client to advertise how large a reply it can accept over UDP, avoiding truncation and TCP fallback for large answers such as DNSSEC responses. Add the following line to your /etc/resolv.conf:

options edns0

You may also wish to pass dnscrypt-proxy the argument that sets its EDNS payload size:


The default is 1252 bytes; values up to 4096 bytes are reported to be safe. A value of 512 bytes or below disables the mechanism, unless a client itself sends a packet with an OPT section advertising a payload size.

Test EDNS0

Use the DNS Reply Size Test Server: with the dig command line tool (from dnsutils in the official repositories), issue a TXT query for the name rs.dns-oarc.net:

$ dig +short rs.dns-oarc.net txt

With EDNS0 working end to end, the output should look similar to this (the address shown is the one the test server received the query from, i.e. the upstream resolver, not your own machine, which also confirms which resolver your queries are actually leaving through):

"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"
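To turn that check into something a script can act on, the following functions (an added example, not from the ArchWiki page or DNS-OARC) parse the TXT answer and fail when no EDNS buffer size was advertised or it is below a chosen minimum. They assume the reply contains a "sent EDNS buffer size N" line only when EDNS0 reached the test server, and a "reply size limit is at least N" line; the sample inputs are constructed, the first one copied from the expected output above.

```sh
#!/bin/sh
# Added example: pass/fail parsing of the rs.dns-oarc.net TXT reply read on stdin.
# Not from the ArchWiki page or DNS-OARC.

# Print the advertised EDNS buffer size, or 0 if the line is absent
# (a resolver that strips EDNS0 produces no such line).
edns_buffer_size() {
    n=$(sed -n 's/.*sent EDNS buffer size \([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Print the largest reply the test server could deliver, or 0 if absent.
reply_size_limit() {
    n=$(sed -n 's/.*reply size limit is at least \([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Return 0 if the advertised buffer size is at least MIN; the default of 1252
# is the dnscrypt-proxy default payload size quoted on the page.
edns_ok() {
    min=${1:-1252}
    size=$(edns_buffer_size)
    [ "$size" -ge "$min" ]
}

# Constructed samples: the page's expected output, and a reply with no EDNS line.
SAMPLE='"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"'
NOEDNS='"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 512 bytes"'

for s in "$SAMPLE" "$NOEDNS"; do
    if printf '%s\n' "$s" | edns_ok; then
        echo "EDNS0 advertised: $(printf '%s\n' "$s" | edns_buffer_size) bytes"
    else
        echo "EDNS0 not advertised or below minimum (limit $(printf '%s\n' "$s" | reply_size_limit) bytes)"
    fi
done
# Live use: dig +short rs.dns-oarc.net txt | edns_ok 4096 && echo "EDNS0 ok"
```

The live pipeline at the end only works with network access; everything else runs offline. Pass the payload size you configured in dnscrypt-proxy as the minimum so that a silently downgraded buffer is reported.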

See also

*[[Unbound]] - a validating, recursive, and caching DNS resolver.
*[https://github.com/opendns/dnscrypt-proxy#current-list-of-free-dnscrypt-enabled-resolvers List of alternative resolvers]