Difference between revisions of "Dnscrypt-proxy"

m (Disable any services bound to port 53: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/d4eb4cb45f41b1751cacf71da558bf8f0988f383)
m (Disable any services bound to port 53: recommend disable systemd-resolved in nm)
Line 53: Line 53:
   Netid              State                Recv-Q                Send-Q                                Local Address:Port                                  Peer Address:Port
   Netid              State                Recv-Q                Send-Q                                Local Address:Port                                  Peer Address:Port
{{Tip| If [[systemd-resolved]] service is not started, NetworkManager will try to start it using D-Bus, fail and spam the journal. This can be disabled with a configuration file [https://wiki.archlinux.org/index.php/NetworkManager#Unit_dbus-org.freedesktop.resolve1.service_not_found]}}
=== Modify resolv.conf ===
=== Modify resolv.conf ===
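Review bot: the added tip describes the symptom (NetworkManager tries to start systemd-resolved over D-Bus, fails, and spams the journal) but leaves the remedy entirely to the linked NetworkManager page, while the edit summary says the intent is to recommend disabling systemd-resolved in NetworkManager; say that in the tip itself, e.g. that NetworkManager should be configured not to use systemd-resolved, so a reader who does not follow the link knows what to change.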

Revision as of 17:54, 11 April 2019

This article or section needs expansion. Reason: What is the difference to dnscrypt-wrapper?

dnscrypt-proxy is a DNS proxy with support for the encrypted DNS protocols DNS over HTTPS and DNSCrypt. Encrypting the leg between the client and the resolver prevents eavesdropping on and man-in-the-middle tampering with that traffic; it does not by itself authenticate the records returned, which is what DNSSEC is for. dnscrypt-proxy is also compatible with DNSSEC.


Install the dnscrypt-proxy package.



The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):

  • With the .service file.
Note: The listen_addresses option must be configured (e.g. listen_addresses = ['', '[::1]:53']) in the configuration file when using the .service file.
  • Through the .socket activation.
Note: When using socket activation the listen_addresses option must be set to empty (i.e. listen_addresses = [ ]) in the configuration file, since systemd is taking care of the socket configuration.

Select resolver

By leaving server_names commented out in the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml, dnscrypt-proxy will choose the fastest server from the sources already configured under [sources] [1]. The lists will be downloaded, verified, and automatically updated [2]. Thus, configuring a specific set of servers is optional.

To manually set which server is used, edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and uncomment the server_names variable, selecting one or more of the servers. For example, to use Cloudflare's servers:

server_names = ['cloudflare', 'cloudflare-ipv6']

A full list of resolvers is available on the upstream page and on GitHub. If dnscrypt-proxy has run successfully on the system before, /var/cache/dnscrypt-proxy/public-resolvers.md will also contain the list. Check each server's description for whether it validates DNSSEC, keeps no logs and does not filter (censor) answers. When server_names is left unset, these requirements can be enforced globally with the require_dnssec, require_nolog and require_nofilter options; the flags they test come from each server's DNS stamp (the sdns:// string), not from the free-text description.
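As an added example (not from this page or from the dnscrypt-proxy project), the POSIX shell functions below decode the "informal properties" field of an sdns:// DNS stamp, which is where the DNSSEC, no-logs and no-filter bits tested by require_dnssec, require_nolog and require_nofilter live, and then filter a server list by them the way those options do. The server names, addresses and stamps are constructed for the demonstration: make_doh_stamp builds them locally, so none of them is a real resolver and nothing touches the network.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the dnscrypt-proxy project.
# Stamp layout (dnscrypt.info/stamps): one protocol byte, an 8-byte
# little-endian properties field, then length-prefixed fields. The three
# defined property flags are:
FLAG_DNSSEC=1
FLAG_NOLOG=2
FLAG_NOFILTER=4

# Emit the raw bytes of a stamp: strip the sdns:// prefix, undo base64url, re-pad.
stamp_bytes() {
    b64=$(printf '%s' "${1#sdns://}" | sed 'y|_-|/+|')
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="$b64="; done
    printf '%s' "$b64" | base64 -d
}

# Protocol byte: 1 = DNSCrypt, 2 = DNS-over-HTTPS, 3 = DNS-over-TLS.
stamp_proto() { stamp_bytes "$1" | od -An -tu1 -N1 | tr -d ' '; }

# Properties: only the lowest byte of the 64-bit field carries defined flags.
stamp_props() { stamp_bytes "$1" | od -An -tu1 -j1 -N1 | tr -d ' '; }

# Read "<name> <stamp>" lines on stdin; print the names whose stamp carries
# every flag in $1 (a bitmask built from the FLAG_* values above).
select_servers() {
    required=$1
    while read -r name stamp; do
        [ -n "$stamp" ] || continue
        props=$(stamp_props "$stamp")
        if [ $(( props & required )) -eq "$required" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# --- helpers that build stamps, so the demo below needs no network ---------

# Length-prefixed field: one length byte, then the (ASCII) content.
lp() { printf "\\$(printf '%03o' "${#1}")%s" "$1"; }

# $1 zero bytes (the high bytes of the properties field, and an empty list).
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# Build a DoH stamp (protocol 2) for a hypothetical server: props (1-255),
# address, hostname, path. Certificate hashes and bootstrap IPs are left empty.
make_doh_stamp() {
    b64=$( {
        printf '\002'
        printf "\\$(printf '%03o' "$1")"; zeros 7
        lp "$2"            # IP address
        zeros 1            # empty certificate-hash list
        lp "$3"            # hostname
        lp "$4"            # path
    } | base64 | tr -d '=\n' | sed 'y|/+|_-|' )
    printf 'sdns://%s\n' "$b64"
}

# Constructed sample list: names, addresses and stamps are made up for this demo.
S_FULL=$(make_doh_stamp $(( FLAG_DNSSEC | FLAG_NOLOG | FLAG_NOFILTER )) 192.0.2.1 doh.example.net /dns-query)
S_LOGS=$(make_doh_stamp $(( FLAG_DNSSEC | FLAG_NOFILTER )) 192.0.2.2 doh-logging.example.net /dns-query)
S_FILT=$(make_doh_stamp $(( FLAG_DNSSEC | FLAG_NOLOG )) 192.0.2.3 doh-filtering.example.net /dns-query)
SAMPLE_LIST=$(printf '%s\n' "example-full $S_FULL" "example-logging $S_LOGS" "example-filtering $S_FILT")

# Equivalent of require_nolog = true and require_nofilter = true: only
# example-full survives.
printf '%s\n' "$SAMPLE_LIST" | select_servers $(( FLAG_NOLOG | FLAG_NOFILTER ))   # prints: example-full
```

To inspect a real entry, paste one of the sdns:// strings from public-resolvers.md into stamp_props; a result with bit 2 clear, for instance, is a server that filters answers regardless of what its description says.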

Disable any services bound to port 53

Tip: If using #Unbound as your local DNS cache, this section can be skipped: Unbound itself takes port 53 by default, and dnscrypt-proxy is moved to another port as described in #Change port.

To see if any programs are using port 53, run:

 $ ss -lp 'sport = :domain'

If the output contains more than the line of column names, disable whatever service is using port 53. One common culprit is systemd-resolved.service [3], but other network managers may ship analogous components. You are ready to proceed once the above command outputs nothing more than the following line:

 Netid               State                 Recv-Q                Send-Q                                 Local Address:Port                                   Peer Address:Port
Tip: If systemd-resolved service is not started, NetworkManager will try to start it using D-Bus, fail and spam the journal. This can be disabled with a configuration file [4]
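As an added example (not part of the page), here is a small POSIX shell check that applies the rule above to the output of ss -lp 'sport = :domain': it names whatever owns port 53, or prints nothing when only the header line is present. The ss output it runs on here is a constructed sample; the process name, pid and fd values are made up, and the live command is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: decide from the output of
#   ss -lp 'sport = :domain'
# whether anything is still bound to port 53, and name the owning process.
# Without root, ss hides other users' processes, so a listener may appear
# without a users:(...) column; that case is reported rather than ignored.

# Read ss output on stdin; print one owning process name per line (nothing
# when only the header line is present).
port53_owners() {
    awk 'NR > 1 && NF > 0 {
             if (match($0, /users:\(\("[^"]+"/))
                 name = substr($0, RSTART + 9, RLENGTH - 10)
             else
                 name = "(process hidden; rerun ss as root)"
             if (!seen[name]++) print name
         }'
}

# Exit 0 when port 53 is free, 1 when something is bound to it.
port53_free() {
    [ -z "$(port53_owners)" ]
}

# Constructed sample output: what ss shows on a host where systemd-resolved
# still owns port 53 (pid and fd numbers are made up).
SAMPLE_BUSY='Netid State  Recv-Q Send-Q       Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:domain         0.0.0.0:*     users:(("systemd-resolve",pid=412,fd=12))
tcp   LISTEN 0      4096   127.0.0.53%lo:domain         0.0.0.0:*     users:(("systemd-resolve",pid=412,fd=13))'

# The same command on a host where port 53 is free: header line only.
SAMPLE_FREE='Netid State  Recv-Q Send-Q       Local Address:Port   Peer Address:Port Process'

# Live use:  ss -lp 'sport = :domain' | port53_free && echo "port 53 is free"
# If systemd-resolved is the owner:  systemctl disable --now systemd-resolved.service
printf '%s\n' "$SAMPLE_BUSY" | port53_owners     # prints: systemd-resolve
```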

Modify resolv.conf

This article or section needs expansion. Reason: Explain what the options mean.

Edit /etc/resolv.conf and replace the current set of nameserver entries with the loopback address dnscrypt-proxy listens on, plus the following options [5]:

nameserver ::1
options edns0 single-request-reopen

Here edns0 makes the glibc stub resolver send EDNS0-enabled queries, so replies larger than 512 bytes (for example DNSSEC-signed answers) are not truncated, and single-request-reopen works around middleboxes that answer only one of the parallel A and AAAA queries sent from the same UDP port: if the second reply does not arrive, the resolver closes the socket and opens a new one before resending, instead of waiting for the timeout. Both are documented in resolv.conf(5).

Other programs may overwrite this setting; see resolv.conf#Overwriting of /etc/resolv.conf for details.

Start systemd service

Finally, start/enable the dnscrypt-proxy.service unit or dnscrypt-proxy.socket, depending on which method you chose above.

Tips and tricks

Local DNS cache configuration

Tip: dnscrypt-proxy can cache entries without relying on another program. This feature is enabled by default with the line cache = true in your dnscrypt-proxy configuration file

It is recommended to run dnscrypt-proxy as a forwarder for a local DNS cache if not using dnscrypt-proxy's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must setup your local DNS cache program.

Change port

In order to forward queries from a local DNS cache, dnscrypt-proxy should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 53000 is used as an example in this section. Because it lies outside the privileged range (ports below 1024), dnscrypt-proxy does not need root, or the CAP_NET_BIND_SERVICE capability, to bind it.

There are two methods for changing the default port:

Socket method

Edit dnscrypt-proxy.socket with the following contents:


When queries are forwarded from the local DNS cache to 53000, dnscrypt-proxy.socket will start dnscrypt-proxy.service.

Service method

Edit the listen_addresses option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following:

listen_addresses = ['', '[::1]:53000']

Example local DNS cache configurations

The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000.


Configure Unbound to your liking (in particular, see Unbound#Local DNS server). Unbound refuses to forward to loopback addresses unless told otherwise, so add the following line inside the server section of /etc/unbound/unbound.conf:

  do-not-query-localhost: no

Then add a forward-zone section at the end of the file that sends every query to dnscrypt-proxy:

forward-zone:
  name: "."
  forward-addr: ::1@53000
Tip: If you are setting up a server, add interface: and access-control: your-network/subnet-mask allow inside the server: section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server in /etc/resolv.conf.

Restart unbound.service to apply the changes.


Configure dnsmasq as a local DNS cache. The basic configuration to work with dnscrypt-proxy:


If you configured dnscrypt-proxy to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:


Restart dnsmasq.service to apply the changes.


Install pdnsd. A basic configuration to work with dnscrypt-proxy is:

global {
    perm_cache = 1024;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip =;                # Loopback address pdnsd itself listens on.
    status_ctl = on;
    query_method = udp_tcp;
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label = "dnscrypt-proxy";
    ip =;                       # Loopback address dnscrypt-proxy listens on.
    port = 53000;               # Must match the listen port chosen above.
    timeout = 4;
    proxy_only = on;            # Forward everything; never query authoritative servers directly.
}

source {
    owner = localhost;
    file = "/etc/hosts";
}
Restart pdnsd.service to apply the changes.


Edit dnscrypt-proxy.service to include the following lines; prefer a drop-in created with systemctl edit dnscrypt-proxy.service over editing the unit file itself, so that the change survives package updates:

RestrictAddressFamilies=AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io

See systemd.exec(5) and Systemd#Sandboxing application environments for more information. Additionally see upstream comments[dead link 2018-01-08]. After restarting the service, confirm that resolution still works and that the journal does not report the process being killed by SIGSYS, which is what a too-strict SystemCallFilter produces.

Enable EDNS0

This article or section needs expansion. Reason: Name the advantages/motivation for enabling this.

EDNS0 (Extension Mechanisms for DNS) adds an OPT pseudo-record to queries that, among other things, lets a client advertise how large a reply over UDP it can accept; without it the limit is 512 bytes. Large answers such as DNSSEC-signed responses would otherwise be truncated and retried over TCP, and the DNSSEC OK (DO) bit, which asks the resolver to include signatures, can only be carried in that OPT record.

Add the following line to your /etc/resolv.conf:

options edns0

This article or section is out of date. Reason: dnscrypt-proxy v2 uses a different configuration file.

You may also wish to append the following to /etc/dnscrypt-proxy.conf:

EDNSPayloadSize <bytes>

Where <bytes> is a number, the default size being 1252, with values up to 4096 bytes being purportedly safe. A value below or equal to 512 bytes will disable this mechanism, unless a client sends a packet with an OPT section providing a payload size.

Test EDNS0

To check the reply size actually in effect, use the DNS Reply Size Test Server run by DNS-OARC: issue a TXT query for the name rs.dns-oarc.net with the drill command-line tool:

$ drill rs.dns-oarc.net TXT

With EDNS0 supported, the "answer section" of the output should look similar to this:

"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"