DNSCrypt is a piece of software that encrypts DNS traffic between the user and a DNS resolver, preventing eavesdropping, spoofing and man-in-the-middle attacks on DNS lookups.
Install dnscrypt-proxy from the official repositories.
By default dnscrypt-proxy is pre-configured in /etc/conf.d/dnscrypt-proxy (read by dnscrypt-proxy.service) to accept incoming requests on 127.0.0.1 and forward them to an OpenDNS resolver. See the list of resolvers for alternatives.
With this setup, it is necessary to edit your resolv.conf file and replace your current set of resolver addresses with localhost:
nameserver 127.0.0.1
You might need to prevent other programs from overwriting it; see resolv.conf#Preserve DNS settings for details.
dnscrypt-proxy is available as a systemd service, dnscrypt-proxy.service.
Tips and tricks
Using DNSCrypt in combination with Unbound
It is recommended to run DNSCrypt as a forwarder for a local DNS cache, otherwise every single query will make a round-trip to the upstream resolver.
Install unbound from the official repositories and add the following lines to the end of the server section in Unbound's configuration file:
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
Start the systemd service unbound.service. Then configure DNSCrypt to match Unbound's new forward-zone IP and port in /etc/conf.d/dnscrypt-proxy (a Before= line in the unit file may also be needed). Restart dnscrypt-proxy.service to reread the changes.
Using DNSCrypt in combination with dnsmasq
You can also use DNSCrypt with dnsmasq as a caching proxy.
Assuming you have set up both dnsmasq and dnscrypt on your machine, stop their services with:
systemctl stop dnsmasq.service
systemctl stop dnscrypt-proxy.service
Edit /etc/dnsmasq.conf so that it contains at least the following options:
domain-needed
bogus-priv
strict-order
no-resolv
server=127.0.0.2
resolv-file=/etc/resolv.dns.conf
listen-address=127.0.0.1
no-dhcp-interface=lo
bind-interfaces
cache-size=1500
proxy-dnssec
Edit /etc/resolv.dns.conf so that it contains just:
# This is where dnsmasq will be sending your DNS queries (dnscrypt)
nameserver 127.0.0.2
Edit /etc/resolv.conf.tail so that it contains any extra backup DNS servers, in case your dnscrypt isn't working for some reason. The nameservers listed here are appended to resolv.conf automatically. In this example you have an OpenDNS and a Comodo DNS server as backup:
nameserver 126.96.36.199
nameserver 188.8.131.52
Note that these fallback servers are queried in plaintext over port 53, so any lookup that reaches them is unencrypted.
Edit /etc/conf.d/dnscrypt-proxy so that DNSCRYPT_LOCALIP is set to 127.0.0.2 (where dnsmasq will be querying):
DNSCRYPT_LOCALIP=127.0.0.2
If you use NetworkManager you might have to append
Restart dnsmasq.service to reread the changes.
Test DNSCrypt and dnsmasq
To check that DNS queries are effectively sent encrypted, you can run tcpdump and then browse the web on your computer. Run:
sudo tcpdump -i eth0 dst host 184.108.40.206 or dst host 220.127.116.11 or src host 18.104.22.168 or src host 22.214.171.124 -n
You should only see remote UDP port 443 being used, not 53:
23:00:41.806710 IP 192.168.1.3.58619 > 126.96.36.199.443: UDP, length 260
23:00:41.843235 IP 188.8.131.52.443 > 192.168.1.3.58619: UDP, length 496
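The same check can be automated over saved tcpdump output. The following Python script is an added example, not part of the wiki page: it classifies each packet as encrypted DNSCrypt traffic (a known resolver on port 443), a plaintext DNS leak (port 53 on either side, for instance dnsmasq falling back to a resolv.conf.tail server) or other traffic. The capture lines and resolver addresses are constructed to match the format shown above.

```python
import re

# Constructed sample of tcpdump output in the format shown above (not a real capture).
# The third line simulates dnsmasq falling back to a plaintext backup resolver on port 53,
# the fourth is ordinary HTTPS traffic to an unrelated host.
SAMPLE_CAPTURE = """\
23:00:41.806710 IP 192.168.1.3.58619 > 126.96.36.199.443: UDP, length 260
23:00:41.843235 IP 126.96.36.199.443 > 192.168.1.3.58619: UDP, length 496
23:00:42.100113 IP 192.168.1.3.40011 > 188.8.131.52.53: 12345+ A? example.com. (29)
23:00:42.300227 IP 192.168.1.3.50110 > 203.0.113.10.443: UDP, length 1200
"""

# Resolver addresses as they appear in the example above (placeholder values).
RESOLVERS = {"126.96.36.199", "188.8.131.52"}

# Matches the "timestamp IP src.sport > dst.dport:" header tcpdump prints (IPv4 only).
HEADER_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def audit_dns_capture(capture: str, resolvers=RESOLVERS, encrypted_port: int = 443) -> dict:
    """Count encrypted, plaintext and other packets in a tcpdump text capture.

    Any packet touching port 53 on either side is treated as a plaintext DNS leak,
    whoever the peer is. Traffic between the host and a known resolver on the
    DNSCrypt port counts as encrypted; everything else is reported as other.
    """
    report = {"encrypted": 0, "plaintext": 0, "other": 0, "leaks": []}
    for line in capture.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a packet header line (e.g. tcpdump banner or IPv6)
        src, dst = m.group("src"), m.group("dst")
        sport, dport = int(m.group("sport")), int(m.group("dport"))
        if sport == 53 or dport == 53:
            report["plaintext"] += 1
            report["leaks"].append(line)
        elif (dst in resolvers and dport == encrypted_port) or (src in resolvers and sport == encrypted_port):
            report["encrypted"] += 1
        else:
            report["other"] += 1
    return report


if __name__ == "__main__":
    print(audit_dns_capture(SAMPLE_CAPTURE))
```

Feed it a real capture with `sudo tcpdump -i eth0 -n udp > capture.txt` (no host filter, so that fallback servers are caught too); a non-empty `leaks` list means some lookups left the machine unencrypted.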
EDNS0
EDNS0 is an Extension Mechanism for DNS that, among other things, allows a client to specify how large a reply over UDP can be.
Add the following line to your
You may also wish to add the following argument to dnscrypt-proxy:
The default size is 1252 bytes; values up to 4096 bytes are purportedly safe. A value less than or equal to 512 bytes disables this mechanism, unless a client sends a packet with an OPT section providing a payload size.
To verify EDNS0 support, query the DNS-OARC reply-size test:
$ dig +short rs.dns-oarc.net txt
With EDNS0 supported, the output should look similar to this:
rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"