Dnscrypt-proxy: Difference between revisions

From ArchWiki
(→‎Select resolver: While the package does not have the cache file for the resolvers list initially, it is created later on and is useful for configuration)
(→‎Tips and tricks: add talk item with info to removal template)
 
(56 intermediate revisions by 19 users not shown)
Latest revision as of 21:57, 21 January 2024

dnscrypt-proxy is a DNS proxy client with support for the encrypted DNS protocols DNS over HTTPS and DNSCrypt, which protect the path between the client and the resolver against man-in-the-middle attacks and eavesdropping. dnscrypt-proxy is also compatible with DNSSEC. The separately packaged dnscrypt-wrapper is the server-side counterpart: it adds DNSCrypt support in front of an existing recursive resolver, whereas dnscrypt-proxy is the client that talks to such servers.

Installation

Install the dnscrypt-proxy package.

Configuration

The default configuration file referred to is at /etc/dnscrypt-proxy/dnscrypt-proxy.toml.

Tip: While dnscrypt-proxy has no manual currently, the project maintains an extensive configuration wiki.

Startup

Note: Although the proxy can be started either way, upstream recommends the service method rather than socket activation.[1][2]

The service can be started in two mutually exclusive ways (i.e. only one of the two may be enabled):

  1. With the systemd service dnscrypt-proxy.service.
    • The listen_addresses option must be configured (e.g. listen_addresses = ['127.0.0.1:53', '[::1]:53']) in the configuration file when using the service.
  2. Through socket activation using dnscrypt-proxy.socket.
    • The listen_addresses option must be set to empty (i.e. listen_addresses = [ ]) in the configuration file, since systemd is taking care of the socket configuration.

Select resolver

By leaving server_names commented out in the configuration file, dnscrypt-proxy will choose the fastest server from the sources already configured under [sources] [3]. The lists will be downloaded, verified, and automatically updated [4]. Thus, configuring a specific set of servers is optional.

To manually set which server is used, uncomment the server_names variable in the configuration file and select one or more of the servers. For example, to use Cloudflare's servers:

server_names = ['cloudflare', 'cloudflare-ipv6']

A full list of resolvers is located at the upstream page or Github. If dnscrypt-proxy has run successfully on the system before, /var/cache/dnscrypt-proxy/public-resolvers.md will also contain a list. Check each server's description to see whether it validates DNSSEC, keeps no logs and does not filter (censor) names. These properties are also encoded as flags in the server's sdns:// stamp, and the require_dnssec, require_nolog and require_nofilter options make dnscrypt-proxy skip every server whose stamp lacks the corresponding flag. Note that the flags are declared by the resolver operator when the entry is published: dnscrypt-proxy can enforce the declaration, but it cannot verify that the operator actually behaves as advertised.
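The following is an added example, not code from dnscrypt-proxy or from this page. It decodes the sdns:// stamps found in public-resolvers.md, shows where the DNSSEC / no-log / no-filter bits live, and filters a resolver list the way require_dnssec, require_nolog and require_nofilter do. The Cloudflare stamp is the one published for the 'cloudflare' entry; the second list entry is constructed for the example (TEST-NET address, all-zero key, made-up provider name).

```python
"""Decode DNS stamps (sdns://) and apply dnscrypt-proxy style require_* checks.

Layout (https://dnscrypt.info/stamps-specifications/): byte 0 is the protocol
(0x01 DNSCrypt, 0x02 DoH), bytes 1..8 a little-endian uint64 of property bits
(1 DNSSEC, 2 no logs, 4 no filter), then length-prefixed fields per protocol.
"""
import base64
import re

PROP_DNSSEC, PROP_NOLOG, PROP_NOFILTER = 1, 2, 4
PROTO_DNSCRYPT, PROTO_DOH = 0x01, 0x02

def _lp(buf, pos):
    """Length-prefixed field: one length byte followed by that many bytes."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf, pos):
    """List of length-prefixed items; bit 0x80 of a length byte means 'more follow'."""
    items = []
    while True:
        more, n = buf[pos] & 0x80, buf[pos] & 0x7F
        if n:
            items.append(buf[pos + 1:pos + 1 + n])
        pos += 1 + n
        if not more:
            return items, pos

def parse_stamp(stamp):
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    proto, props = buf[0], int.from_bytes(buf[1:9], "little")
    info = {"dnssec": bool(props & PROP_DNSSEC), "nolog": bool(props & PROP_NOLOG),
            "nofilter": bool(props & PROP_NOFILTER)}
    addr, pos = _lp(buf, 9)
    info["addr"] = addr.decode()
    if proto == PROTO_DNSCRYPT:
        info["protocol"] = "DNSCrypt"
        pk, pos = _lp(buf, pos)
        provider, pos = _lp(buf, pos)
        info["public_key"], info["provider_name"] = pk.hex(), provider.decode()
    elif proto == PROTO_DOH:
        info["protocol"] = "DoH"
        hashes, pos = _vlp(buf, pos)
        host, pos = _lp(buf, pos)
        path, pos = _lp(buf, pos)
        info["cert_hashes"] = [h.hex() for h in hashes]
        info["hostname"], info["path"] = host.decode(), path.decode()
    else:
        raise ValueError("unsupported protocol 0x%02x" % proto)
    return info

def encode_dnscrypt_stamp(addr, public_key, provider_name, props=0):
    """Inverse of parse_stamp for DNSCrypt; used below to build a sample entry."""
    body = bytes([PROTO_DNSCRYPT]) + props.to_bytes(8, "little")
    for field in (addr.encode(), public_key, provider_name.encode()):
        body += bytes([len(field)]) + field
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

def meets_requirements(info, require_dnssec=False, require_nolog=False, require_nofilter=False):
    """The test dnscrypt-proxy applies: every required bit must be set in the stamp.
    The bits are declared by whoever published the stamp; nothing here verifies them."""
    return ((not require_dnssec or info["dnssec"]) and (not require_nolog or info["nolog"])
            and (not require_nofilter or info["nofilter"]))

def parse_resolver_list(markdown):
    """Reader for the public-resolvers.md layout: '## name', description, sdns:// line."""
    servers, name = {}, None
    for line in markdown.splitlines():
        m = re.match(r"^##\s+(\S+)", line)
        if m:
            name = m.group(1)
        elif name and line.startswith("sdns://"):
            servers[name] = parse_stamp(line.strip())
    return servers

def select_servers(markdown, **requirements):
    """Names of the listed servers that satisfy the given require_* options."""
    return sorted(n for n, i in parse_resolver_list(markdown).items()
                  if meets_requirements(i, **requirements))

# Constructed sample in the layout of public-resolvers.md. The first stamp is the
# published one for Cloudflare's DoH resolver; the second is made up (TEST-NET
# address, all-zero key) and declares only the DNSSEC property.
EXAMPLE_DNSCRYPT = encode_dnscrypt_stamp("192.0.2.1:443", bytes(32),
                                         "2.dnscrypt-cert.example.invalid", PROP_DNSSEC)
SAMPLE_LIST = f"""\
## cloudflare

Cloudflare DNS (anycast) - aka 1.1.1.1 / 1.0.0.1

sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5

## example-dnscrypt

Made-up DNSCrypt server used only in this example

{EXAMPLE_DNSCRYPT}
"""
```

Running select_servers(SAMPLE_LIST, require_nolog=True, require_nofilter=True) keeps only 'cloudflare', because the constructed entry declares just the DNSSEC bit; this is exactly why a require_* option can silently shrink the pool of candidate servers, and why an empty pool is worth checking for in the journal after tightening the requirements.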

Disable any services bound to port 53

Tip: If using #Unbound as your local DNS cache this section can be ignored, as unbound runs on port 53 by default.

To see if any programs are using port 53, run:

 $ ss -lp 'sport = :domain'

If the output lists anything beyond the column header, look at the address each listener is bound to rather than at the port alone. dnscrypt-proxy only needs the addresses given in listen_addresses (127.0.0.1:53 and [::1]:53 in the example above), so a listener conflicts only if it holds port 53 on one of those exact addresses or on a wildcard address (0.0.0.0 or [::]). NetworkManager's dnsmasq plugin, for instance, binds 127.0.0.1:53 and must be stopped and disabled first. systemd-resolved.service is a frequent source of confusion here: its stub listener binds 127.0.0.53:53, which does not conflict with dnscrypt-proxy on 127.0.0.1:53, but while it is running /etc/resolv.conf is usually a symlink to its stub configuration and has to be replaced as described in #Modify resolv.conf (see also NetworkManager#Unit dbus-org.freedesktop.resolve1.service not found). Other network managers may ship analogous components. In the simplest case the command prints nothing more than the following line:

 Netid               State                 Recv-Q                Send-Q                                 Local Address:Port                                   Peer Address:Port
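An added example (not part of this page) that applies the address-aware rule above to ss output: it parses the listening sockets, ignores dnscrypt-proxy's own, and reports only those that would stop dnscrypt-proxy from binding its configured listen_addresses. The sample ss output is constructed, not captured from a real machine.

```python
"""Find listeners that really collide with dnscrypt-proxy's listen_addresses in the
output of `ss -Hlnp 'sport = :domain'` (-H no header, -n numeric, -l listening,
-p owning process). A socket bound to 127.0.0.53:53 does not collide with one on
127.0.0.1:53; a wildcard bind (0.0.0.0 or [::]) collides with every address of
its family."""
import ipaddress
import re

# Constructed sample, not captured from a real machine: systemd-resolved's stub,
# a dnsmasq instance on 127.0.0.1, and dnscrypt-proxy already holding [::1].
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0          127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=412,fd=13))
udp   UNCONN 0      0              127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=800,fd=4))
tcp   LISTEN 0      4096           127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=800,fd=5))
tcp   LISTEN 0      4096               [::1]:53           [::]:*    users:(("dnscrypt-proxy",pid=901,fd=8))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def split_hostport(text):
    """'127.0.0.53%lo:53' -> ('127.0.0.53', 53); '[::1]:53' -> ('::1', 53); '*:53' -> ('*', 53)."""
    host, _, port = text.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop interface scope and IPv6 brackets
    return host, (int(port) if port.isdigit() else None)

def parse_listeners(ss_output):
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, port = split_hostport(fields[4])  # the Local Address:Port column
        m = PROC_RE.search(line)
        listeners.append({"proto": fields[0], "addr": host, "port": port,
                          "process": f"{m.group(1)}/{m.group(2)}" if m else "?"})
    return listeners

def conflicts(listener, want_hostport):
    """True if the listener holds want_hostport's port on the same address or on
    the wildcard address of the same family."""
    want_host, want_port = split_hostport(want_hostport)
    if listener["port"] != want_port:
        return False
    if listener["addr"] == "*":          # older ss prints '*' for a wildcard bind
        return True
    have, want = ipaddress.ip_address(listener["addr"]), ipaddress.ip_address(want_host)
    return have.version == want.version and (have == want or have.is_unspecified)

def find_conflicts(ss_output, listen_addresses=("127.0.0.1:53", "[::1]:53"),
                   ignore_processes=("dnscrypt-proxy",)):
    """Human-readable list of sockets that must go before dnscrypt-proxy can bind."""
    out = []
    for sock in parse_listeners(ss_output):
        if sock["process"].split("/")[0] in ignore_processes:
            continue
        if any(conflicts(sock, want) for want in listen_addresses):
            out.append(f'{sock["proto"]} {sock["addr"]}:{sock["port"]} {sock["process"]}')
    return out

if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ss", "-Hlnp", "sport = :domain"],
                          capture_output=True, text=True).stdout
    print("\n".join(find_conflicts(live)) or "no conflicting listeners")
```

On the sample, only the two dnsmasq sockets on 127.0.0.1:53 are reported; the systemd-resolved stub on 127.0.0.53 is listed by ss but left alone. Pass your own listen_addresses (for example the 53000 variant from #Change port) to check a forwarder setup instead.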

Modify resolv.conf

Modify the resolv.conf file and replace the current set of resolver addresses with the address for localhost and options [5]:

/etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
options edns0

The two nameserver lines point the system resolver at dnscrypt-proxy on both loopback addresses (list only the one you configured in listen_addresses if you disabled IPv6). options edns0 makes the glibc resolver add an EDNS0 OPT record to its queries, so that replies larger than 512 bytes (DNSSEC-signed answers in particular) can be returned over UDP instead of being truncated and retried over TCP; see #Enable EDNS0.

Other programs may overwrite this file; see resolv.conf#Overwriting of /etc/resolv.conf for details.

Start systemd service

Finally, start/enable the dnscrypt-proxy.service unit or dnscrypt-proxy.socket, depending on which method you chose above.

Check if dnscrypt-proxy is working

Check locally first: $ drill @127.0.0.1 archlinux.org must return an answer, and # journalctl -u dnscrypt-proxy.service should show which server(s) were selected and that the proxy is ready (dnscrypt-proxy -resolve archlinux.org also sends a query through the running proxy). Then open a browser, go to DnsLeakTest and run the extended test: if the servers shown belong to the resolver(s) you configured, dnscrypt-proxy is working. If they belong to your ISP or to another resolver, something in the chain is wrong, typically /etc/resolv.conf having been overwritten or another service still answering on port 53.

Tips and tricks

Enabling, downloading and auto-updating filter lists / block lists

The generate-domains-blocklist.py script in /usr/share/dnscrypt-proxy/utils/generate-domains-blocklist/ downloads the lists named in its configuration file, normalizes them into the pattern syntax dnscrypt-proxy understands and writes a single blocklist. Everything under /usr/share/dnscrypt-proxy/ is owned by the dnscrypt-proxy package and is replaced on upgrade, so do not edit or write there; copy the configuration and the allowlist to a writable location instead (this section uses /etc/dnscrypt-proxy/blocklist/ as an example):

 # mkdir /etc/dnscrypt-proxy/blocklist
 # cp /usr/share/dnscrypt-proxy/utils/generate-domains-blocklist/domains-* /etc/dnscrypt-proxy/blocklist/

Configure the filter list sources in /etc/dnscrypt-proxy/blocklist/domains-blocklist.conf, one URL per line. For example:

# NextDNS CNAME cloaking list
https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
# AdGuard Simplified Domain Names filter
https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
# OISD.NL Big:
https://big.oisd.nl/domainswild
# HaGeZi Multi Pro
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt
# HaGeZi Threat Intelligence Feeds
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt

Each list is fetched over HTTPS and trusted as-is: a compromised or careless list maintainer can block any name they like, so add only sources you are prepared to trust, and use domains-allowlist.txt for names that must never be blocked.

Create a service that downloads and combines the lists and then restarts dnscrypt-proxy so the new file is loaded. /etc/systemd/system/dnscrypt-filterlist-update.service (check the exact script name in the directory listing if the package installs it without the .py suffix):

[Unit]
Description=DNSCrypt Filterlist Update
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
WorkingDirectory=/etc/dnscrypt-proxy/blocklist
ExecStart=/usr/bin/python /usr/share/dnscrypt-proxy/utils/generate-domains-blocklist/generate-domains-blocklist.py -a domains-allowlist.txt -o blocklist.txt
ExecStartPost=/usr/bin/systemctl restart dnscrypt-proxy.service

Create a timer that runs the service 15 minutes after boot and every 5 hours after that. /etc/systemd/system/dnscrypt-filterlist-update.timer:

[Unit]
Description=Run 15min after boot and every 5 hours (DNSCrypt Filterlist Update)

[Timer]
OnBootSec=15min
OnUnitActiveSec=5h

[Install]
WantedBy=timers.target

Enable the timer:

 # systemctl daemon-reload
 # systemctl enable --now dnscrypt-filterlist-update.timer

Configure dnscrypt-proxy to apply the generated patterns. Both keys belong in the [blocked_names] table of /etc/dnscrypt-proxy/dnscrypt-proxy.toml, not at the top level (a top-level log_file redirects the proxy's main log instead):

[blocked_names]
  blocked_names_file = '/etc/dnscrypt-proxy/blocklist/blocklist.txt'
  log_file = '/var/log/dnscrypt-proxy/blocked-names.log'

The file must be readable by the user dnscrypt-proxy.service runs as. Start dnscrypt-filterlist-update.service once by hand to generate it and restart the proxy.
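As an added example (not upstream's generate-domains-blocklist.py and not part of this page), the following shows in reduced form what the merging step does: it normalizes the list formats used above (plain domains, hosts-file entries, *.wildcards and adblock ||domain^ rules) into the bare-name patterns dnscrypt-proxy reads from blocked_names_file, drops names already covered by a parent entry, and honours an allowlist. All input lists are constructed for the example.

```python
"""Merge third-party blocklists into dnscrypt-proxy blocked-names patterns.

In dnscrypt-proxy's syntax a bare name such as 'ads.example.com' blocks that name
and every subdomain, so '*.ads.example.com' and 'sub.ads.example.com' are redundant
once the bare name is present."""
import re

# Constructed sample lists, one per format seen in the sources above.
LIST_PLAIN = "tracker.example\nads.example.com\nsub.ads.example.com\n# comment\n"
LIST_HOSTS = "0.0.0.0 ads.example.com\n127.0.0.1 localhost\n0.0.0.0 metrics.example.net\n"
LIST_WILDCARD = "*.ads.example.com\n*.cdn.example.org\n"
LIST_ADBLOCK = "||popup.example.net^\n||ads.example.com^$third-party\n@@||good.example.com^\n! comment\n"
ALLOWLIST = "cdn.example.org\n"

HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)")
ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def extract_domain(line):
    """Bare domain a list line refers to, or None for comments, adblock exceptions
    (@@...), hosts-file noise such as localhost, and anything that is not a domain."""
    line = line.strip().lower()
    if not line or line[0] in "#!" or line.startswith("@@"):
        return None
    m = HOSTS_RE.match(line)
    if m:
        line = m.group(1)
    m = ADBLOCK_RE.match(line)
    if m:
        line = m.group(1)
    if line.startswith("*."):
        line = line[2:]  # a bare name already covers its subdomains
    if line in ("localhost", "localhost.localdomain", "broadcasthost") or not DOMAIN_RE.match(line):
        return None
    return line

def is_covered(name, patterns):
    """True if name or one of its parent domains is in patterns."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in patterns for i in range(len(parts)))

def merge_blocklists(lists, allowlist=""):
    """Parse every list, keep the shortest covering name for each tree, and drop
    names that are allowlisted (or sit under an allowlisted parent)."""
    names = {d for text in lists for line in text.splitlines() if (d := extract_domain(line))}
    allowed = {d for line in allowlist.splitlines() if (d := extract_domain(line))}
    blocked = set()
    for name in sorted(names, key=lambda n: n.count(".")):  # parents before children
        if not is_covered(name, blocked) and not is_covered(name, allowed):
            blocked.add(name)
    return sorted(blocked)

def would_block(name, patterns):
    """Whether dnscrypt-proxy would block name given the generated bare-name patterns."""
    return is_covered(name.lower().rstrip("."), set(patterns))

if __name__ == "__main__":
    print("\n".join(merge_blocklists([LIST_PLAIN, LIST_HOSTS, LIST_WILDCARD, LIST_ADBLOCK], ALLOWLIST)))
```

Note that an allowlist entry only suppresses patterns at or below that name; it cannot punch a hole in a broader pattern (allowing cdn.example.org does nothing if example.org itself is blocked). For that, dnscrypt-proxy's own allowed_names file is the right tool.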

Local DNS cache configuration

Tip: dnscrypt-proxy can cache entries without relying on another program. This feature is enabled by default with the line cache = true in the configuration file.

It is recommended to run dnscrypt-proxy as a forwarder for a local DNS cache if not using dnscrypt-proxy's cache feature; otherwise, every single query will make a round-trip to the upstream resolver. Any local DNS caching program should work. In addition to setting up dnscrypt-proxy, you must setup your local DNS cache program.

Change port

In order to forward queries from a local DNS cache, dnscrypt-proxy should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 53000 is used as an example in this section. Because it is above 1023, dnscrypt-proxy needs neither root nor CAP_NET_BIND_SERVICE to bind it.

There are two methods for changing the default port:

Socket method

Edit dnscrypt-proxy.socket with the following contents:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:53000
ListenStream=[::1]:53000
ListenDatagram=127.0.0.1:53000
ListenDatagram=[::1]:53000

When queries are forwarded from the local DNS cache to 53000, dnscrypt-proxy.socket will start dnscrypt-proxy.service.

Service method

Edit the listen_addresses option in /etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']

Example local DNS cache configurations

The following configurations should work with dnscrypt-proxy and assume that it is listening on port 53000.

Unbound

Configure Unbound to your liking (in particular, see Unbound#Local DNS server) and add the following lines to the end of the server section in /etc/unbound/unbound.conf:

  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: ::1@53000
  forward-addr: 127.0.0.1@53000
Tip: If you are setting up a server, add interface: 0.0.0.0@53 and access-control: your-network/subnet-mask allow inside the server: section so that the other computers can connect to the server. A client must be configured with nameserver address-of-your-server in /etc/resolv.conf.

Restart unbound.service to apply the changes.

dnsmasq

Configure dnsmasq as a local DNS cache. The basic configuration to work with dnscrypt-proxy:

/etc/dnsmasq.conf
no-resolv
server=::1#53000
server=127.0.0.1#53000
listen-address=::1,127.0.0.1

If you configured dnscrypt-proxy to use a resolver with enabled DNSSEC validation, make sure to enable it also in dnsmasq:

/etc/dnsmasq.conf
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

Restart dnsmasq.service to apply the changes.

pdnsd

Install pdnsd. A basic configuration to work with dnscrypt-proxy is:

/etc/pdnsd.conf
global {
    perm_cache = 1024;
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;
    status_ctl = on;
    query_method = udp_tcp;
    min_ttl = 15m;       # Retain cached entries at least 15 minutes.
    max_ttl = 1w;        # One week.
    timeout = 10;        # Global timeout option (10 seconds).
    neg_domain_pol = on;
    udpbufsize = 1024;   # Upper limit on the size of UDP messages.
}

server {
    label = "dnscrypt-proxy";
    ip = 127.0.0.1;
    port = 53000;
    timeout = 4;
    proxy_only = on;
}

source {
    owner = localhost;
    file = "/etc/hosts";
}

Restart pdnsd.service to apply the changes.

Enable EDNS0

Extension Mechanisms for DNS (EDNS0) let a client attach an OPT pseudo-record to its queries that, among other things, advertises how large a reply it can accept over UDP. Without it a resolver has to assume the original 512-byte limit, so larger answers (DNSSEC-signed responses in particular, but also records with many addresses) come back truncated and the client must retry over TCP, costing an extra round trip. The OPT record also carries the DO bit, without which a client cannot receive DNSSEC signatures at all.

Add the following line to your /etc/resolv.conf:

options edns0
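To make concrete what options edns0 changes on the wire, here is an added example (not part of this page or of dnscrypt-proxy) that builds a DNS query with and without an EDNS0 OPT record and reads the advertised UDP payload size back out of a message. The query_edns helper, which sends the query to dnscrypt-proxy on 127.0.0.1, needs a running proxy and network access; the rest runs offline.

```python
"""Build a DNS query carrying an EDNS0 OPT record (RFC 6891) and read the
advertised UDP payload size back out of a message. This is what `options edns0`
makes the glibc resolver add to every query it sends."""
import socket
import struct

TYPE_OPT = 41
DO_BIT = 0x8000  # "DNSSEC OK" flag, top bit of the OPT record's TTL field

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_query(name, qtype=16, txid=0x1234, edns_payload=4096, dnssec_ok=True):
    """One question (TXT by default) plus, when edns_payload is non-zero, an OPT
    pseudo-record in the additional section. Without OPT the receiver must assume
    a 512-byte limit on UDP replies."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if edns_payload:
        ttl = DO_BIT if dnssec_ok else 0
        # root name, TYPE=OPT, CLASS=requestor's UDP payload size, TTL=flags, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, ttl, 0)
    return msg

def skip_name(msg, pos):
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n

def edns_info(msg):
    """(udp_payload_size, dnssec_ok) from the OPT record, or None if the message
    carries no EDNS0, i.e. its sender is limited to 512-byte UDP replies."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return None

def query_edns(server="127.0.0.1", name="rs.dns-oarc.net", payload=4096, timeout=3.0):
    """Send the query to a resolver (dnscrypt-proxy on localhost by default) and
    return the EDNS0 parameters the reply carries. Needs a running resolver."""
    q = build_query(name, edns_payload=payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(65535)
    return edns_info(reply)

if __name__ == "__main__":
    print(query_edns())
```

A reply without an OPT record (edns_info returning None) means the resolver in front of you is not speaking EDNS0, which is the case the DNS-OARC test below will also show as a size limit of 512 bytes.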

Test EDNS0

Use the DNS Reply Size Test Server: with the drill command line tool, issue a TXT query for the name rs.dns-oarc.net:

$ drill rs.dns-oarc.net TXT

With EDNS0 supported, the "answer section" of the output should look similar to this:

rst.x3827.rs.dns-oarc.net.
rst.x4049.x3827.rs.dns-oarc.net.
rst.x4055.x4049.x3827.rs.dns-oarc.net.
"2a00:d880:3:1::a6c1:2e89 DNS reply size limit is at least 4055 bytes"
"2a00:d880:3:1::a6c1:2e89 sent EDNS buffer size 4096"