Installation on Debian and Ubuntu
The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
sudo apt update && \
sudo apt install -t unstable dnscrypt-proxy
And complete the setup with a reboot.
DNSCrypt-Proxy 2.x is included in the Ubuntu 18.10+ repositories. Install it with: sudo apt install dnscrypt-proxy
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
/etc/dnscrypt-proxy/ is where the Debian/Ubuntu package expects the dnscrypt-proxy configuration to be.
So, type the following commands to copy the examples to that directory:
sudo cp /usr/share/doc/dnscrypt-proxy/examples/* /etc/dnscrypt-proxy/
cd /etc/dnscrypt-proxy
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
The last step is important. You should overwrite the existing dnscrypt-proxy.toml with the example.
Type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -check
It should print Configuration successfully checked.
You can also print the list of configured resolvers with:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -list
Type:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy
The proxy should start:
[2025-01-07 14:26:33] [NOTICE] Network connectivity detected
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2025-01-07 14:26:33] [NOTICE] Source [public-resolvers] loaded
[2025-01-07 14:26:33] [NOTICE] Source [relays] loaded
[2025-01-07 14:26:33] [NOTICE] Firefox workaround initialized
[2025-01-07 14:26:33] [NOTICE] [cs-slovakia] OK (DNSCrypt) - rtt: 44ms
[2025-01-07 14:26:34] [NOTICE] [jp.tiar.app] OK (DNSCrypt) - rtt: 266ms
...
Without stopping the proxy, and in a different terminal, type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -resolve example.com
This should print something like the following:
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 185.117.118.20 (public.deepdns.net.)
Canonical name: example.com.
IPv4 addresses: 93.184.215.14
IPv6 addresses: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
Name servers : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers : 1 mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn
If everything appears to be working fine, stop the proxy by hitting Ctrl+C and/or by closing the terminal window.
Now, it's time to configure it to start automatically at boot:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy -service install
sudo dnscrypt-proxy -service start
Whenever you change the configuration, the service can be restarted with the following command:
sudo dnscrypt-proxy -service restart
Note that if you ever want to stop dnscrypt-proxy from running at boot (obviously, don't do it now as the next steps wouldn't work), type:
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
Type:
sudo nano /etc/systemd/resolved.conf
Locate the [Resolve] section. There should be a line like the following:
#DNS=
Replace it with:
DNS=127.0.0.1
Save the file, and restart the systemd DNS cache:
sudo systemctl restart systemd-resolved
Done! Your system is now using dnscrypt-proxy to secure and anonymize your DNS traffic.
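To confirm that the resolved.conf edit above actually took effect, the following check can be used. It is an added example, not part of the dnscrypt-proxy wiki: it reads the [Resolve] section and fails if DNS= is still commented out, sits in another section, or lists a non-loopback server. The function names and sample files are constructed, and it assumes only the main file matters (drop-ins under resolved.conf.d are not read).

```shell
#!/usr/bin/env bash
# Added example (not from the dnscrypt-proxy wiki): section-aware check that
# resolved.conf points systemd-resolved at the local proxy.
# Assumption: only the main file is read, not resolved.conf.d drop-ins.

# Print the DNS servers active in the [Resolve] section of file $1.
# DNS= is a list: repeated lines accumulate, an empty value resets the list.
resolved_dns() {
    awk '
        /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\]/); next }
        in_resolve && /^[ \t]*DNS[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            list = ($0 == "") ? "" : list " " $0
        }
        END { sub(/^ /, "", list); print list }
    ' "$1"
}

# Return 0 if every active server is on loopback, 1 if DNS= is missing or
# still commented out, 2 if any server is not a loopback address.
check_resolved_conf() {
    local servers s
    servers=$(resolved_dns "$1")
    if [ -z "$servers" ]; then
        echo "FAIL: no active DNS= line in [Resolve]"; return 1
    fi
    for s in $servers; do
        case "$s" in
            127.*|::1) ;;
            *) echo "FAIL: $s is not a loopback address"; return 2 ;;
        esac
    done
    echo "OK: DNS=$servers"
}

# Constructed sample files, not real system configuration.
demo() {
    local d f
    d=$(mktemp -d)
    printf '[Resolve]\n#DNS=\n' > "$d/untouched.conf"
    printf '[Resolve]\nDNS=127.0.0.1\n' > "$d/done.conf"
    printf '[Resolve]\nDNS=127.0.0.1 192.0.2.53\n' > "$d/mixed.conf"
    for f in untouched done mixed; do
        printf '%s: ' "$f"; check_resolved_conf "$d/$f.conf" || true
    done
    rm -rf "$d"
}
demo
```

On a live system, call check_resolved_conf /etc/systemd/resolved.conf after restarting systemd-resolved.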
dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false
If you want to use dnsmasq, some configuration is needed:
- dnsmasq listens on 127.0.0.1:53, so configure dnscrypt-proxy to use something different (e.g. 127.0.2.1:53, see listen_addresses in dnscrypt-proxy.toml)
- configure dnsmasq to use dnscrypt-proxy:
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy
server=127.0.2.1
no-resolv
proxy-dnssec
EOF
In some cases, if you want to run dnscrypt-proxy as a non-root user, you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied".
To solve this problem, run the following command, which allows dnscrypt-proxy to bind to a low-numbered port:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)