The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
sudo apt update && \
sudo apt install -t unstable dnscrypt-proxy
And complete the setup with a reboot.
DNSCrypt-Proxy 2.x is included in the Ubuntu 18.10+ repositories; install it with sudo apt install dnscrypt-proxy
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
/etc/dnscrypt-proxy/ is where the Debian/Ubuntu package expects the dnscrypt-proxy configuration to be.
So, type the following commands to copy the examples to that directory:
sudo cp /usr/share/doc/dnscrypt-proxy/examples/* /etc/dnscrypt-proxy/
cd /etc/dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
The last step is important. You should overwrite the existing dnscrypt-proxy.toml with the example.
Type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -check
It should print Configuration successfully checked.
You can also print the list of configured resolvers with:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -list
Type:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy
The proxy should start:
[2025-01-07 14:26:33] [NOTICE] Network connectivity detected
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2025-01-07 14:26:33] [NOTICE] Source [public-resolvers] loaded
[2025-01-07 14:26:33] [NOTICE] Source [relays] loaded
[2025-01-07 14:26:33] [NOTICE] Firefox workaround initialized
[2025-01-07 14:26:33] [NOTICE] [cs-slovakia] OK (DNSCrypt) - rtt: 44ms
[2025-01-07 14:26:34] [NOTICE] [jp.tiar.app] OK (DNSCrypt) - rtt: 266ms
...
Without stopping the proxy, and in a different terminal, type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -resolve example.com
This should print something like the following:
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 185.117.118.20 (public.deepdns.net.)
Canonical name: example.com.
IPv4 addresses: 93.184.215.14
IPv6 addresses: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
Name servers : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers : 1 mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn
If everything appears to be working fine, stop the proxy by hitting Ctrl+C and/or by closing the terminal window.
Now, it's time to configure it to start automatically at boot:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy -service install
sudo dnscrypt-proxy -service start
Whenever you change the configuration, the service can be restarted with the following command:
sudo dnscrypt-proxy -service restart
Note that if you ever want to stop dnscrypt-proxy from running at boot (obviously, don't do it now as the next steps wouldn't work), type:
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
Type:
sudo nano /etc/systemd/resolved.conf
Locate the [Resolve] section. There should be a line like the following:
#DNS=
Replace it with:
DNS=127.0.0.1
Save the file, and restart the systemd DNS cache:
sudo systemctl restart systemd-resolved
Done! Your system is now using dnscrypt-proxy to secure and anonymize your DNS traffic.
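A common slip in the resolved.conf step is leaving the # in front of DNS= or adding the line outside the [Resolve] section, in which case systemd-resolved keeps using its previous servers. The following is an added example, not part of the original page: it parses a resolved.conf-style file and reports whether the proxy is the only global DNS server. The function names, the sample files and the 192.0.2.53 address are constructed for illustration, and drop-in files are assumed to be absent.

```shell
#!/bin/sh
# Added example (not from the original page): verify the resolved.conf edit.

# Print the effective global DNS= list from the [Resolve] section of file $1.
# Like systemd, later DNS= lines append and an empty "DNS=" clears the list.
# Drop-ins under /etc/systemd/resolved.conf.d/ are not read (assumption: none).
resolved_dns() {
    awk '
        /^[ \t]*\[/ {                        # any section header
            in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/)
            next
        }
        in_resolve && /^[ \t]*DNS[ \t]*=/ {  # a commented "#DNS=" never matches
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            list = ($0 == "") ? "" : (list == "" ? $0 : list " " $0)
        }
        END { if (list != "") print list }
    ' "$1"
}

# Exit status: 0 = only the proxy address ($2, default 127.0.0.1) is configured,
#              1 = no active DNS= line (still commented, or in the wrong section),
#              2 = another server is also listed and may receive plain DNS queries.
check_resolved() {
    want=${2:-127.0.0.1}
    servers=$(resolved_dns "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        [ "$s" = "$want" ] || return 2
    done
    return 0
}

# Constructed sample files, so the example runs without touching /etc.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[Resolve]\nDNS=127.0.0.1\n'            > "$demo_dir/good.conf"
printf '[Resolve]\n#DNS=\n'                    > "$demo_dir/commented.conf"
printf '[Resolve]\nDNS=127.0.0.1 192.0.2.53\n' > "$demo_dir/mixed.conf"

for f in good commented mixed; do
    rc=0
    check_resolved "$demo_dir/$f.conf" || rc=$?
    echo "$f.conf: DNS='$(resolved_dns "$demo_dir/$f.conf")' status=$rc"
done
```

To check the real file, call check_resolved /etc/systemd/resolved.conf after saving the edit; a non-zero status means the file does not yet match what the step describes.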
dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false
If you want to use dnsmasq, some configuration is needed:
- dnsmasq listens on 127.0.0.1:53, so configure dnscrypt-proxy to use something different (e.g. 127.0.2.1:53, see listen_addresses in dnscrypt-proxy.toml)
- configure dnsmasq to use dnscrypt-proxy:
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy
server=127.0.2.1
no-resolv
proxy-dnssec
EOF