Skip to content
Frank Denis edited this page Jun 3, 2024 · 75 revisions

Installation

How do I install DNSCrypt?

You can't. Because DNSCrypt is just a specification.

However, that specification has been implemented in software such as unbound, dnsdist, dnscrypt-wrapper, Simple DNSCrypt and dnscrypt-proxy.

dnscrypt-proxy is a flexible DNS proxy. It runs on your computer or router, and can locally block unwanted content, reveal where your devices are silently sending data to, make applications feel faster by caching DNS responses, and improve security and confidentiality by communicating to upstream DNS servers over secure channels.

OS-specific instructions

Graphical front-ends

  • Simple DNSCrypt is a simple management tool to configure dnscrypt-proxy on windows based systems.
  • DNSCloak is a full-featured DNSCrypt client for iOS, with filtering, logging, caching, password protection and more. No jailbreak required.
  • AdGuard Pro for iOS, Android, macOS and Windows embeds dnscrypt-proxy in a slick user interface.
  • dnscrypt-proxy switcher is a plugin for Bitbar on macOS, to control dnscrypt-proxy usage from the menu bar.

Not-graphical front-ends

Setting up dnscrypt-proxy (general guidelines)

  1. Extract and adjust the configuration file dnscrypt-proxy.toml to your needs. In case you started fresh, ensure you backup your modified dnscrypt-proxy.toml file.

Note: You can choose a set of preferred servers in the dnscrypt-proxy.toml file.

Look for:

# server_names = ['scaleway-fr', 'google', 'yandex']

Change to the servers you would like to use and remove the leading #.

Example:

server_names = ['google', 'cloudflare']

When doing this filters are ignored if you explicitly name the set of resolvers to use ['google', 'cloudflare']

Filters are used when the list is empty, which means all resolvers from configured sources, matching the filters.

  1. Make sure that nothing else is already listening to port 53 on your system and run (in a console with elevated privileges on Windows) the dnscrypt-proxy application.

Change your DNS settings to the configured IP address and check that everything works as expected.

./dnscrypt-proxy -resolve example.com

should return one of the chosen DNS servers instead of your ISP's resolver.

  1. Register as a system service.

Verification of downloaded files

Pre-compiled binaries can be verified with Minisign:

(warning: long line, that may require horizontal scrolling if you use a large font. Make sure to copy the whole of it; the last characters are jB5)

minisign -Vm dnscrypt-proxy-*.tar.gz -P RWTk1xXqcTODeYttYMCMLo0YJHaFEHn7a3akqHlb/7QvIQXHVPxKbjB5

On Windows, archives are ZIP files, not .tar.gz files, so use dnscrypt-proxy-*.zip in the command above.

The public key can also be obtained using a (DNSSEC-signed) DNS query:

dig txt dnscrypt-proxy.key.dnscrypt.info.

Storing the application and its configuration in different directories

This approach is feasible. However, the developers chose to keep them together for simplicity.

If you do decide to store them separately, you must specify the configuration file using an absolute path with the -config option when running any command that requires the configuration file but is not located in the current directory.

The subordinate files (such as allow/block lists, source/log files, and so on) use relative paths based on the location of the [dnscrypt-proxy.toml](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml) file.

Upgrading

Assuming that the official package from this repository was installed, here's how to upgrade to a new version:

  1. Check the change log for configuration files that need to be updated. When in doubt, start over from the example configuration files.
  2. Check that the new version can properly load the old configuration files: /path/to/new/dnscrypt-proxy -config /path/to/old/dnscrypt-proxy.toml -check (it shouldn't print any error)
  3. Replace the old dnscrypt-proxy file with the new one.
  4. Restart the service.
Clone this wiki locally