Installation on Debian and Ubuntu - DNSCrypt/dnscrypt-proxy GitHub Wiki
Installation on Debian and Ubuntu
Generic Linux installation procedure
The generic instructions for Linux work fine on Debian and Ubuntu. The additional instructions below are not required if you are going that route.
Install DNSCrypt-Proxy
Debian testing
sudo apt update && \
sudo apt install -t testing dnscrypt-proxy
Debian unstable
sudo apt update && \
sudo apt install -t unstable dnscrypt-proxy
And complete the setup with a reboot.
Ubuntu
DNSCrypt-Proxy 2.x is included in the Ubuntu 18.10+ repositories. Install it with:
sudo apt install dnscrypt-proxy
Configuration
Remove the previous dnscrypt-proxy service
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
Copy the example configuration files to /etc/dnscrypt-proxy/
/etc/dnscrypt-proxy/ is where the Debian/Ubuntu package expects the dnscrypt-proxy configuration to be.
So, type the following commands to copy the examples to that directory:
sudo cp /usr/share/doc/dnscrypt-proxy/examples/* /etc/dnscrypt-proxy/
cd /etc/dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
The last step is important. You should overwrite the existing dnscrypt-proxy.toml with the example.
Check if the configuration is correct
Type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -check
It should print "Configuration successfully checked".
You can also print the list of configured resolvers with:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -list
Try to run the proxy manually
Type:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy
The proxy should start:
[2025-01-07 14:26:33] [NOTICE] Network connectivity detected
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2025-01-07 14:26:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2025-01-07 14:26:33] [NOTICE] Source [public-resolvers] loaded
[2025-01-07 14:26:33] [NOTICE] Source [relays] loaded
[2025-01-07 14:26:33] [NOTICE] Firefox workaround initialized
[2025-01-07 14:26:33] [NOTICE] [cs-slovakia] OK (DNSCrypt) - rtt: 44ms
[2025-01-07 14:26:34] [NOTICE] [jp.tiar.app] OK (DNSCrypt) - rtt: 266ms
...
Check if the proxy is properly running
Without stopping the proxy, and in a different terminal, type:
cd /etc/dnscrypt-proxy
dnscrypt-proxy -resolve example.com
This should print something like the following:
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 185.117.118.20 (public.deepdns.net.)
Canonical name: example.com.
IPv4 addresses: 93.184.215.14
IPv6 addresses: 2606:2800:21f:cb07:6820:80da:af6b:8b2c
Name servers : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers : 1 mail servers found
HTTPS alias : -
HTTPS info : -
Host info : -
TXT records : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn
Install the service
If everything appears to be working fine, stop the proxy by hitting Ctrl+C and/or by closing the terminal window.
Now, it's time to configure it to start automatically at boot:
cd /etc/dnscrypt-proxy
sudo dnscrypt-proxy -service install
sudo dnscrypt-proxy -service start
Whenever you change the configuration, the service can be restarted with the following command:
sudo dnscrypt-proxy -service restart
Note that if you ever want to stop dnscrypt-proxy from running at boot (obviously, don't do it now as the next steps wouldn't work), type:
sudo dnscrypt-proxy -service stop
sudo dnscrypt-proxy -service uninstall
Configure the systemd DNS to use dnscrypt-proxy
Type:
sudo nano /etc/systemd/resolved.conf
Locate the [Resolve] section. There should be a line like the following:
#DNS=
Replace it with:
DNS=127.0.0.1
Save the file, and restart the systemd DNS cache:
sudo systemctl restart systemd-resolved
Done! Your system is now using dnscrypt-proxy to secure and anonymize your DNS traffic.
If dnsmasq was/is also running
Option 1: remove dnsmasq
dnsmasq performs caching, as does dnscrypt-proxy v2. As such, the redundant caching is unnecessary, and dnsmasq can effectively be disabled. To disable dnsmasq for NetworkManager, make the /etc/NetworkManager/NetworkManager.conf file look like this:
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false
Option 2: keep dnsmasq
If you want to use dnsmasq, some configuration is needed:
- dnsmasq listens on 127.0.0.1:53, so configure dnscrypt-proxy to use something different (e.g. 127.0.2.1:53, see listen_addresses in dnscrypt-proxy.toml)
- configure dnsmasq to use dnscrypt-proxy:
sudo tee /etc/dnsmasq.d/dnscrypt-proxy << EOF
# Redirect everything to dnscrypt-proxy
server=127.0.2.1
no-resolv
proxy-dnssec
EOF
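A consistency check for the files edited above, as an added example that is not part of the wiki or the dnscrypt-proxy project: it confirms that resolved.conf has an active DNS= line and that the address it (or dnsmasq, in Option 2) forwards to appears in listen_addresses. The function names and sample files are constructed, and it assumes one address per DNS= or server= line and port 53 throughout.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.
# Assumes one address per DNS= / server= line and port 53 everywhere.

# Active (uncommented) DNS= value from the [Resolve] section of resolved.conf.
resolved_dns() {
    awk -F= '/^\[/ { in_sec = ($0 == "[Resolve]") }
             in_sec && $1 == "DNS" { print $2 }' "$1"
}

# Entries of listen_addresses in dnscrypt-proxy.toml, one per line.
listen_addrs() {
    sed -n 's/^listen_addresses *= *\[\(.*\)\]/\1/p' "$1" |
        tr -d "'\" " | tr ',' '\n'
}

# Succeeds if address $1 on port 53 is in the listen list of toml file $2.
is_listening() { listen_addrs "$2" | grep -qxF "$1:53"; }

# Usage: check_chain resolved.conf dnscrypt-proxy.toml [dnsmasq-conf]
# Without dnsmasq: resolved must point at a dnscrypt-proxy listener.
# With dnsmasq (Option 2): dnscrypt-proxy must stay off 127.0.0.1:53 and
# the dnsmasq server= target must be one of its listeners.
check_chain() {
    dns=$(resolved_dns "$1")
    [ -n "$dns" ] || { echo "FAIL: no active DNS= in [Resolve]"; return 1; }
    if [ -z "$3" ]; then
        is_listening "$dns" "$2" ||
            { echo "FAIL: dnscrypt-proxy does not listen on $dns:53"; return 1; }
    else
        up=$(sed -n 's/^server=//p' "$3")
        is_listening 127.0.0.1 "$2" &&
            { echo "FAIL: dnscrypt-proxy and dnsmasq both on 127.0.0.1:53"; return 1; }
        is_listening "$up" "$2" ||
            { echo "FAIL: dnsmasq forwards to $up, not a listener"; return 1; }
    fi
    echo "OK"
}

# Constructed sample files mirroring Option 2 on this page.
d=$(mktemp -d)
printf '[Resolve]\nDNS=127.0.0.1\n' > "$d/resolved.conf"
printf "listen_addresses = ['127.0.2.1:53']\n" > "$d/dnscrypt-proxy.toml"
printf 'server=127.0.2.1\nno-resolv\nproxy-dnssec\n' > "$d/dnsmasq.conf"
check_chain "$d/resolved.conf" "$d/dnscrypt-proxy.toml" "$d/dnsmasq.conf"
```

On a real system, pass /etc/systemd/resolved.conf, /etc/dnscrypt-proxy/dnscrypt-proxy.toml and, if dnsmasq is kept, /etc/dnsmasq.d/dnscrypt-proxy.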