Installation
You can't. Because DNSCrypt is just a specification.
That specification has been implemented in software such as unbound, dnsdist, dnscrypt-wrapper and dnscrypt-proxy.
dnscrypt-proxy is a flexible DNS proxy. It runs on your computer or router, and can locally block unwanted content, reveal where your devices are silently sending data to, make applications feel faster by caching DNS responses, and improve security and confidentiality by communicating to upstream DNS servers over secure channels.
- Extract and adjust the configuration file dnscrypt-proxy.toml to your needs. In case you started fresh, ensure you back up your modified dnscrypt-proxy.toml file.
Note: You can choose a set of preferred servers in the dnscrypt-proxy.toml file.
Look for:
# server_names = ['scaleway-fr', 'google', 'yandex']
Change to the servers you would like to use and remove the leading #.
Example:
server_names = ['google', 'cisco-ipv6']
When you explicitly name the set of resolvers to use, as in ['google', 'cisco-ipv6'], filters are ignored.
Filters are used when the list is empty, which means all resolvers from configured sources that match the filters.
- Make sure that nothing else is already listening on port 53 on your system and run (in a console with elevated privileges on Windows) the dnscrypt-proxy application.
Change your DNS settings to the configured IP address and check that everything works as expected.
./dnscrypt-proxy -resolve example.com
should return one of the chosen DNS servers instead of your ISP's resolver.
- Register as a system service (see below).
With administrator privileges, type dnscrypt-proxy -service install to register dnscrypt-proxy as a system service, and dnscrypt-proxy -service start to start it.
If the file is in the current directory and not where other executable files are, use ./dnscrypt-proxy instead of just dnscrypt-proxy.
On Windows, this is not even required: you can just double-click on server-install.bat to install the service.
Done. It will automatically start at boot.
This setup procedure is compatible with Windows, Linux (systemd, Upstart, SysV), and macOS (launchd).
Other commands include stop, restart (useful after a configuration change) and uninstall.
Note that on Linux, kernel 2.6.23 or later is required.
Arch Linux has a package for v2 in its AUR repository:
- Install it with:
yaourt -S dnscrypt-proxy-go
- Activate & start the service:
systemctl enable dnscrypt-proxy.service
systemctl start dnscrypt-proxy.service
- Check successful service start:
systemctl status dnscrypt-proxy.service
and look for the log lines:
dnscrypt-proxy is ready - live servers:
dnscrypt-proxy is now listening on 127.0.0.1:53
Gentoo Linux has a package for v2 in its main repository:
- Install it with:
emerge dnscrypt-proxy -av
- Activate & start the service:
  - With OpenRC
    rc-update add dnscrypt-proxy default
    rc-service dnscrypt-proxy start
  - With systemd
    sed -i 's|\['\''127\.0\.0\.1:53'\'', '\''\[::1\]:53'\''\]|\[\]|g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    systemctl enable dnscrypt-proxy.service --now
- Check successful service start:
  - With OpenRC
    rc-service dnscrypt-proxy status
     * status: started
  - With systemd
    systemctl status dnscrypt-proxy.service
- Adjust your /etc/resolv.conf file to query dnscrypt-proxy:
nameserver 127.0.0.1
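The two conditions this procedure depends on (nothing else listening on port 53, and /etc/resolv.conf naming only dnscrypt-proxy) can be checked with a short script. This is an added example, not part of the dnscrypt-proxy project; it assumes awk and iproute2's ss are available, and the function names, LISTEN_ADDRS and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks before relying on dnscrypt-proxy for DNS.
# LISTEN_ADDRS is an assumption: the loopback addresses used on this page.
LISTEN_ADDRS="127.0.0.1 ::1"

# Print every nameserver in a resolv.conf-style file (path in $1, or stdin)
# that is not one of LISTEN_ADDRS. Any output means queries can bypass the
# proxy. 127.0.0.53 is flagged too: that is systemd-resolved's stub listener.
stray_resolvers() {
    awk -v ok="$LISTEN_ADDRS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 == "nameserver" && !($2 in allowed) { print $2 }
    ' "$@"
}

# Read `ss -H -lntup` lines on stdin; print "proto local-address owner" for
# each port 53 socket not owned by dnscrypt-proxy. Without root, ss omits the
# process column for other users' sockets, so the owner becomes "unknown".
port53_conflicts() {
    awk '
        $5 ~ /:53$/ && $0 !~ /"dnscrypt-proxy"/ {
            owner = ($7 == "") ? "unknown" : $7
            print $1, $5, owner
        }
    '
}

# Constructed sample inputs (not captured from a real host).
sample_resolv_conf() {
    cat <<'EOF'
nameserver 127.0.0.1
nameserver 127.0.0.53
nameserver 192.0.2.1
options edns0
EOF
}
sample_ss_output() {
    cat <<'EOF'
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnscrypt-proxy",pid=901,fd=7))
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=800,fd=7))
tcp LISTEN 0 128 [::1]:53 [::]:*
EOF
}

# Demo on the samples. On a real host:
#   stray_resolvers /etc/resolv.conf; ss -H -lntup | port53_conflicts
sample_resolv_conf | stray_resolvers
sample_ss_output | port53_conflicts
```

Both functions print nothing when the host is set up as this page describes, so any output is something to resolve before trusting that DNS traffic goes through the proxy.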
Pi-hole has a documentation page on how to set up dnscrypt-proxy 2: https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
The following command adds the required attributes to the dnscrypt-proxy file so that it can run as a non-root user:
sudo setcap cap_net_bind_service=+pe dnscrypt-proxy
Using Homebrew - https://brew.sh
To install Homebrew, type in Terminal:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
and to install dnscrypt-proxy with Homebrew, type in Terminal:
brew install dnscrypt-proxy
And follow the instructions that are given in the Terminal.
Download the dnscrypt-proxy-macos-2.x.x.tar.gz
- Extract the tar.gz file; move it to a location you would like to put it in. You can also rename the folder.
Example: Put it in the home directory and rename the folder to Dnscrypt.
Note: Make sure you rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml; it's located in the folder.
- Install the dnscrypt-proxy service and start it by opening Terminal and entering:
sudo ~/Dnscrypt/dnscrypt-proxy -service install
sudo ~/Dnscrypt/dnscrypt-proxy -service start
Or
cd Dnscrypt
sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start
- Now open Network Preferences and change the DNS server under Advanced and DNS tab.
Change it to 127.0.0.1 or ::1.
Download the dnscrypt-proxy-linux_x86_64-2.x.x.tar.gz (or whichever is appropriate for your system)
- Extract the tar.gz file; move it to a location you would like to put it in. You can also rename the folder.
Example: Put it in the home directory and rename the folder to Dnscrypt.
Note: Make sure you rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml; it's located in the folder.
- Install the dnscrypt-proxy service and start it by opening Terminal and entering:
sudo ~/Dnscrypt/dnscrypt-proxy -service install
sudo ~/Dnscrypt/dnscrypt-proxy -service start
Or
cd Dnscrypt
sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start
- Now set the DNS server in /etc/network/interfaces. Within the Terminal enter:
sudoedit /etc/network/interfaces
Then add the following to it:
dns-nameservers 127.0.0.1
It should now look something like this:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
dns-nameservers 127.0.0.1
Save it, then either reboot or run the following command:
sudo ifdown lo && sudo ifup lo
From golang's minimum requirements:
- Kernel version 2.6.23 or later.
- Linux/ARMv5 requires much newer kernels, at least v3.1 (for __kuser_cmpxchg64).
- We don't support CentOS 5. The kernel is too old (2.6.18).
- For little-endian MIPS64, kernel version 4.1 is known to fail, and 4.8 works.
In some cases, if you want to run dnscrypt-proxy as a non-root user, you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied".
To solve this problem, you can run the following command, which allows dnscrypt-proxy to bind to a low-numbered port:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)