DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It turns regular DNS traffic into encrypted DNS traffic that's protected from spying, spoofing, or man-in-the-middle attacks, thus improving the user's online security and privacy.

DNSCrypt Proxy 2 features include:

- Encrypted and authenticated DNS traffic, supporting DNS-over-HTTPS (DoH) and DNSCrypt
- DNS query monitoring, with separate log files for regular and suspicious queries
- Filtering: block ads, malware, and other unwanted content
- DNS caching, to reduce latency and improve privacy
- Local IPv6 blocking to reduce latency on IPv4-only networks
- Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones
- Automatic background updates of resolvers lists
- DNSSEC-compatible

You can check out the complete DNSCrypt Proxy v2 feature list by visiting the project page.

Compared to v1, the 2.0 series of DNSCrypt Proxy, which had its first stable release back in February, was rewritten in Go, has support for DNS-over-TLS and DNS-over-HTTP, and it supports DNS caching. It also has a new configuration file format that's not compatible with the old v1.

DNSCrypt Proxy v2 is available in the Debian Testing and Unstable repositories, as well as the Ubuntu 18.10 and 19.04 repositories. There's also a PPA for Ubuntu 18.04 and Linux Mint 19. The PPA has packages for older Ubuntu / Linux Mint versions but I couldn't get it to work, so this article offers instructions only for Ubuntu 18.04, Ubuntu 18.10, Ubuntu 19.04, Linux Mint 19.x, Debian Unstable and Debian Testing.

As a side note, for Windows users there's a simple management tool for DNSCrypt Proxy, called Simple DNSCrypt.

How to install and enable DNSCrypt Proxy 2 in Ubuntu 19.04 / 18.10 or Debian Unstable / Testing

Ubuntu 18.10 is the first Ubuntu release to have the new DNSCrypt Proxy 2 in its archive. The package was imported from Debian and thus is also available in Debian Unstable and Testing.

Purge any previously installed dnscrypt-proxy package:

    sudo apt purge dnscrypt-proxy

Install DNSCrypt Proxy 2:

    sudo apt install dnscrypt-proxy

Next, set the DNS server for your network connection to 127.0.2.1. How to change this depends on the desktop environment you're using.

For example, go to System Settings > Network (or System Settings > WiFi for a wireless connection), click the cog icon next to the network you're connected to, and in the IPv4 tab disable Automatic next to DNS, and enter 127.0.2.1 as the DNS server. You'll also need to disable and re-enable your network using the slider, or restart it from the command line:

    sudo systemctl restart NetworkManager

On a desktop with a network applet in the panel, right click the applet and select Edit Connections. Next, select your active connection, then click the cog icon at the bottom to edit it. On the IPv4 Settings tab select Automatic (DHCP) addresses only from the Method dropdown, then enter 127.0.2.1 in the DNS servers field, and click Save. Next, right click the network applet in the panel again, click Enable Networking once to disable it, then click it again to re-enable networking. You can also restart it by using this command:

    sudo systemctl restart NetworkManager

How to install and enable DNSCrypt Proxy 2 in Ubuntu 18.04 or Linux Mint 19.x

DNSCrypt Proxy v2 didn't make it into the Ubuntu 18.04 archive, but it has an official PPA you can use to install it and receive future updates. The PPA is compatible with Ubuntu 18.04, Ubuntu 16.04, Linux Mint 19.x and Linux Mint 18.x, but I didn't have much success getting DNSCrypt Proxy 2 from this PPA to work in Ubuntu 16.04 or Linux Mint 18. So the instructions below are for Ubuntu 18.04 and Linux Mint 19.x only.

Purge any previously installed dnscrypt-proxy package:

    sudo apt purge dnscrypt-proxy

Now you can add the PPA and install DNSCrypt Proxy v2 in Ubuntu 18.04 or Linux Mint 19:

    sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
    sudo apt update
    sudo apt install dnscrypt-proxy

Next, set the DNS server for your network connection to 127.0.2.1. How to change this depends on the desktop environment you're using.

For example, go to System Settings > Network (or System Settings > WiFi for a wireless connection), click the cog icon next to the network you're connected to, and in the IPv4 tab disable Automatic next to DNS, and enter 127.0.2.1 as the DNS server. Restart the network by disabling and re-enabling the slider next to the network you're connected to, or restart it by using this command:

    sudo systemctl restart NetworkManager

On a desktop with a network applet in the bottom panel, left click the applet and select Edit Connections. Next, select your active connection, then click the cog icon at the bottom to edit it. On the IPv4 Settings tab select Automatic (DHCP) addresses only from the Method dropdown, then enter 127.0.2.1 in the DNS servers field, and click Save. Next, right click the network applet in the bottom panel again, click Enable Networking once to disable it, then click it again to re-enable networking. You can also restart it by using this command:

    sudo systemctl restart NetworkManager

How to check if you're using DNSCrypt Proxy

There are multiple ways of checking if you're using DNSCrypt Proxy and which DNS resolver you're currently using. Use the first one below to find out if DNSCrypt Proxy actually works on your system, and the other two if you want to check which DNS resolver is in use on your computer (all can be used to also check if you're using DNSCrypt Proxy, but the first one is the most reliable).

I. The best way to check if you're using DNSCrypt Proxy is to stop the service. Since it's stopped, DNS resolution should not work any more, confirming that DNSCrypt Proxy is actually in use when the service is running.

Stop the DNSCrypt Proxy service / socket using these commands:

    sudo systemctl stop dnscrypt-proxy.socket
    sudo systemctl stop dnscrypt-proxy

Now try to ping a domain, like google.com:

    ping google.com

The domain shouldn't resolve, throwing an error, like this:

    $ ping google.com
    ping: google.com Name or service not known

Now that you've confirmed DNSCrypt Proxy is used, start its service / socket again using:

    sudo systemctl start dnscrypt-proxy
    sudo systemctl start dnscrypt-proxy.socket

II. To check the actual IP of the DNS resolver you're currently using (for example, if you're using Google's 8.8.8.8 and 8.8.4.4 DNS, the actual IP isn't any of those two), you can look at the output of this command:

    dnscrypt-proxy -resolve google.com

For example, using the de.dnsmaschine.net DNS server, which is hosted by vultr.com, this is the output (see the last line, called Resolver IP):

    $ dnscrypt-proxy -resolve google.com
    Resolving [google.com]
    Domain exists: yes, 4 name servers found
    Canonical name: google.com.
    IP addresses: 74.125.24.113, 74.125.24.139, 74.125.24.100, 74.125.24.138, 74.125.24.101, 74.125.24.102, 2404:6800:4003:c03::71
    TXT records: facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95 v=spf1 include:_spf.google.com ~all docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e
    Resolver IP: 209.250.235.170 (209.250.235.170.vultr.com.)

III. You can find your current DNS resolver by using a DNS Leak tester website. There are quite a few websites for this available, like Perfect Privacy DNS Leak Test, the DNS Leak Test of ExpressVPN, ipleak.net and so on.

(Optional) How to change the DNSCrypt Proxy 2 DNS servers

Using its default configuration, DNSCrypt Proxy 2 automatically picks the fastest working servers from the public servers list, which match the filters set up in the DNSCrypt Proxy 2 configuration file.

This is the case for the packages from the DNSCrypt Proxy 2 PPA, but not for the package available in the Ubuntu 19.04 and 18.10 repositories. In Ubuntu 19.04 / 18.10, DNSCrypt Proxy 2 defaults to the CloudFlare DNS.

If you want to change the DNSCrypt Proxy 2 servers, you'll need to edit the /etc/dnscrypt-proxy/dnscrypt-proxy.toml configuration file as root. To open this file as root with Gedit (the default Gnome text editor), you can use this command:

    gedit admin:///etc/dnscrypt-proxy/dnscrypt-proxy.toml

Replace gedit with the graphical text editor of your choice (like xed, which is the default text editor in Linux Mint Cinnamon, etc.).

Or, if you want to use the Nano command line editor, use:

    sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Next, in this file uncomment the server_names line if it's commented out (it should be near the top; it's commented out for the PPA packages). Uncommenting this line means removing the # sign from the beginning of the line, if it's present.

Copy the server name you want to use from this page (copy the exact server name from the Name column), and add it to server_names in /etc/dnscrypt-proxy/dnscrypt-proxy.toml. For example, if you only want to add one server, the server_names value should look like this:

    server_names = ['server']

If you want to add multiple DNS servers, it should look like this:

    server_names = ['server1', 'server2', 'server3']

After making changes to the DNSCrypt Proxy 2 configuration file, you'll need to restart its systemd service or else the changes won't be applied until you reboot. You can restart DNSCrypt Proxy 2 by using this command:

    sudo systemctl restart dnscrypt-proxy

All the DNSCrypt Proxy 2 options can be changed by editing the /etc/dnscrypt-proxy/dnscrypt-proxy.toml configuration file.

If you're using the PPA package, all the DNSCrypt Proxy 2 configuration options are already available in the /etc/dnscrypt-proxy/dnscrypt-proxy.toml file.

In case of Ubuntu 19.04 / 18.10 and Debian Testing and Unstable, the DNSCrypt Proxy 2 package that's available in the repositories ships with a simplified configuration file, which only has a few options listed. You can find the original dnscrypt-proxy.toml on GitHub though. Copy the options you want to use (and uncomment them) into your /etc/dnscrypt-proxy/dnscrypt-proxy.toml.

Don't change the listen_addresses value though (leave it empty) as it may cause DNSCrypt Proxy 2 to stop working. If you must change the DNSCrypt Proxy 2 listen address (defaulting to 127.0.2.1 in Debian and Ubuntu), do so by editing the dnscrypt-proxy.socket file.
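
A quick audit of the two settings discussed above, server_names and listen_addresses, as an added shell example that is not from the original article or the DNSCrypt Proxy project. The function names (toml_value, audit_config, demo) and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit two dnscrypt-proxy.toml settings.

# Print the value of an uncommented "KEY = value" line, minus trailing comment.
toml_value() {  # usage: toml_value KEY FILE
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//' | head -n 1
}

# Return 0 when listen_addresses follows the article's advice, 1 otherwise.
audit_config() {  # usage: audit_config FILE
    findings=0
    servers=$(toml_value server_names "$1")
    listen=$(toml_value listen_addresses "$1")
    if [ -z "$servers" ]; then
        echo "server_names: commented out or missing, package defaults apply"
    else
        echo "server_names: $servers"
    fi
    case $(printf '%s' "$listen" | tr -d '[:space:]') in
        '[]') echo "listen_addresses: empty, as advised" ;;
        '')   echo "listen_addresses: no uncommented line found" ;;
        *)    echo "listen_addresses: $listen (move this to dnscrypt-proxy.socket)"
              findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample config, edited the way the article describes.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# server_names = ['server']
server_names = ['server1', 'server2', 'server3']
listen_addresses = []
EOF
    audit_config "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo
```

Run audit_config /etc/dnscrypt-proxy/dnscrypt-proxy.toml after editing the file and before restarting the service.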