Every website you visit starts with a DNS query: your device asking a resolver to translate a domain name into an IP address. By default these queries travel in plaintext over UDP port 53, so your ISP, your router, and anyone on the path can read every domain you look up, and anyone who can inject packets can answer first with a forged address. DNSCrypt-Proxy is a local forwarder that takes plaintext queries from your applications and relays them, encrypted with the DNSCrypt protocol or DNS-over-HTTPS (DoH), to resolvers you choose. Note what that does and does not buy you: the network path can no longer read or tamper with the queries, but the resolver you pick still sees all of them, so the choice of resolver matters as much as the encryption.
Why DNSCrypt-Proxy?
Compared to simply switching your DNS server to 1.1.1.1 or 8.8.8.8 (which still sends every query in cleartext on port 53), DNSCrypt-Proxy offers:
- Encryption and authentication of every query to the resolver, using DNSCrypt v2 or DoH
- Selection of resolvers that perform DNSSEC validation (the proxy itself does not validate; it relies on the resolver doing so)
- Local caching for faster repeat lookups
- Query filtering: block ads, trackers, and malware domains by name before they leave your machine
- Anonymized DNS: routes queries through a relay so the resolver never sees your IP (DNSCrypt servers only)
- Automatic latency-based load balancing and failover across several resolvers
Installing DNSCrypt-Proxy
Linux (Debian/Ubuntu)
sudo apt update && sudo apt install dnscrypt-proxy
The Debian/Ubuntu package keeps its configuration in /etc/dnscrypt-proxy/dnscrypt-proxy.toml and ships a socket-activated unit (dnscrypt-proxy.socket) that listens on 127.0.2.1:53 regardless of listen_addresses in the config. Either point the system resolver at 127.0.2.1 instead of 127.0.0.1, or change the address with sudo systemctl edit dnscrypt-proxy.socket.
Linux (Arch)
sudo pacman -S dnscrypt-proxy
Linux (Manual/Latest Binary)
Download the latest release from GitHub. The file name carries the version, so the /latest/ URL below only works while 2.1.7 is the current release; check the releases page for the current number, and verify the .minisig signature published next to each asset before installing anything:
wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/latest/download/dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz
tar xzf dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz
cd linux-x86_64
sudo cp dnscrypt-proxy /usr/local/bin/
sudo mkdir -p /etc/dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml
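The manual install above trusts whatever the download returns. Releases are signed with minisign under the project's published key (the same RWQf6LRC... key the [sources] block of the config uses for the resolver list), and every asset has a .minisig file next to it. The script below is an added example, not part of the original page or of the dnscrypt-proxy project: it pins a release tag instead of /latest/ so the file name and URL cannot drift apart, downloads the tarball and its signature, and refuses to install anything that does not verify. The default version 2.1.7 and the x86_64 architecture are assumptions, and it needs curl and minisign on the PATH.

```shell
#!/bin/sh
# Added example: verified install of a dnscrypt-proxy release (not project code).
# Assumes curl and minisign are installed; version/arch defaults are assumptions.
set -eu

# Project release-signing key (minisign). Same key as in the [sources] config block.
DNSCRYPT_MINISIGN_KEY='RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

# release_asset_name VERSION ARCH -> e.g. dnscrypt-proxy-linux_x86_64-2.1.7.tar.gz
release_asset_name() {
  printf 'dnscrypt-proxy-linux_%s-%s.tar.gz\n' "$2" "$1"
}

# release_url VERSION ARCH -> pinned download URL for that exact tag (no /latest/)
release_url() {
  printf 'https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/%s/%s\n' \
    "$1" "$(release_asset_name "$1" "$2")"
}

# install_dnscrypt_proxy [VERSION] [ARCH]
# Downloads the tarball and its .minisig, verifies the signature, and only then
# installs the binary and (if absent) the example config. Returns non-zero and
# installs nothing if the signature does not check out or a download fails.
install_dnscrypt_proxy() {
  version=${1:-2.1.7}
  arch=${2:-x86_64}
  asset=$(release_asset_name "$version" "$arch")
  url=$(release_url "$version" "$arch")
  workdir=$(mktemp -d)
  status=0
  (
    cd "$workdir"
    curl -fsSLO "$url"
    curl -fsSLO "$url.minisig"
    # -V verify, -m file to check, -P public key; the .minisig beside the
    # file is used automatically. A bad or missing signature exits non-zero.
    minisign -Vm "$asset" -P "$DNSCRYPT_MINISIGN_KEY"
    tar xzf "$asset"
    install -m 0755 "linux-$arch/dnscrypt-proxy" /usr/local/bin/dnscrypt-proxy
    mkdir -p /etc/dnscrypt-proxy
    [ -e /etc/dnscrypt-proxy/dnscrypt-proxy.toml ] || \
      install -m 0644 "linux-$arch/example-dnscrypt-proxy.toml" \
        /etc/dnscrypt-proxy/dnscrypt-proxy.toml
  ) || status=$?
  rm -rf "$workdir"
  return "$status"
}
```

Run install_dnscrypt_proxy 2.1.7 x86_64 as root. A tampered or truncated tarball makes minisign fail, the subshell aborts before the install step, and the function returns non-zero without touching /usr/local/bin.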
Windows
Download the Windows binary from the same GitHub releases page, extract it, and rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml in the extracted folder (the binary looks for that file next to itself). Then, from an Administrator PowerShell in that folder, register and start the service:
.\dnscrypt-proxy.exe -service install
.\dnscrypt-proxy.exe -service start
macOS
brew install dnscrypt-proxy
Homebrew places the configuration under $(brew --prefix)/etc/. Start it with sudo brew services start dnscrypt-proxy; root is needed because the proxy binds port 53.
Configuring dnscrypt-proxy.toml
The main configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.toml for packaged and manual installs on Linux. When you run the binary by hand it looks for dnscrypt-proxy.toml in the current directory, so pass -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml to point it at the system copy.
Core Settings
# Listen on localhost port 53 (add '[::1]:53' if local programs may query over IPv6 loopback)
listen_addresses = ['127.0.0.1:53']
# Also use resolvers that are only reachable over IPv6; leave false unless the host has IPv6 connectivity
ipv6_servers = false
# Transports to use when picking resolvers (both enabled by default)
dnscrypt_servers = true
doh_servers = true
# Use only resolvers that perform DNSSEC validation (the proxy does not validate itself)
require_dnssec = true
# Reject resolvers that keep logs
require_nolog = true
# false allows resolvers that apply their own filtering, e.g. the quad9 '-filter' entries
require_nofilter = false
# Per-query timeout in milliseconds before a server is considered unresponsive
timeout = 5000
# Keepalive period in seconds for TCP connections to servers
keepalive = 30
The require_* flags match against properties that each operator declares in the resolver list; the proxy has no way to verify that a resolver really keeps no logs.
Choosing Resolvers
DNSCrypt-Proxy uses a resolver list that it downloads automatically, verifies against a minisign public key, and refreshes on a schedule. Specify which servers to use:
# Use only specific named servers
server_names = ['cloudflare', 'mullvad-doh', 'quad9-dnscrypt-ip4-filter-pri']
Or leave server_names commented out to use every server in the list that passes your require_* filters; at startup the proxy measures each server's latency and picks according to lb_strategy (default 'p2', a random choice among the two fastest).
The [sources] block tells the proxy where to fetch the list, where to cache it, which key must have signed it, and how often (in hours) to refresh. These are the defaults from the example config:
[sources]
[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
A list that fails signature verification is rejected, so a compromised mirror cannot quietly add a rogue resolver; the cached copy keeps the proxy working if both URLs are unreachable.
Enabling Anonymized DNS
Anonymized DNS sends each query through a relay: the relay sees your IP but only an encrypted blob it cannot read, and the resolver sees the query but only the relay's IP. It works with DNSCrypt servers only. DoH servers such as 'cloudflare' or 'mullvad-doh' cannot be routed through relays, and with skip_incompatible = true they are dropped from the pool rather than used directly. Relay names come from a separate relays.md list, so keep the [sources.relays] block from the example config next to [sources.public-resolvers]:
[sources.relays]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',
'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
cache_file = '/var/cache/dnscrypt-proxy/relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
Then map DNSCrypt servers to relays. A route with server_name='*' applies to every DNSCrypt server without an explicit entry:
[anonymized_dns]
routes = [
{ server_name='quad9-dnscrypt-ip4-filter-pri', via=['anon-cs-amsterdam', 'anon-cs-london'] },
{ server_name='*', via=['anon-cs-de'] }
]
skip_incompatible = true
This adds a relay hop between you and the resolver: the resolver sees the relay's IP, not yours. Pick relays run by a different operator than the resolver; if one party runs both, it can correlate your IP with your queries and the hop buys you nothing.
DNS Query Caching
Enable caching to speed up repeated lookups (these are the example config's defaults):
[cache]
enabled = true
size = 4096
min_ttl = 2400
max_ttl = 86400
neg_min_ttl = 60
neg_max_ttl = 600
min_ttl and max_ttl clamp the TTLs received from the resolver, so min_ttl = 2400 means a record the authoritative server marked valid for 60 seconds is served from cache for 40 minutes. That breaks fast DNS failover and CDN rotation; lower it if you need records to change quickly. The neg_* values do the same for negative (NXDOMAIN) answers.
Blocking Ads and Malware with DNS Filters
DNSCrypt-Proxy can block domains by name using a blocklist, one pattern per line: example.com or *.example.com blocks the name and all its subdomains, =example.com blocks exactly that name, and ads.*, *tracker* or ads[0-9]* are shell-style wildcards. A blocked query gets a synthetic answer instead of being forwarded (HINFO by default; blocked_query_response can switch that to REFUSED or a dummy address):
[blocked_names]
blocked_names_file = '/etc/dnscrypt-proxy/blocklist.txt'
log_file = '/var/log/dnscrypt-proxy/blocked.log'
The log directory must exist and be writable by the user the proxy runs as. Exceptions go in a separate [allowed_names] list, which wins over blocked_names.
Download a comprehensive blocklist:
sudo curl -o /etc/dnscrypt-proxy/blocklist.txt \
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnscrypt/pro.txt
Hagezi's DNS blocklists are among the best maintained, with large, regularly updated sets of ad, tracker and malware domains. The proxy reads the file at startup, so restart it after updating the list, and check the download for completeness before replacing a working copy.
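Before pointing the proxy at a list, it helps to know which rule a given name hits, both to debug an over-blocked site and to confirm a rule you added actually covers what you meant. The checker below is an added example, not code from the page, from hagezi or from the dnscrypt-proxy project. It implements the pattern forms the project's example blocked-names file documents: a bare name or *.name covers the name and its subdomains, =name is exact, and ads.*, *sex* or ads[0-9]* are shell-style globs. Time-range suffixes (@...) are stripped rather than evaluated, and the blocklist contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: which blocklist rule covers a name? (not dnscrypt-proxy's own code)

# Lower-case and strip a trailing dot so "WWW.Example.COM." compares the way
# the proxy sees query names.
normalize_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# matches_pattern NAME RULE -> exit 0 if RULE covers NAME
matches_pattern() {
  name=$1
  rule=$2
  case $rule in
    =*)                                   # "=example.com": exact name only
      [ "$name" = "${rule#=}" ] ;;
    *\**|*\?*|*\[*)                       # contains a wildcard character
      zone=${rule#\*.}                    # "*.example.com" -> "example.com"
      case $zone in
        *\**|*\?*|*\[*)                   # still has wildcards: a real glob
          case $name in $rule) true ;; *) false ;; esac ;;
        *)                                # "*.example.com": zone, apex included
          case $name in "$zone"|*".$zone") true ;; *) false ;; esac ;;
      esac ;;
    *)                                    # "example.com": zone, apex included
      case $name in "$rule"|*".$rule") true ;; *) false ;; esac ;;
  esac
}

# blocking_rule NAME  (blocklist text on stdin)
# Prints the first rule that covers NAME and returns 0; returns 1 if none does.
blocking_rule() {
  name=$(normalize_name "$1")
  while IFS= read -r line || [ -n "$line" ]; do
    rule=${line%%#*}                                   # strip comments
    rule=${rule%%@*}                                   # strip "@time-range"
    rule=$(printf '%s' "$rule" | tr -d ' \t' | tr 'A-Z' 'a-z')
    [ -n "$rule" ] || continue
    if matches_pattern "$name" "$rule"; then
      printf '%s\n' "$rule"
      return 0
    fi
  done
  return 1
}

# Constructed sample list for the demo, not a real blocklist.
sample_blocklist() {
  cat <<'EOF'
# constructed sample
ads.*
=tracker.example.net
*.example.org
doubleclick.net
*analytics*
EOF
}

# Usage against the real file:  blocking_rule some.host.example < /etc/dnscrypt-proxy/blocklist.txt
sample_blocklist | blocking_rule cdn.doubleclick.net
```

Running the last line prints doubleclick.net: the zone rule matches the subdomain. A zone rule needs the dot boundary, so notdoubleclick.net is not covered by doubleclick.net, while the apex example.org is covered by *.example.org, which is the behaviour the proxy documents and the reason wildcard lists rarely need a separate apex entry.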
Pointing Your System at DNSCrypt-Proxy
Linux with systemd-resolved
Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=127.0.0.1
FallbackDNS=
DNSStubListener=no
sudo systemctl restart systemd-resolved
Two things to check afterwards. First, with the stub listener off, /etc/resolv.conf must not remain a symlink to /run/systemd/resolve/stub-resolv.conf, which names the now-dead 127.0.0.53; replace it with a static file containing nameserver 127.0.0.1 as in the next subsection. Second, DNS servers learned from DHCP are attached per link and are used for that link regardless of the global DNS= setting, so run resolvectl status and confirm that 127.0.0.1 is the only server listed. If that is hard to guarantee, disabling systemd-resolved entirely and using the static resolv.conf is the simpler setup.
Linux without systemd-resolved
Edit /etc/resolv.conf (make sure it is a regular file, not a symlink to a generated one):
nameserver 127.0.0.1
NetworkManager and DHCP clients rewrite this file whenever a link comes up, so the one-line setting above will not survive a reconnect on its own. A blunt way to prevent that:
sudo chattr +i /etc/resolv.conf
The immutable flag also stops you and every tool from editing the file until you run chattr -i. A cleaner option is to tell NetworkManager to leave it alone: add dns=none under [main] in /etc/NetworkManager/NetworkManager.conf and restart NetworkManager.
Windows
Set the DNS server to 127.0.0.1 in Network Adapter Settings > IPv4 Properties for every active adapter (Wi-Fi and Ethernet separately). If the adapter also has IPv6, set its DNS to ::1 and add '[::1]:53' to listen_addresses, otherwise IPv6 lookups fall through to the DHCP-assigned servers.
Starting and Enabling the Service
# Validate the configuration before starting
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -check
# systemd (distribution packages ship the unit; for the manual install, create one with
# sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -service install)
sudo systemctl enable dnscrypt-proxy
sudo systemctl start dnscrypt-proxy
sudo systemctl status dnscrypt-proxy
Binding port 53 needs root or CAP_NET_BIND_SERVICE; the installed unit takes care of that, which is why the proxy should run as a service rather than from a shell.
Verifying Encrypted DNS
Test that queries really go through the proxy:
# Ask the proxy to resolve a name and report which resolver handled it
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve example.com
# Confirm the proxy answers, then confirm the system resolver path ends at it
dig @127.0.0.1 example.com
dig example.com
The first dig only proves the proxy responds; the second, with no @, must show SERVER: 127.0.0.1#53 in its footer, otherwise the system is still using another resolver. Then visit dnsleaktest.com and run the extended test: only the egress addresses of your chosen resolver should appear, never your ISP's servers. (With Anonymized DNS the test still shows the resolver, not the relay, because it is the resolver that contacts the test's authoritative servers.)
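Leak-test sites only see what reaches them; a local check catches the application or tool that bypasses the proxy entirely (a browser with its own DoH, a script with a hard-coded 8.8.8.8, a VPN client). The function below is an added example, not from the page or the project: it reads the output of ss -tunap and reports every socket talking to a remote port 53 that is neither loopback nor owned by dnscrypt-proxy, which may legitimately reach DNSCrypt servers on port 53. The sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: spot processes sending plaintext DNS around the proxy (not project code).

# find_plaintext_dns  (ss -tunap output on stdin)
# Prints each socket whose peer port is 53, whose peer is not a loopback
# address, and whose owning process is not dnscrypt-proxy.
find_plaintext_dns() {
  awk '
    $1 == "Netid" { next }                 # skip the ss header line
    {
      peer = $6                            # "Peer Address:Port" column
      n = split(peer, parts, ":")
      port = parts[n]                      # last field is the port, also for [v6]:port
      host = substr(peer, 1, length(peer) - length(port) - 1)
      if (port != "53") next
      if (host ~ /^127\./ || host == "[::1]") next
      if ($7 ~ /"dnscrypt-proxy"/) next    # the proxy itself may use port 53 upstream
      print
    }'
}

# Constructed sample of `ss -tunap` output for the demo (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q      Local Address:Port        Peer Address:Port Process
udp   ESTAB  0      0      192.168.1.23:41922        192.168.1.1:53   users:(("firefox",pid=4210,fd=88))
udp   ESTAB  0      0         127.0.0.1:58344           127.0.0.1:53   users:(("curl",pid=4301,fd=5))
tcp   ESTAB  0      0      192.168.1.23:50210        9.9.9.9:8443     users:(("dnscrypt-proxy",pid=812,fd=11))
udp   ESTAB  0      0      192.168.1.23:39001        8.8.8.8:53       users:(("dnscrypt-proxy",pid=812,fd=14))
tcp   ESTAB  0      0   [2001:db8::23]:44012       [2001:db8::53]:53  users:(("python3",pid=4499,fd=3))
EOF
}

# Live usage (needs root to see other users' processes):  ss -tunap | find_plaintext_dns
sample_ss_output | find_plaintext_dns
```

On the sample this prints the firefox socket to the router and the python3 socket to the IPv6 server, and nothing for the proxy's own upstream connections. A snapshot misses short-lived UDP sockets, so complement it with a capture while you browse: sudo tcpdump -ni any 'port 53 and not host 127.0.0.1'. Any packet there belongs to something bypassing the proxy, unless one of your DNSCrypt servers listens on port 53.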
Checking Latency of Resolvers
There is no separate speed-test command. -list prints the names of the servers that pass your require_* filters and -list-all prints every server in the sources, in list order rather than by speed:
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -list
The latency measurement happens when the proxy starts: it probes every candidate server, logs each round-trip time and the server with the lowest initial latency, and then picks servers according to lb_strategy. Read those measurements from the service log:
journalctl -u dnscrypt-proxy | grep -Ei 'rtt|latency'
With lb_estimator = true the proxy keeps re-estimating latency while it runs, so the preferred server can change without a restart.
Final Thoughts
DNSCrypt-Proxy is a set-and-forget upgrade for one of the most fundamental yet overlooked parts of internet traffic. Once installed and pointed at resolvers you trust, it runs silently in the background, blocking unwanted names, forwarding only to DNSSEC-validating resolvers, and keeping your lookups away from anyone on the path. It does not hide them from the resolver itself, so choose the operator deliberately, use Anonymized DNS if you do not want to give it your IP, and verify with a leak test after every network change. Combine it with a VPN for layered protection, or use it standalone for a meaningful improvement over plain DNS.