Every time your browser loads a website, it first sends a DNS query — a plaintext request asking “what is the IP address for example.com?” Without encryption, this query is visible to your ISP, network administrator, and anyone between you and your DNS resolver. DNSCrypt-proxy solves this by encrypting DNS queries using the DNSCrypt protocol or DNS-over-HTTPS (DoH), running locally on your machine and acting as an intermediary between your system and a trusted upstream resolver.
DNSCrypt vs DoH vs DoT
| Protocol | Encryption | Port | Observation Resistance |
|---|---|---|---|
| DNSCrypt | Yes | 443 or 5443 | Strong — authenticates server |
| DNS-over-HTTPS (DoH) | Yes | 443 | Strong — looks like web traffic |
| DNS-over-TLS (DoT) | Yes | 853 | Moderate — identifiable port |
| Plain DNS | No | 53 | None |
DNSCrypt-proxy supports all three, but DNSCrypt is its namesake and primary strength. The DNSCrypt protocol uses elliptic-curve cryptography to authenticate the resolver, ensuring you are not talking to an impersonator — something DoH alone does not guarantee without certificate validation.
Downloading DNSCrypt-Proxy
DNSCrypt-proxy is released on GitHub. Navigate to:
https://github.com/DNSCrypt/dnscrypt-proxy/releases
Download the archive for your platform:
- Linux x86_64: `dnscrypt-proxy-linux_x86_64-*.tar.gz`
- Windows x64: `dnscrypt-proxy-win64-*.zip`
- macOS: `dnscrypt-proxy-macos_arm64-*.tar.gz` (Apple Silicon) or the `x86_64` variant
Extract the archive to a permanent location such as /opt/dnscrypt-proxy/ on Linux or C:\Program Files\dnscrypt-proxy\ on Windows.
Configuring dnscrypt-proxy.toml
The configuration file is dnscrypt-proxy.toml. Open it in a text editor. Key settings to configure:
Server Selection
```toml
server_names = ['cloudflare', 'nextdns', 'quad9-dnscrypt-ip4-filter-pri']
```
Leave this line commented out to let dnscrypt-proxy automatically select the fastest, most reliable servers from the public resolver list, or uncomment it and name servers explicitly as above. The public list is fetched from:
```toml
[sources]
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
```
The list is signed with a Minisign key — dnscrypt-proxy verifies the signature before trusting it.
Require DNSSEC and No-Logging
Filter the server list to only use resolvers with DNSSEC validation and no-logging policies:
```toml
require_dnssec = true
require_nolog = true
require_nofilter = false
```
Setting require_nolog = true ensures dnscrypt-proxy only connects to resolvers that publicly commit to not logging queries.
Anonymized Relays
Anonymized DNS relays are intermediary servers that forward your encrypted query to a resolver without the resolver learning your IP address. Configure them:
```toml
[anonymized_dns]
routes = [
    { server_name='cloudflare', via=['anon-cs-de', 'anon-cs-nl'] },
    { server_name='quad9-dnscrypt-ip4-filter-pri', via=['anon-quad9-1'] }
]
```
With this configuration, the relay sees your IP but not your query content. The resolver sees the query but not your IP. Neither has the full picture.
Listening Address
```toml
listen_addresses = ['127.0.0.1:53', '[::1]:53']
```
This binds dnscrypt-proxy to localhost port 53, where your system DNS will be redirected.
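The settings above (loopback-only listener, `require_dnssec`/`require_nolog`, a Minisign-signed source list, and a relay route for each selected server) are easy to get slightly wrong. As an added example that is not part of dnscrypt-proxy, this audit walks a parsed `dnscrypt-proxy.toml` (the dict that Python 3.11's `tomllib` produces) and reports which of this guide's recommendations it misses; the sample config is constructed here to mirror the snippets above.

```python
"""Audit a parsed dnscrypt-proxy.toml against the settings recommended above."""

LOOPBACK = ("127.0.0.1", "[::1]")

def audit(cfg: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Binding to anything but loopback turns the proxy into an open resolver for the LAN.
    for addr in cfg.get("listen_addresses", []):
        host = addr.rsplit(":", 1)[0]
        if host not in LOOPBACK:
            findings.append(f"listen_addresses: {addr} is not loopback")
    for key in ("require_dnssec", "require_nolog"):
        if cfg.get(key) is not True:
            findings.append(f"{key} is not true")
    # Without a minisign_key the downloaded resolver list is trusted unverified.
    for name, src in cfg.get("sources", {}).items():
        if not src.get("minisign_key"):
            findings.append(f"sources.{name}: no minisign_key")
    # A selected server with no relay route is contacted directly and sees the client IP.
    # ('*' is dnscrypt-proxy's wildcard route covering every server.)
    routed = {r["server_name"] for r in cfg.get("anonymized_dns", {}).get("routes", [])}
    for server in cfg.get("server_names", []):
        if server not in routed and "*" not in routed:
            findings.append(f"server {server} has no anonymized_dns route")
    if cfg.get("cache") is not True:
        findings.append("cache disabled")
    return findings

def load_and_audit(path: str) -> list:
    """Parse a real dnscrypt-proxy.toml (Python 3.11+) and audit it."""
    import tomllib
    with open(path, "rb") as f:
        return audit(tomllib.load(f))

# Constructed sample mirroring this guide's snippets, as tomllib would parse them.
SAMPLE = {
    "server_names": ["cloudflare", "nextdns", "quad9-dnscrypt-ip4-filter-pri"],
    "listen_addresses": ["127.0.0.1:53", "[::1]:53"],
    "require_dnssec": True, "require_nolog": True, "require_nofilter": False,
    "cache": True, "cache_size": 4096,
    "sources": {"public-resolvers": {"minisign_key": "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"}},
    "anonymized_dns": {"routes": [
        {"server_name": "cloudflare", "via": ["anon-cs-de", "anon-cs-nl"]},
        {"server_name": "quad9-dnscrypt-ip4-filter-pri", "via": ["anon-quad9-1"]},
    ]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["all checks passed"]:
        print(finding)  # the sample reports: server nextdns has no anonymized_dns route
```

Note that the sample flags `nextdns`: it is listed in `server_names` but has no relay route, so queries to it would go out directly.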
Installing as a System Service
Linux (systemd)
```bash
sudo cp /opt/dnscrypt-proxy/dnscrypt-proxy /usr/local/bin/
sudo dnscrypt-proxy -service install
sudo dnscrypt-proxy -service start
```
Check status:
```bash
sudo systemctl status dnscrypt-proxy
```
Windows
Open PowerShell as Administrator:
```powershell
.\dnscrypt-proxy.exe -service install
.\dnscrypt-proxy.exe -service start
```
The service will start automatically on boot.
Pointing System DNS to 127.0.0.1
Linux (NetworkManager)
Edit the connection in NetworkManager:
```bash
nmcli connection modify "Your Connection Name" ipv4.dns "127.0.0.1" ipv4.ignore-auto-dns yes
nmcli connection up "Your Connection Name"
```
Or edit /etc/resolv.conf directly (if not managed by NetworkManager):
```
nameserver 127.0.0.1
```
To prevent NetworkManager from overwriting this, create /etc/NetworkManager/conf.d/no-dns.conf:
```ini
[main]
dns=none
```
Windows
Go to Control Panel > Network and Sharing Center > Change adapter settings, right-click your adapter, select Properties, then Internet Protocol Version 4 (TCP/IPv4) and set DNS to 127.0.0.1.
Verifying Your Setup
DNS Leak Test
Visit dnsleaktest.com and run the Extended test. The resolvers shown should be the ones you configured in dnscrypt-proxy.toml, not your ISP’s DNS servers. If your ISP appears, your system DNS is not fully pointing to 127.0.0.1.
Command-Line Verification
```bash
dnscrypt-proxy -resolve example.com
```
This shows which resolver was used and the response time. You should see your configured resolver, not a raw ISP nameserver.
```bash
dig @127.0.0.1 dnssec-tools.org
```
Check for the `ad` flag (Authenticated Data) in the response header — this confirms DNSSEC validation is working. If the answer comes back without `ad`, the resolver answered but did not validate it.
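The `ad` flag lives in the 16-bit flags field of the DNS header, so the check can be scripted without `dig`. As an added example that is not part of dnscrypt-proxy, the code below builds a query with the EDNS0 DO bit (asking for DNSSEC data), decodes the response header the way `dig` prints `flags: qr rd ra ad`, and reports whether validation happened; the two sample responses are constructed inline so the parsing runs offline, while `query_resolver` talks to the local proxy at 127.0.0.1:53.

```python
"""Check a DNS response header for the AD (Authenticated Data) flag."""
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with RD set plus an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-RCODE/version 0, DO bit 0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_flags(response: bytes) -> dict:
    """Decode the header flags a resolver returns (bit layout from RFC 1035/4035)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F, "answers": an,
    }

def verify(query: bytes, response: bytes) -> str:
    f = parse_flags(response)
    if f["id"] != struct.unpack("!H", query[:2])[0]:
        return "transaction id mismatch (not our answer)"
    if not f["qr"]:
        return "not a response"
    if f["rcode"] != 0:
        return f"resolver returned rcode {f['rcode']}"
    return "DNSSEC validated" if f["ad"] else "answer returned but NOT validated (no ad flag)"

def query_resolver(name: str, server: str = "127.0.0.1", port: int = 53, timeout: float = 3.0) -> str:
    """Send the query to the local dnscrypt-proxy listener and report on the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return verify(q, resp)

# Constructed samples: only the 12-byte header is decoded, so the body is just the echoed question.
_BODY = build_query("dnssec-tools.org")[12:]
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + _BODY    # qr rd ra ad
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _BODY  # qr rd ra

if __name__ == "__main__":
    print(verify(build_query("dnssec-tools.org"), SAMPLE_VALIDATED))  # DNSSEC validated
    print(query_resolver("dnssec-tools.org"))  # live check against dnscrypt-proxy on 127.0.0.1:53
```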
Integration with Pi-hole
If you already use Pi-hole for ad-blocking, you can chain them:
```
Client → Pi-hole (port 53) → DNSCrypt-proxy (port 5335) → Encrypted upstream
```
Configure dnscrypt-proxy to listen on port 5335 instead of 53:
```toml
listen_addresses = ['127.0.0.1:5335']
```
Then in Pi-hole’s admin interface under Settings > DNS, set the custom upstream DNS to 127.0.0.1#5335. Pi-hole handles ad-blocking; dnscrypt-proxy handles encryption. Both benefits stack.
Performance Considerations
DNSCrypt-proxy includes a local cache:
```toml
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
```
Caching dramatically reduces latency for repeated queries. The initial cold query may take 50–150ms depending on relay distance, but cached responses return in under 1ms.
DNSCrypt-proxy is one of the most impactful privacy tools per unit of complexity. Installation takes under 20 minutes, and once configured, it operates silently in the background encrypting every DNS query your system makes — from every app, not just your browser.