
DNSCrypt-proxy on Ubuntu 16.04

DNS is the weak link of the Internet. Early versions of the DNS Security Extensions (DNSSEC) didn't scale with the growth of the Internet, and for most users DNS still doesn't offer any security for the "last mile" from the DNS Resolver, typically hosted at the Internet Service Provider, to the user's PC.

Network diagram showing that DNS offers no security for most users but can be secured with DNSCrypt

This is in stark contrast with HTTPS, which has encryption, authentication and data integrity from door to door. Because of the revelations of mass surveillance HTTPS usage has risen to 45%, but a visit to a website always starts with a DNS lookup.

One option to secure the "last mile" is DNSCrypt which offers encryption and authentication. In this post we go through the installation of the reference implementation of DNSCrypt called dnscrypt-proxy.

DNSCrypt and HTTPS are not enough to protect your privacy. Nation-state snooping reveals which IP addresses you visit and can easily correlate those with their domain names. On top of that, the SNI extension used by HTTPS sends the domain name in clear text before the connection is encrypted.

Update: DNSCrypt-Proxy version 2 has been released since this post was written. It isn't available as a package until Ubuntu 18.10, but it can be installed on Ubuntu 16.04 from a tarball.

Enable the Universe repository

dnscrypt-proxy is available in the Universe repository. If you haven't already enabled the repository, run these commands.

$ sudo add-apt-repository universe
$ sudo apt update

Install dnscrypt-proxy

Install the dnscrypt-proxy package and enable the service so that it will start again after a reboot.

$ sudo apt install dnscrypt-proxy
$ sudo systemctl enable dnscrypt-proxy

Set the DNS Resolver

Pick one from the list of public DNS Resolvers that support DNSCrypt. The list is also installed by the dnscrypt-proxy package as /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. You might want a resolver that is close to home to avoid high latency, and one that offers nice terms like no logging and no censorship.
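To shortlist resolvers from that file by the criteria above, here is a small added script (not part of the original post). It assumes the column names of the v1 dnscrypt-resolvers.csv layout, reproduced in its constructed sample rows, and it also checks that each entry carries the "2.dnscrypt-cert." provider name and a well-formed provider public key, because those two fields are what dnscrypt-proxy uses to authenticate the resolver's certificate.

```python
import csv
import io
import re

# Constructed sample rows in the layout of dnscrypt-resolvers.csv (column names
# assumed from the v1 list shipped with the package; 192.0.2.0/24 is a test net).
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
sample-dk,Sample DK,"Constructed entry, no logs, DNSSEC",Denmark,,https://example.invalid,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
sample-dk-logs,Sample DK logs,Keeps query logs,Denmark,,https://example.invalid,1,yes,no,no,192.0.2.11:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
sample-de,Sample DE,No DNSSEC validation,Germany,,https://example.invalid,1,no,yes,no,192.0.2.12:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
sample-dk-badkey,Sample DK bad key,Truncated provider key,Denmark,,https://example.invalid,1,yes,yes,no,192.0.2.13:443,2.dnscrypt-cert.example.invalid,0123:4567:89AB,
"""

# A v1 provider key is 32 bytes written as 16 colon-separated groups of hex.
KEY_RE = re.compile(r"^([0-9A-F]{4}:){15}[0-9A-F]{4}$")

def provider_entry_ok(row):
    """Check the fields dnscrypt-proxy uses to authenticate the resolver's certificate."""
    return (row["Provider name"].startswith("2.dnscrypt-cert.")
            and KEY_RE.match(row["Provider public key"].strip().upper()) is not None)

def candidate_resolvers(csv_text, location="", require_dnssec=True, require_no_logs=True):
    """Return the names of resolvers meeting the criteria, in file order."""
    names = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if require_no_logs and row["No logs"].strip().lower() != "yes":
            continue
        if require_dnssec and row["DNSSEC validation"].strip().lower() != "yes":
            continue
        if location.lower() not in row["Location"].lower():
            continue
        if not provider_entry_ok(row):  # the proxy could not verify such an entry
            continue
        names.append(row["Name"])
    return names

def from_package(path="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv", **criteria):
    """Apply the same filter to the list installed by the Ubuntu package."""
    with open(path, newline="", encoding="utf-8") as fh:
        return candidate_resolvers(fh.read(), **criteria)

if __name__ == "__main__":
    for name in candidate_resolvers(SAMPLE_CSV, location="Denmark"):
        print("DNSCRYPT_PROXY_RESOLVER_NAME=" + name)
```

On a real install, call from_package(location="Denmark") to filter the packaged list instead of the constructed sample.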

Edit the file /etc/default/dnscrypt-proxy

$ sudo vim /etc/default/dnscrypt-proxy

Press i to enter Insert mode and add the name of the DNS Resolver you picked (from the first column of the list) to the DNSCRYPT_PROXY_RESOLVER_NAME property.

# Remote DNS(Crypt) resolver.
# You can find a list of resolvers at
# /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
DNSCRYPT_PROXY_RESOLVER_NAME=dnscrypt.eu-dk

In the same file we see that dnscrypt-proxy is configured to listen on 127.0.2.1:53. We will leave that unchanged. Then press ESC to exit Insert mode and type :wq to write the file and quit.

Restart the dnscrypt-proxy service.

$ sudo systemctl restart dnscrypt-proxy

At this point dnscrypt-proxy should resolve all DNS requests sent to it at 127.0.2.1:53. You can test it with the dig command.

$ dig google.com @127.0.2.1 -p 53

We are not actually going to use dnscrypt-proxy directly. Instead we front it with the dnsmasq service to add a local cache.

Install dnsmasq

Install the dnsmasq package.

$ sudo apt install dnsmasq

We are going to configure dnsmasq to use dnscrypt-proxy as a DNS forwarder.

Edit the file /etc/default/dnsmasq.

$ sudo vim /etc/default/dnsmasq

Press i to enter Insert mode. Then uncomment the IGNORE_RESOLVCONF option.

# If the resolvconf package is installed, dnsmasq will use its output
# rather than the contents of /etc/resolv.conf to find upstream
# nameservers. Uncommenting this line inhibits this behaviour.
# Note that including a "resolv-file=" line in
# /etc/dnsmasq.conf is not enough to override resolvconf if it is
# installed: the line below must be uncommented.
IGNORE_RESOLVCONF=yes

Press ESC to exit Insert mode and type :wq to write the file and quit.

Then edit the file /etc/dnsmasq.conf.

$ sudo vim /etc/dnsmasq.conf

Press i to enter Insert mode and add this line to the file.

server=127.0.2.1

Press ESC to exit Insert mode and type :wq to write the file and quit.

Then restart the dnsmasq service.

$ sudo systemctl restart dnsmasq

dnsmasq listens on 127.0.0.1:53 by default and we are not going to change that. Any DNS request sent to this address is now forwarded to dnscrypt-proxy. You can test dnsmasq directly with dig.

$ dig google.com @127.0.0.1 -p 53

Set dnsmasq as systemwide DNS resolver

To make all applications use dnsmasq as the domain name resolver, open the network dropdown menu in the top right corner of the Ubuntu desktop. From the menu click "Edit connections...". Select the network connection you are using and click "Edit". Then open the tab named "IPv4 Settings".

Screenshot showing Ubuntu's network configuration for DNS set up to use dnscrypt-proxy

Under Method select "Automatic (DHCP) addresses only".

Under "DNS servers" enter "127.0.0.1".

Then click Save.

Restart the network from the desktop dropdown menu by disconnecting and then reconnecting. Now you should be up and running with dnscrypt-proxy.
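To verify the whole chain end to end, here is an added example (not from the original post) that builds a raw DNS A query, sends it first to dnscrypt-proxy on 127.0.2.1 and then twice to dnsmasq on 127.0.0.1, and parses the answers. Both listeners should return the same addresses, and the TTL in the repeated dnsmasq reply keeps counting down instead of resetting to the upstream value, which shows the local cache is in play. The parser is exercised offline against a constructed reply for example.com; the servers, ports and the example.com name are the only inputs assumed.

```python
import socket
import struct

QID = 0x1234  # fixed transaction id, checked again when the reply is parsed

def build_query(name):
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Return the offset just past a domain name; a compression pointer ends it.
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_answer(msg):
    """Return (rcode, [(ttl, ipv4), ...]) for the A records in the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != QID or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, records

def resolve(name, server, port=53, timeout=3.0):
    # Send the query over UDP to server:port and parse the reply.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        return parse_answer(sock.recvfrom(4096)[0])

# Constructed reply: example.com -> 192.0.2.1 (RFC 5737 test address), TTL 3600.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00"
                b"\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    for server in ("127.0.2.1", "127.0.0.1", "127.0.0.1"):
        print(server, resolve("example.com", server))
```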
