Install DNSCrypt-Proxy 2 on Ubuntu 16.04

DNSCrypt-Proxy version 2 implements the DNSCrypt v2, DNSCrypt v1 and DNS-over-HTTP/2 protocols that encrypt and authenticate DNS traffic between the DNS resolver and the user's PC. 

Version 2 has a long list of improvements over version 1. Among other version 2 will load-balance the DNS resolvers making it much more robust in the face of resolver failures. Another improvement that is felt right away is the built in cache. Because of it we no longer have to front DNSCrypt-Proxy with DNSMasq making the setup a lot simpler. Maintenance is also a breeze because the list of public resolvers is automatically downloaded on first use and regularly updated in the background.

You can check out the full list of changes here.

Get the Tarball

Version 2 is not available from the official Ubuntu package repositories prior to Ubuntu 18.10. Instead we opt to install DNSCrypt-Proxy from a tarball.

Head over to and grab the latest release. At the time of writing it is dnscrypt-proxy-linux_x86_64-2.0.23.tar.gz.

Install it

After downloading the file hit the terminal with ctrl+alt+t and unpack the file.

$ cd Downloads
$ tar xvzf dnscrypt-proxy-linux_x86_64-2.0.23.tar.gz

It's time to go root, move the files to /usr/local/dnscrypt-proxy and set root as owner.

$ sudo -s
$ mv linux-x86_64/ /usr/local/dnscrypt-proxy
$ chown root:root -R /usr/local/dnscrypt-proxy

Before we proceed any further lets make sure we don't have an old installation of DNSCrypt-Proxy version 1 and DNSMasq running (DNSMasq is not needed with DNSCrypt-Proxy version 2).

$ systemctl stop dnscrypt-proxy.service dnsmasq.service
$ apt purge dnscrypt-proxy dnsmasq

Test launch

Create a configuration file from example-dnscrypt-proxy.toml and do a test launch of DNSCrypt-Proxy version 2.

$ cd /usr/local/dnscrypt-proxy
$ cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml 
$ ./dnscrypt-proxy
[2019-05-31 16:46:36] [NOTICE] Source [] loaded
[2019-05-31 16:46:36] [NOTICE] dnscrypt-proxy 2.0.23
[2019-05-31 16:46:36] [NOTICE] Now listening to [UDP]
[2019-05-31 16:46:36] [NOTICE] Now listening to [TCP]
[2019-05-31 16:46:36] [NOTICE] Now listening to [::1]:53 [UDP]
[2019-05-31 16:46:36] [NOTICE] Now listening to [::1]:53 [TCP]
[2019-05-31 16:46:46] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [] using fallback resolver []
[2019-05-31 16:46:46] [NOTICE] [] OK (DoH) - rtt: 42ms
[2019-05-31 16:46:47] [NOTICE] [arvind-io] OK (DNSCrypt) - rtt: 319ms
[2019-05-31 16:46:47] [NOTICE] [bottlepost-dns-nl] OK (DNSCrypt) - rtt: 23ms
[2019-05-31 16:46:47] [NOTICE] [charis] OK (DNSCrypt) - rtt: 21ms
[2019-05-31 16:46:47] [NOTICE] [cloudflare] OK (DoH) - rtt: 11ms
[2019-05-31 16:46:47] [NOTICE] [cpunks-ru] OK (DNSCrypt) - rtt: 39ms
[2019-05-31 16:47:12] [NOTICE] dnscrypt-proxy is ready - live servers: 73

In its first run DNSCrypt-Proxy will download the list of public resolvers and store it under /usr/local/dnscrypt-proxy/ In this sample configuration it will load-balance DNS queries among a subset of the fastest resolvers.

We can test DNSCrypt-Proxy in a new terminal window ctrl+alt+t by sending a DNS query directly to on port 53 using the dig command (part of the dnsutils package).

$ sudo su - 
$ apt-get install dnsutils $ dig @ -p 53

Use DNSCrypt-Proxy systemwide

Applications in general use the glibc resolver API to lookup domain names. This API reads its nameserver configuration from /etc/resolv.conf. We need to configure it to use DNSCrypt-Proxy on

The resolv.conf file can be overwritten by a multitude of services. Rather than try to figure out what service(s) is trying to manage the file, we are going to edit the file and then lock the file for modification. But first we recreate it because it might be a link (on my system it was a link to /run/resolvconf/resolv.conf).

$ rm /etc/resolv.conf
$ vim /etc/resolv.conf

Press i to enter insert mode and then enter this content


Press ESC to exit insert mode and type ":wq" to write and quit.

Make the file readable and lock it for modification.

$ chmod a+r /etc/resolv.conf
$ chattr +i /etc/resolv.conf

Check that apps that use the resolver API, such as a web browser, still work. If everything is OK then stop the dnscrypt-crypt process we started manually by pressing ctrl+c in the terminal where we opened it. 

Managing DNSCrypt-Proxy with Systemd

Now setup DNSCrypt-Proxy as a Systemd managed service.

$ ./dnscrypt-proxy -service install
$ ./dnscrypt-proxy -service start

You can find the new Systemd unitfile for DNSCrypt-Proxy under /etc/systemd/system/dnscrypt-proxy.service.

Configure resolvers

If you want to use a particular set of resolvers, then open dnscrypt-proxy.toml, uncomment the server_names option and add the servers you want from the public resolver list.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

When you are done tinkering with the configuration, restart the DNSCrypt-Proxy service with systemctl.

$ systemctl restart dnscrypt-proxy.service