User Tools

Site Tools



DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic — The main objective of DNSCrypt is authentication of the communication channel between the client (you) and a resoolver supporting the protocol — This will protect the client from man in the middle attacks. In addition, encryption of DNS communication improves the client's privacy. DNSCrypt is the client-side version of dnscrypt-wrapper.

The dnscrypt-proxy client project is maintained by Frank Denis jedisct1

Installation on ar71xx platforms

The OpenWrt package for ar71xx is maintained by black-roland

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium

Add third-party source to your opkg configuration file /etc/opkg.conf according to your OpenWRT version:

Barrier Breaker:

src/gz exopenwrt

Attitude Adjustment:

src/gz exopenwrt


src/gz exopenwrt

And proceed with the installation itself:

$ opkg update
$ opkg install dnscrypt-proxy

Forum thread

Installation on x86 platforms

The OpenWrt package for x86 is maintained by damianorenfer

If not already done, install the CACert SSL certificates :

root@OpenWrt:~# mkdir -p /etc/ssl/certs/
root@OpenWrt:~# wget -P /etc/ssl/certs/

As DNSCrypt depends on libsodium, install it :

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem
root@OpenWrt:~# opkg install libsodium_0.4.5-1_x86.ipk
root@OpenWrt:~# rm -f libsodium*.ipk

Then get the dnscrypt-proxy package from GitHub :

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# curl -OL --cacert /etc/ssl/certs/cacert.pem
root@OpenWrt:~# opkg install dnscrypt-proxy_1.4.0-1_x86.ipk
root@OpenWrt:~# rm -f dnscrypt-proxy*.ipk

You can then follow the configuration section below. But default port is 5353 and NOT 2053! Change it in /etc/config/dnscrypt-proxy if needed.

Note : this is only for x86 systems, but if you have some OpenWrt knowledge you can compile the packages for your platform. Procedure briefly described at


DNSCrypt is listening on address and port: We need to set OpenWRT to send DNS request to that address.

Server configuration


The config file /etc/config/dnscrypt-proxy is simple and should be edited according to your needs. Possible values for the 'resolver' option are the first column in the list of public DNSCrypt resolvers.

config dnscrypt-proxy option address '' option port '2053' # option resolver 'opendns' # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'


Name Type Required Default Description
address string yes The IP address of the proxy server.
port string yes 2053 Listening port for DNS queries.
resolver string no opendns DNS service for resolving queries
resolvers_list string no /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv Location of CSV file containing list of resolvers

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Now we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start


Assuming you are using dnsmasq, edit the bold lines in /etc/config/dhcp

config dnsmasq option domainneeded 1 option boguspriv 1 option filterwin2k 0 option localise_queries 1 option rebind_protection 1 option rebind_localhost 1 option local '/lan/' option domain 'lan' option expandhosts 1 option nonegcache 0 option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' # option resolvfile '/tmp/' option noresolv 1 list server '' list server '/' # list server '' # list server ''
  • We have disabled /tmp/ file since it instruct dnsmasq to use your ISP's DNS.
  • noresolv option also disables /etc/resolv.conf file for similar reason.
  • is the DNSCrypt address.
  • / adds an exception for, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time, otherwise it will not resolve any domain, including So if your device's time was incorrect, it could never update its time, and therefore DNSCrypt would never work. So we set this exception so that queries will always bypass DNSCrypt and resolve with the standard unencrypted OpenDNS method.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.


sudo /etc/init.d/nscd restart


sudo /etc/init.d/networking restart


ipconfig /flushdns

Mac OS X

  • Mac OSX 10.4 (Tiger)
    • lookupd -flushcache
  • Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
    • dscacheutil -flushcache


How to check what features are supported by your resolver

  1. The DNS randomness test will show the actual IP of your DNS. You can check here if the IP is associated with the service you are using (put the IP in the search field).
  2. DNSSEC resolver test determines whether your DNS resolver validates DNSSEC signatures.
  3. If you can access DNSCrypt.bit, your resolver can resolve domain names using Namecoin.

How to check if your DNS queries are using dnscrypt

On the router:

pkill -STOP dnscrypt-proxy

DNS resolution should not work any more.

To restore service, unfreeze the client proxy:

pkill -CONT dnscrypt-proxy

How to check if dnscrypt-proxy is set up and running

The easy way is to look in the log.

  1. Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.
    • logread | grep -n "using nameserver"
    • 132:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver for domain
      133:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver
  2. Check that dnscrypt-proxy is working.
    • logread | grep "Proxying from"
    • Jul 1 12:00:00 openwrt dnscrypt-proxy[1831]: Proxying from to

Suspicious certificate received

A "suspicious" certificate can reported be reported:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -R -a [INFO] Generating a new key pair [INFO] Done [ERROR] Suspicious certificate received [ERROR] No useable certificates found [INFO] Refetching server certificates [ERROR] Suspicious certificate received [ERROR] No useable certificates found

Check the date and time on your router: this kind of behavior is usually caused by a system clock that hasn't been set properly.


inbox/dnscrypt.txt · Last modified: 2014/12/08 02:55 by chrysalis