How to Encrypt DNS with DNSCrypt Proxy 2 on Debian 10/Ubuntu 20.04 LTS

DNSCrypt encrypts your DNS traffic automatically, so the entire DNS query stays encrypted. In many countries with restricted internet access, the ISP blocks access to some websites, for example Facebook and YouTube; this can be avoided by using DNSCrypt.

Advantages of DNSCrypt
– Prevent DNS Hijacking
– Faster
– Cannot be MITM'd by the ISP
– Can use UDP and TCP for transport

Install Dependency

Install wget and tar, which are used to download and extract the release:

sudo apt install wget tar -y

Install and Configure DNSCrypt

Download the latest DNSCrypt Proxy release (2.0.44 in this example)

wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_x86_64-2.0.44.tar.gz


Extract DNSCrypt Proxy

sudo tar zxvf dnscrypt-proxy-linux_x86_64-2.0.44.tar.gz -C /opt/


Copy config file

sudo cp /opt/linux-x86_64/example-dnscrypt-proxy.toml /opt/linux-x86_64/dnscrypt-proxy.toml

Install DNSCrypt

sudo /opt/linux-x86_64/dnscrypt-proxy -service install

Enable DNSCrypt Proxy on boot

sudo systemctl enable dnscrypt-proxy

Start DNSCrypt Proxy

sudo systemctl start dnscrypt-proxy

To let other machines on the LAN use this DNSCrypt Proxy, add your computer's IP to listen_addresses in /opt/linux-x86_64/dnscrypt-proxy.toml. Change

listen_addresses = ['127.0.0.1:53']

to

listen_addresses = ['127.0.0.1:53', '192.168.1.2:53']

My LAN IP range is 192.168.1.0/24, and my home server has the static IP 192.168.1.2. To make this the default for all users, you can change your router's DNS to this IP, but remember that the computer must be running 24/7; otherwise no one will be able to connect to the internet, because the DNS server will be down.
For example, setting the default DNS on a Mikrotik router:
[Screenshot: setting DNSCrypt Proxy as the DNS server on Mikrotik]

Testing DNSCrypt Proxy

To make sure everything is working as expected, we need to test our DNSCrypt Proxy.

1. Without DNSCrypt

Run the following command to test DNS resolution using your computer's default DNS server.

sudo /opt/linux-x86_64/dnscrypt-proxy -resolve atetux.com


2. With DNSCrypt

First, change the system DNS to DNSCrypt Proxy

echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Test resolving the domain

sudo /opt/linux-x86_64/dnscrypt-proxy -resolve atetux.com
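A check to run after pointing /etc/resolv.conf at 127.0.0.1, added here as an example and not part of the original post: it reports any nameserver that would still receive unencrypted queries (for instance after a DHCP client rewrites the file) and flags listen_addresses entries that are not ip:port or that bind every interface. The function names and the audit.sh file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are arguments so the
# checks can also be run against copies of the files.

# Print nameservers in a resolv.conf-style file that are not loopback,
# i.e. resolvers that would receive unencrypted queries.
plaintext_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Print the active (uncommented) listen_addresses entries, one per line.
# Assumes the array is written on a single line, as in the example config.
listen_entries() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" |
        grep -oE "'[^']*'" | tr -d "'"
}

# Flag entries that are not ip:port, or that bind every interface and
# would expose the resolver beyond the intended LAN address.
risky_listen_entries() {
    listen_entries "$1" | while IFS= read -r entry; do
        if ! printf '%s\n' "$entry" |
            grep -Eq '^(\[[0-9A-Fa-f:]+\]|[0-9.]+):[0-9]+$'; then
            echo "$entry not-ip:port"
        elif printf '%s\n' "$entry" | grep -Eq '^(0\.0\.0\.0|\[::\]):'; then
            echo "$entry all-interfaces"
        fi
    done
}

# Return 0 only if resolv.conf is loopback-only and the config is clean.
audit_dns() {
    rc=0
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]' "$1"; then
        echo "FAIL: no nameserver line in $1"; rc=1
    fi
    for ns in $(plaintext_nameservers "$1"); do
        echo "FAIL: $1 still sends queries to $ns"; rc=1
    done
    risky=$(risky_listen_entries "$2")
    [ -z "$risky" ] || { echo "FAIL: listen_addresses: $risky"; rc=1; }
    return $rc
}

# Run as: sh audit.sh /etc/resolv.conf /opt/linux-x86_64/dnscrypt-proxy.toml
if [ $# -eq 2 ]; then audit_dns "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; the FAIL lines name the nameserver or listen entry responsible.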


4 thoughts on “How to Encrypt DNS with DNSCrypt Proxy 2 on Debian 10/Ubuntu 20.04 LTS”

      • nah it actually works, but I need to run “echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf” command every time I plug the tethering cable.

        • if you want that to be permanent, after running the echo command above set

          sudo chattr +i /etc/resolv.conf

          so no one can change these values; to reset the setting

          sudo chattr -i /etc/resolv.conf

          another solution is to set it on the router which is responsible for the DHCP server
