Very much superseded by DNS over TLS and DNS over HTTPS. This post is left here for posterity only.

Please note this is a rough guide and is probably not the most elegant solution.

DNS, the Domain Name System, is the protocol computers use to translate human-readable hostnames into the IP addresses that computers actually work with.

For example, if you run a ping against http://www.google.com, the computer first contacts a DNS resolver to obtain the IP address for http://www.google.com and then pings the IP address that the resolver returns:

Pinging http://www.google.com [] with 32 bytes of data:
Reply from bytes=32 time=8ms TTL=6

DNS queries and responses between a client and a DNS resolver are sent in plain text, which exposes the protocol to snooping and even DNS hijacking, where a device in the network path between the client and the resolver fakes DNS responses to send the client somewhere else. DNS hijacking is used legitimately in scenarios such as logons to Wi-Fi hotspots, but it can also be used by malicious third parties to redirect clients to websites serving malware, viruses and suchlike.

DNSCrypt is a program that encrypts communications between a DNS client and a DNS resolver to eliminate these problems.

The application is available for multiple platforms including Windows, Linux and even routers. To work, the upstream DNS resolver must support DNSCrypt; examples of such resolvers can be found at DNSCrypt.eu and OpenDNS.

This article will focus on installing DNSCrypt-proxy on an Ubuntu 16.04 LTS virtual machine.

Add the DNSCrypt-Proxy repository (PPA) to Ubuntu and install DNSCrypt-Proxy:

sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy

At this point you need to make sure the server has a static IP address and that its DNS settings point at the primary IP address of the NIC. This will break DNS, and the server will not be able to reach the Internet until DNSCrypt is operational.

To set a static IP address, edit the interfaces file in /etc/network/:

sudo nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface

auto lo
iface lo inet loopback

# The primary network interface
auto ens160
iface ens160 inet static
        # dns-* options are implemented by the resolvconf package, if installed

You will now need to restart the networking service or reboot the Ubuntu box for the changes to take effect:

sudo service networking restart

Edit the .socket file associated with DNSCrypt-proxy:

sudo nano /lib/systemd/system/dnscrypt-proxy.socket

Update the ListenStream and ListenDatagram entries, which by default use a loopback address (127.x.x.x), so that the IP address and port reflect the address of the NIC on your Ubuntu 16.04 server. In my case, this is

Once the .socket file has been updated, reload systemd so it picks up the change:

sudo systemctl daemon-reload

The dnscrypt-proxy configuration file can now be updated to choose which Internet DNSCrypt resolver to use:

sudo nano /etc/default/dnscrypt-proxy

The resolver of choice is set at the end of the DNSCRYPT_PROXY_RESOLVER_NAME1 line. In this configuration file, dnscrypt.eu-dk is the upstream resolver.

# What local IP the daemon will listen to, with an optional port.
# The default port is 53. If using systemd, this is not used and must be
# specified in dnscrypt-proxy.socket.

# Remote DNS(Crypt) resolver.
# You can find a list of resolvers at
# /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv.

# Extra flags to pass to dnscrypt-proxy

Now restart the DNSCrypt-Proxy service, or start it if it isn’t running:

sudo service dnscrypt-proxy stop
sudo service dnscrypt-proxy start
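To make the .socket edit above less error-prone, here is an added example (not from the original post) that rewrites the ListenStream/ListenDatagram lines of a systemd socket unit to a chosen NIC address and refuses loopback or malformed addresses before you run daemon-reload. The unit text and the 192.0.2.10 address are constructed samples; the real file is /lib/systemd/system/dnscrypt-proxy.socket as the post states.

```shell
#!/bin/sh
# Added example (not from the original post): move dnscrypt-proxy's systemd
# socket from loopback to the NIC address and sanity-check the result.

# Print the unit text ($1) with every ListenStream=/ListenDatagram= value
# replaced by $2 (ip:port). Other lines are passed through unchanged.
rewrite_listen() {
    printf '%s\n' "$1" | sed -E "s/^(ListenStream|ListenDatagram)=.*/\1=$2/"
}

# Return 0 if $1 is a dotted-quad IPv4 address outside 127.0.0.0/8,
# i.e. something clients on the network can actually reach.
is_non_loopback_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in 127.*) return 1 ;; esac
    return 0
}

# Print the distinct ip:port values a unit listens on (to confirm the rewrite).
listen_addrs() {
    printf '%s\n' "$1" | sed -nE 's/^(ListenStream|ListenDatagram)=//p' | sort -u
}

# Constructed sample of a dnscrypt-proxy.socket unit; the real one lives in
# /lib/systemd/system/dnscrypt-proxy.socket.
SAMPLE_UNIT='[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53

[Install]
WantedBy=sockets.target'

NEW_ADDR=192.0.2.10   # constructed LAN address; substitute your NIC address
if is_non_loopback_ipv4 "$NEW_ADDR"; then
    rewrite_listen "$SAMPLE_UNIT" "$NEW_ADDR:53"
else
    echo "refusing to use $NEW_ADDR: not a routable IPv4 address" >&2
fi
```

Once the daemon listens on the NIC address, every host that can reach that interface can send it queries, so pair this with a firewall rule that limits UDP and TCP port 53 to your own subnet.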

You should now be able to point a client at your Ubuntu server and resolve names securely.

Bear in mind that DNSCrypt-Proxy is not a caching DNS server: every DNS request made by your client devices is forwarded to the upstream resolver. You can optimise this by putting a caching DNS server (such as dnsmasq or unbound) between the clients and DNSCrypt, but that is beyond the scope of this document.
