
@yordanoweb
Last active January 13, 2025 19:53
DNS-Crypt in ArchLinux

Use DNSCrypt-Proxy to secure name resolution

Install related packages

pacman -S dnscrypt-proxy

Force the system to use dnscrypt-proxy

In /etc/systemd/resolved.conf (under the [Resolve] section), set the DNS= option to the address dnscrypt-proxy will listen on:

DNS=127.0.0.127

This setting is normally empty. Afterwards, restart the local resolver service:

sudo systemctl restart systemd-resolved.service

These are the only settings I changed in my dnscrypt-proxy.toml:

Pay special attention to the line listen_addresses = ['127.0.0.127:53']. Binding dnscrypt-proxy to this address keeps it from interfering with the system's local resolver (systemd-resolved), which is pointed at the same address by the DNS= setting above.

##################################
#         Global settings        #
##################################

## List of servers to use
server_names = ['altername', 'ams-dnscrypt-nl', 'adfilter-adl', 'adfilter-per', 'scaleway-fr', 'google', 'yandex', 'cloudflare']
# server_names = ['google', 'yandex', 'cloudflare']

listen_addresses = ['127.0.0.127:53']

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
# Use servers implementing the Oblivious DoH protocol
odoh_servers = false

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []

## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.
force_tcp = false

## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
# proxy = 'socks5://127.0.0.1:9050'

## HTTP/HTTPS proxy
## Only for DoH servers
# http_proxy = 'http://127.0.0.1:8888'

## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.
timeout = 5000

## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds
keepalive = 30

bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']

## Always use the bootstrap resolver before the system DNS settings.
ignore_system_dns = true

netprobe_timeout = 60
netprobe_address = '9.9.9.9:53'

block_ipv6 = false

###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic
cache = true

## Cache size
cache_size = 4096

## Minimum TTL for cached entries
cache_min_ttl = 2400

## Maximum TTL for cached entries
cache_max_ttl = 86400

## Minimum TTL for negatively cached entries
cache_neg_min_ttl = 60

## Maximum TTL for negatively cached entries
cache_neg_max_ttl = 600

After editing the TOML, restart the service:

sudo systemctl restart dnscrypt-proxy.service
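The two edits above only work together if the DNS= address in resolved.conf is the address dnscrypt-proxy binds in listen_addresses. The script below is an added check, not part of the gist: it parses both files and reports whether they agree, and the optional live_checks function probes the running machine. The live checks assume ss and resolvectl are available (standard on Arch) and use example.com as a test name; the two files written by demo are constructed here to mirror the gist's edits, not real system files.

```shell
#!/usr/bin/env bash
# Added verification script (not part of the gist). It cross-checks that the
# DNS= address systemd-resolved forwards to is the address dnscrypt-proxy
# binds in listen_addresses, and can optionally probe the running system.
set -u

# Host part (without port) of the first listen_addresses entry, e.g.
#   listen_addresses = ['127.0.0.127:53']  ->  127.0.0.127
# Commented-out lines are skipped because the pattern is anchored at column 0.
toml_listen_host() {
    local toml="$1"
    sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*\[[[:space:]]*'\([^']*\)'.*/\1/p" "$toml" \
        | head -n 1 | sed 's/:[0-9]*$//'
}

# First address of the active DNS= line in the [Resolve] section. The stock
# file ships '#DNS=' (commented out), which correctly yields nothing here.
resolved_dns() {
    local conf="$1"
    awk '
        /^\[/ { in_resolve = ($0 == "[Resolve]") }
        in_resolve && /^[[:space:]]*DNS[[:space:]]*=/ {
            sub(/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*/, "")
            split($0, v, /[[:space:]]+/)
            print v[1]
            exit
        }
    ' "$conf"
}

# 0 = consistent, 1 = the two files disagree, 2 = a value could not be read.
check_consistent() {
    local toml="$1" conf="$2" listen dns
    listen="$(toml_listen_host "$toml")"
    dns="$(resolved_dns "$conf")"
    if [ -z "$listen" ] || [ -z "$dns" ]; then
        echo "could not read listen_addresses or an active DNS= line" >&2
        return 2
    fi
    if [ "$listen" = "$dns" ]; then
        echo "ok: systemd-resolved forwards to $dns, which dnscrypt-proxy binds"
        return 0
    fi
    echo "mismatch: systemd-resolved forwards to $dns, dnscrypt-proxy binds $listen" >&2
    return 1
}

# Live checks for the configured machine (assumes ss and resolvectl, both
# standard on Arch). Not run by default; call: live_checks 127.0.0.127
live_checks() {
    local host="$1"
    ss -lun | grep -q "${host}:53" \
        || { echo "nothing listening on ${host}:53; is dnscrypt-proxy.service running?" >&2; return 1; }
    resolvectl status | grep -q "$host" \
        || echo "warning: resolvectl status does not list $host as a DNS server" >&2
    resolvectl query example.com >/dev/null && echo "ok: lookups resolve through $host"
}

# Constructed sample files mirroring the gist's two edits (not real system files).
demo() {
    local dir rc
    dir="$(mktemp -d)"
    printf "listen_addresses = ['127.0.0.127:53']\nserver_names = ['cloudflare']\n" > "$dir/dnscrypt-proxy.toml"
    printf "[Resolve]\n#DNS=\nDNS=127.0.0.127\n" > "$dir/resolved.conf"
    if check_consistent "$dir/dnscrypt-proxy.toml" "$dir/resolved.conf"; then rc=0; else rc=$?; fi
    rm -rf "$dir"
    return "$rc"
}

demo
```

Run it against the real files with check_consistent /etc/dnscrypt-proxy/dnscrypt-proxy.toml /etc/systemd/resolved.conf, then live_checks 127.0.0.127 after both services have been restarted; a non-zero exit from the first call means one of the two edits did not take effect.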