DNSCrypt – Improve your privacy

DNS is one of the old-timers that keep the internet working. Back when it was designed, privacy wasn’t much of an issue. Nowadays DNS can leak critical information about a user’s activity. Even tools that should protect the user’s privacy (e.g. VPNs, Tor, …) can leak DNS queries if not configured correctly. The IETF is currently working on a draft for DNS over Datagram TLS, but if you want to take back your privacy right now, DNSCrypt is at your service.


DNSCrypt is a protocol that protects DNS traffic between the client and the resolver. The resolver then uses normal DNS or alternative ways to resolve the request for the client. It doesn’t provide end-to-end protection, but it can prevent passive and active attacks on the client (e.g. eavesdropping, spoofing, tampering, …).

But the implementation of DNSCrypt has many features. Some are built in and some are based on plugins, like the logging and blacklist plugins. The functionality of DNSCrypt can easily be extended by writing your own plugin.


As base installation we use a vanilla Debian 9, and our goal is to install DNSCrypt. We also want to use some of its cool features. To get started, we first need to install the software with the command:

1. Installation

sudo apt install dnscrypt-proxy

2. Configuration

The most important settings are the IP and port to listen on and which resolver to use. There are some resolvers preinstalled with the package, but you can also run your own if you want. The following configuration uses the blacklist ipv6 plugins and the query logging plugin.

sudo vim /etc/dnscrypt-proxy/dnscrypt-proxy.conf

3. Integration

Now we need to change our system to use the resolver. Therefore we set the nameserver to and start and enable DNSCrypt via systemd. Make sure to use the socket unit and not the service.

echo 'nameserver' | sudo tee /etc/resolv.conf

sudo systemctl enable dnscrypt-proxy.socket

sudo systemctl start dnscrypt-proxy.socket

Verification of the installation

Here we test if DNS still works with this domain.

[Figure: Test with dig]

The test was successful, but are we really using DNSCrypt? This can be verified by looking at what is really going over the wire with Wireshark.

[Figure: QUIC and DNS Wireshark]

We see only QUIC traffic, so DNSCrypt is working.
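The Wireshark check can be complemented by a scriptable leak check. The following is an added example, not part of the original post: it flags non-loopback entries in resolv.conf and counts plaintext port-53 packets in `tcpdump -nn` output. It assumes dnscrypt-proxy listens on a loopback address; the function names and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: dnscrypt-proxy
# listens on a loopback address, so any other resolver or port-53 peer is a leak.

# Print every nameserver from resolv.conf-style stdin that is NOT loopback.
non_loopback_resolvers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' |
    while read -r addr; do
        case "$addr" in
            127.*|::1) ;;                      # stays on this host
            *) printf '%s\n' "$addr" ;;        # bypasses the local proxy
        esac
    done
}

# Count packets in `tcpdump -nn` text output (stdin) that use port 53 and
# have no loopback endpoint, i.e. plaintext DNS leaving the host.
count_plain_dns() {
    awk '
    {
        for (i = 1; i + 3 <= NF; i++) {
            if (($i == "IP" || $i == "IP6") && $(i + 2) == ">") {
                src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
                if ((src ~ /\.53$/ || dst ~ /\.53$/) &&
                    src !~ /^(127\.|::1\.)/ && dst !~ /^(127\.|::1\.)/) n++
                break
            }
        }
    }
    END { print n + 0 }'
}

# Constructed sample capture: one local query to the proxy, one encrypted
# packet to a resolver on UDP/443, and one leaked plaintext query.
SAMPLE_CAPTURE='12:00:01.000001 IP 127.0.0.1.40112 > 127.0.0.1.53: 4660+ A? example.org. (29)
12:00:01.000420 IP 192.0.2.10.51820 > 203.0.113.7.443: UDP, length 512
12:00:02.130000 IP 192.0.2.10.39001 > 198.51.100.53.53: 4661+ A? example.org. (29)'

# Live use (needs root):
#   non_loopback_resolvers < /etc/resolv.conf
#   sudo tcpdump -nn -l -c 200 -i any 'port 53' | count_plain_dns
```

A healthy setup prints nothing from the first function and 0 from the second; any other result means some queries still bypass the local proxy.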

This tutorial showed how to install and configure DNSCrypt. Stay tuned for more privacy-related posts :).