Debian 8 - DNSCrypt

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.

  1. Install libsodium
    • apt-get install libsodium-dev
  2. Download the latest version of DNSCrypt.
  3. Extract.

  4. ./configure

  5. make

  6. make install

  7. Edit /etc/resolv.conf so that it contains only nameserver 127.0.0.1. All queries sent to localhost are then forwarded through DNSCrypt.

  8. Find a provider you’d like to use from this list: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv.

  9. Create a systemd service file. Change the --resolver-name option to the name of the provider you have chosen. It’s best if you choose one near you so the response time is still good.
    • /etc/systemd/system/dnscrypt.service
```
[Unit]
Description=dnscrypt daemon
After=network.target

[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy --resolver-name=cisco
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target
```

  10. Enable and start it.
    • systemctl enable dnscrypt.service
    • systemctl start dnscrypt.service

Service status after starting:

```
● dnscrypt.service - dnscrypt daemon
   Loaded: loaded (/etc/systemd/system/dnscrypt.service; disabled)
   Active: active (running) since Fri 2016-12-09 02:51:55 UTC; 2s ago
  Process: 23833 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 23836 (dnscrypt-proxy)
   CGroup: /system.slice/dnscrypt.service
           └─23836 /usr/local/sbin/dnscrypt-proxy --resolver-name=cs-ussouth

Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] - [cs-ussouth] does not support DNS Security Extensions
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] + Provider supposedly doesn't keep logs
Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Generating a new session key pair
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Done
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server certificate with serial '0001' received
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] This certificate is valid
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Dec 09 02:51:55 dnscrypt-proxy[23836]: [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
Dec 09 02:51:55 dnscrypt-proxy[23836]: [NOTICE] Proxying from 127.0.0.1:53 to 70.32.38.67:443
```

The proxy listening on 127.0.0.1:53:

```
udp 0 0 127.0.0.1:53 0.0.0.0:* 23836/dnscrypt-prox
```
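
To confirm that step 7 took effect, the following added example (not part of the original guide) checks that every nameserver in a resolv.conf-style file is the address dnscrypt-proxy reports in its "Proxying from" log line. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the system resolver
# configuration sends queries only to the local dnscrypt-proxy listener.

# Print every nameserver address in a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Read dnscrypt-proxy log text on stdin and print the local listen address
# (host:port) from its "Proxying from A to B" notice.
proxy_listen_addr() {
    sed -n 's/.*Proxying from \([^ ]*\) to .*/\1/p' | tail -n 1
}

# check_dns_path RESOLV_CONF LISTEN_ADDR
# Return 0 only if the file names at least one nameserver and every one is the
# proxy's listen host on port 53. Assumes an IPv4 host:port as in the page's log.
check_dns_path() {
    conf=$1
    host=${2%:*}
    port=${2##*:}
    if [ "$port" != "53" ]; then
        echo "proxy listens on port $port; resolv.conf can only reach port 53"
        return 1
    fi
    servers=$(list_nameservers "$conf")
    if [ -z "$servers" ]; then
        echo "no nameserver line in $conf"
        return 1
    fi
    rc=0
    for s in $servers; do
        if [ "$s" != "$host" ]; then
            echo "bypass: nameserver $s is not the DNSCrypt proxy ($host)"
            rc=1
        fi
    done
    return $rc
}

# Dry run on constructed sample data: one log line in the format shown above
# and a resolv.conf that still carries a second, non-local resolver.
sample_conf=$(mktemp)
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$sample_conf"
addr=$(echo '[NOTICE] Proxying from 127.0.0.1:53 to 70.32.38.67:443' | proxy_listen_addr)
check_dns_path "$sample_conf" "$addr" || echo "result: fix $sample_conf"
rm -f "$sample_conf"
```

On the real host, run `check_dns_path /etc/resolv.conf "$(journalctl -u dnscrypt.service | proxy_listen_addr)"`; a non-zero exit means some queries can leave the machine without passing through DNSCrypt.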
