User Tools

Site Tools



DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic — The main objective of DNSCrypt is authentication of the communication channel between the client (you) and a resolver supporting the protocol — This will protect the client from man in the middle attacks. In addition, encryption of DNS communication improves the client's privacy. DNSCrypt is the client-side version of dnscrypt-wrapper.

DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven't been tampered with.

This is not a VPN. It doesn't mask your IP address, and if you are using it with a public DNS service, be aware that it will (and has to) decrypt your queries.

If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN “leaks”, this isn't the right tool either: the proper way to prevent VPN “leaks” is to avoid sending data to yet another third party: use a VPN service that operates its own DNS resolvers.


dnscrypt-proxy and libsodium are in the official repository for Chaos Calmer 15.05 and up.

opkg update
opkg install dnscrypt-proxy
  • If installed skip to configuration.
  • If somehow you can't install it that way, proceed with the following instructions.

In addition, you can install the luci-app-dnscrypt-proxy package, which provides the ability to configure dnscrypt-proxy via the LuCi web interface.

Custom build for ar71xx from black-roland

The OpenWrt package for ar71xx is maintained by black-roland.

Differences with OpenWrt packages:

Package Difference
dnscrypt-proxy Newest version for Chaos Calmer (with ephemeral keys support). Barrier Breaker support. Procd support and possibility of launching multiple instances.
libsodium Newest version for Chaos Calmer. Barrier Breaker support.

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium

Add third-party source to your opkg configuration file /etc/opkg.conf according to your OpenWrt version.


Already have newest dnscrypt-proxy version with possibility of launching multiple instances.

opkg update
opkg install dnscrypt-proxy

Chaos Calmer:

cd /tmp
wget ''
opkg-key add
echo '/etc/opkg/keys/1a929a1dd62138c1' >> /etc/sysupgrade.conf
echo 'src/gz exopenwrt' >> /etc/opkg.conf

Barrier Breaker:

echo 'src/gz exopenwrt' >> /etc/opkg.conf

And proceed with the installation itself:

opkg update
opkg install dnscrypt-proxy

Forum thread


DNSCrypt is listening on address and port: We need to set OpenWrt to send DNS request to that address.

Server configuration


The config file /etc/config/dnscrypt-proxy is simple and should be edited according to your needs. Possible values for the 'resolver' option are the first column in the list of public DNSCrypt resolvers.

config dnscrypt-proxy option address '' option port '5353' # option resolver 'cisco' # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' # option ephemeral_keys '1'


Name Type Required Default Description
address string yes The IP address of the proxy server.
port string yes 5353 Listening port for DNS queries.
resolver string no cisco DNS service for resolving queries. You can't add more than one resolver.
resolvers_list string no /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv Location of CSV file containing list of resolvers. When you use a custom DNSCrypt server and you later get problems when executing DNSCrypt, have a look in the resolver list (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv) and make sure the resolver you chose is listed there. If not you may need to manually add it or just update the resolver list with the official one. Make sure to verify the integrity of the file before overwriting the local list!
ephemeral_keys boolean no 0 Improve privacy by using an ephemeral public key for each query. Note that you cannot yet use it with current (Chaos Calmer) version of OpenWrt as the dnscrypt-proxy package is outdated and uses a version of DNSCrypt, which does not support ephemeral keys. Ephemeral keys option requires extra CPU cycles (especially on non-x86 platforms) and can cause huge system load. Disable it in case of performance problems. Also this option is useless with most DNSCrypt servers (all the servers using short TTLs for the certificates, which is done by default in the Docker image).

These options are only supported by Trunk:

Name Type Required Default Description
client_key string no none Use a client public key for identification. By default, the client uses a randomized key pair in order to make tracking more difficult. This option does the opposite and uses a static key pair, so that DNS providers can offer premium services to queries signed with a known set of public keys. A client cannot decrypt the received responses without also knowing the secret key. The value of this property is the path to a file containing the secret key. The corresponding public key is computed automatically
syslog boolean no 1 Send logs to the syslog daemon
syslog_prefix string no dnscrypt-proxy Log entries can optionally be prefixed with a string

These options are not supported (at this moment), because DNSCrypt compiled without plugins support:

Name Type Required Default Description
query_log_file string no none Log the received DNS queries to a file, so you can watch in real-time what is happening on the network. The value for this parameter is a full path to the log file. The file name can be prefixed with ltsv: in order to store logs using the LTSV format (ex: ltsv:/tmp/dns-queries.log)
local_cache boolean no 0 Enable cache may speed up dnscrypt-proxy
block_ipv6 boolean no 0 Disable IPv6 may also speed up dnscrypt-proxy
list blacklist string no none Blacklists allow you to block domains, ip, … The value of this property is the blocklist type and path to file (ex: domains:/path/to/domains-blacklist-file.txt or ips:/path/to/ips-blacklist-file.txt). You can specify several blocklists by adding several list blacklist options.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Note: I've had a little bit of confusion at setup, so I want to remind you; address and port strings are for local proxy server, you just have to pick a DNSCrypt server from the resolvers list, put its name in resolver string and comment out resolvers and resolvers list settings.

Now we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Note: If dnscrypt-proxy is not starting after a router reboot, it may be trying to start before the network interface is fully up. Add the following to /etc/rc.local, above the line “exit 0”:

sleep 10
/etc/init.d/dnscrypt-proxy start


Assuming you are using dnsmasq, edit the bold lines in /etc/config/dhcp

config dnsmasq option domainneeded 1 option boguspriv 1 option filterwin2k 0 option localise_queries 1 option rebind_protection 1 option rebind_localhost 1 option local '/lan/' option domain 'lan' option expandhosts 1 option nonegcache 0 option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' # option resolvfile '/tmp/' option noresolv 1 list server '' list server '/' # list server '' # list server ''
  • We have disabled /tmp/ file since it instructs dnsmasq to use your ISP's DNS.
  • noresolv option also disables /etc/resolv.conf file for similar reason.
  • is the DNSCrypt address.
  • / adds an exception for, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires precise time, otherwise it will not resolve any domain, including So if your device's time was incorrect, it could never update its time, and therefore DNSCrypt would never work. So we set this exception so that queries will always bypass DNSCrypt and resolve with the standard unencrypted OpenDNS method.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart

Multiple DNSCrypt instances

This option is not available in Chaos Calmer and earlier

Multiple DNSCrypt instances are helpful to provide dnsmasq with a fallback nameserver without losing the privacy benefits of DNSCrypt (source).

Add more resolver entries to your /etc/config/dnscrypt-proxy configuration (note that each resolver must be on a different port):

config dnscrypt-proxy ns1 option address '' option port '5353' option resolver 'cisco' # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' # option ephemeral_keys '0' config dnscrypt-proxy ns2 option address '' option port '5454' option resolver 'd0wn-random-ns1' # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' # option ephemeral_keys '0'

Create /etc/resolv-crypt.conf with a single line options timeout:1. This will reduce dnsmasq's upstream timeout to 1 second, so resolution will be more responsive if your primary nameserver is down.

In your config dnsmasq section of your /​etc/​config/​dhcp, remove the line option noresolv 1 and add option resolvfile '/etc/resolv-crypt.conf' along with any other resolvers you created in step 1:

option resolvfile '/etc/resolv-crypt.conf' list server '' list server '' list server '/'

Reboot router or restart dnscrypt-proxy and dnsmasq for the changes to take effect.

/etc/init.d/dnscrypt-proxy restart
/etc/init.d/dnsmasq restart

Client configuration

Note: you may need admin privileges to run the commands below.


sudo /etc/init.d/nscd restart


sudo /etc/init.d/networking restart


ipconfig /flushdns

Mac OS X

  • Mac OSX 10.4 (Tiger)
    • lookupd -flushcache
  • Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
    • dscacheutil -flushcache


How to check what features are supported by your resolver

  1. The DNS leak test or DNS randomness test will show the actual IP of your DNS. You can check here if the IP is associated with the service you are using (put the IP in the search field).
  2. DNSSEC resolver test determines whether your DNS resolver validates DNSSEC signatures.
  3. If you can access DNSCrypt.bit, your resolver can resolve domain names using Namecoin.

How to check if your DNS queries are using dnscrypt

On the router:

pkill -STOP dnscrypt-proxy

DNS resolution should not work any more.

To restore service, unfreeze the client proxy:

pkill -CONT dnscrypt-proxy

How to check if dnscrypt-proxy is set up and running

The easy way is to look at the log.

  1. Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.
    • logread | grep -n "using nameserver"
    • 132:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver for domain
      133:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver
  2. Check that dnscrypt-proxy is working.
    • logread | grep "Proxying from"
    • Jul 1 12:00:00 openwrt dnscrypt-proxy[1831]: Proxying from to

If you have problems, check port conflict (for example, between the mDNS ZeroConf Daemon (avahi) and the default port for dnscrypt-proxy).

Suspicious certificate received

A “suspicious” certificate can be reported:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -R -a [INFO] Generating a new key pair [INFO] Done [ERROR] Suspicious certificate received [ERROR] No useable certificates found [INFO] Refetching server certificates [ERROR] Suspicious certificate received [ERROR] No useable certificates found

Check the date and time on your router: this kind of behavior is usually caused by a system clock that hasn't been set properly.

docs/guide-user/services/dns/dnscrypt.txt · Last modified: 2019/02/22 16:02 by brianpow