How to Encrypt DNS with `dnscrypt-proxy` on Arch Linux

In today’s digital landscape, privacy and security are more important than ever. One often overlooked area is DNS (Domain Name System) traffic, which typically travels over the internet in plaintext. This makes it vulnerable to interception, surveillance, and manipulation. Encrypting your DNS traffic helps prevent eavesdropping and spoofing attempts, ultimately making your online experience more secure.

One effective and popular tool for DNS encryption is dnscrypt-proxy. It supports DNSCrypt and DNS-over-HTTPS (DoH), and can be easily integrated with Arch Linux. This guide will walk you through understanding, installing, and configuring dnscrypt-proxy to encrypt your DNS queries.


📌 Why Encrypt DNS?

By default, DNS queries are sent in plaintext, allowing anyone between you and your DNS resolver to see the websites you’re visiting. This includes:

  • Your Internet Service Provider (ISP)
  • Potential attackers on public Wi-Fi
  • Surveillance entities

Encrypted DNS prevents:

  • DNS-based tracking and profiling
  • DNS hijacking and spoofing
  • DNS leaks in VPN setups

Protocols like DNSCrypt and DoH wrap your DNS queries in encryption, providing confidentiality and integrity.


🔍 What is dnscrypt-proxy?

dnscrypt-proxy is a flexible DNS proxy that encrypts your DNS traffic using DNSCrypt and/or DoH. It supports:

  • DNSCrypt v2
  • DNS-over-HTTPS (DoH)
  • DNS-over-TLS (DoT, with some manual tweaking)
  • Anonymized DNS relays
  • Filtering/blocking (ad/tracking domains)
  • Query logging
  • Cloaking (mapping hostnames to IPs)

It works system-wide or per-application and is compatible with most DNS clients.


🖥️ Prerequisites

Before we begin, make sure you have:

  • Arch Linux or an Arch-based distribution (e.g., Manjaro)
  • Root or sudo privileges
  • A working internet connection

🧰 Step 1: Installing dnscrypt-proxy

Arch Linux provides dnscrypt-proxy in its official repositories, making installation straightforward.

sudo pacman -S dnscrypt-proxy

This installs the binary, configuration files, and a systemd service.


📁 Step 2: Understanding the Configuration File

The default config file is located at:

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

You might want to back it up before editing:

sudo cp /etc/dnscrypt-proxy/dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml.bak

You can edit it with your preferred text editor:

sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Some key settings to pay attention to:

Server Selection

By default, dnscrypt-proxy uses a list of public resolvers. You can:

  • Use the fastest servers
  • Manually select resolvers
  • Use DNS-over-HTTPS or DNSCrypt
  • Use anonymized relays

To pin specific resolvers, list their names exactly as they appear in the resolver list:

server_names = ['cloudflare', 'quad9-doh', 'dnscrypt.eu-nl']

Or leave server_names commented out and let the proxy choose: it measures every server in the list and picks according to lb_strategy ('p2', the default, picks randomly among the two fastest; 'first' always uses the fastest):

lb_strategy = 'p2'

The plain-DNS fallback is used only for bootstrapping (downloading the resolver list and resolving the resolvers' own hostnames), never for your regular queries:

fallback_resolver = '9.9.9.9:53'

To get a list of available servers, run:

dnscrypt-proxy -list

Listening Address

Make sure dnscrypt-proxy listens on the correct address and port. By default:

listen_addresses = ['127.0.0.1:53']

You can change this if you want it to listen on a different port or interface.


Logging

To enable query logging, fill in the [query_log] section. (The top-level log_level and log_file keys control the proxy's own diagnostic log, not the per-query log, so they are not what you want here.)

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

Make sure the log directory exists:

sudo mkdir -p /var/log/dnscrypt-proxy
sudo touch /var/log/dnscrypt-proxy/query.log
sudo chown dnscrypt:dnscrypt /var/log/dnscrypt-proxy/query.log

Filtering and Cloaking (Optional)

Block ads or trackers by pointing the [blocked_names] section at a file with one domain or wildcard pattern per line:

[blocked_names]
  blocked_names_file = '/etc/dnscrypt-proxy/blocklist.txt'

Map hostnames to addresses (cloaking) with a rules file, one "name address" pair per line:

cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

For example, /etc/dnscrypt-proxy/cloaking-rules.txt could contain:

example.local 192.168.1.10

⚙️ Step 3: Enabling and Starting the Service

After configuration, enable and start dnscrypt-proxy:

sudo systemctl enable dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.service

Check its status:

systemctl status dnscrypt-proxy.service

You should see it running without errors. If not, review the journal logs:

journalctl -u dnscrypt-proxy.service

🔄 Step 4: Setting dnscrypt-proxy as Your DNS Resolver

Now we need to route all DNS queries through the proxy.

For systemd-resolved (default on some Arch setups)

Create or edit the drop-in config:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo nano /etc/systemd/resolved.conf.d/dnscrypt-proxy.conf

Add:

[Resolve]
DNS=127.0.0.1
FallbackDNS=9.9.9.9
DNSStubListener=no

Restart services:

sudo systemctl restart systemd-resolved

Make sure /etc/resolv.conf is a symlink to the file systemd-resolved manages:

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Alternatively, manually set /etc/resolv.conf

sudo nano /etc/resolv.conf

Add:

nameserver 127.0.0.1

Make it immutable to prevent overwriting:

sudo chattr +i /etc/resolv.conf

(Use sudo chattr -i /etc/resolv.conf to unlock if needed.)


🔍 Step 5: Verifying DNS Encryption

Test if your DNS queries are encrypted and going through dnscrypt-proxy.

Use dig or drill

dig +short txt debug.opendns.com

This TXT record is an OpenDNS diagnostic: it is only meaningful when the query is actually served by an OpenDNS resolver, in which case it reports the resolver node that answered and the source address it saw. With other upstreams it tells you nothing about your resolver path, so rely on the proxy's query log or the leak test below instead.

Use dnsleaktest.com

Visit https://dnsleaktest.com and run the extended test.

You should not see your ISP’s DNS resolvers listed.
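If you enabled the query log in Step 2, its last column records which upstream answered each query, which gives a local check that complements the external leak test. The following is an added example, not from the page or the dnscrypt-proxy project; it assumes the 'tsv' query-log layout (timestamp, client, name, type, return code, duration, server name), and the log lines and the server name "isp-dns" are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the page or the dnscrypt-proxy project): summarize the
# query log from Step 2 to see which upstream actually answered each query.
# Assumed layout is dnscrypt-proxy's 'tsv' query-log format, tab-separated:
#   [time]  client  qname  qtype  return_code  duration  server_name
# The log lines below are constructed sample data; "isp-dns" stands in for a
# resolver you did not intend to use.
SAMPLE_LOG=$(
  printf '[2024-05-01 10:00:01]\t127.0.0.1\texample.com\tA\tPASS\t12ms\tcloudflare\n'
  printf '[2024-05-01 10:00:02]\t127.0.0.1\twiki.archlinux.org\tAAAA\tPASS\t30ms\tquad9-doh\n'
  printf '[2024-05-01 10:00:03]\t127.0.0.1\tads.example.net\tA\tREJECT\t0ms\t-\n'
  printf '[2024-05-01 10:00:04]\t127.0.0.1\texample.local\tA\tCLOAK\t0ms\t-\n'
  printf '[2024-05-01 10:00:05]\t127.0.0.1\texample.org\tA\tPASS\t40ms\tquad9-doh\n'
  printf '[2024-05-01 10:00:06]\t127.0.0.1\tintranet.corp\tA\tPASS\t5ms\tisp-dns\n'
)

# Count forwarded (PASS) queries per upstream: prints "count server", sorted by server.
servers_used() {
    printf '%s\n' "$1" | awk -F '\t' '
        $5 == "PASS" { n[$7]++ }
        END { for (s in n) print n[s], s }' | sort -k2
}

# Print each upstream that answered a forwarded query but is not in the
# space-separated expected list; exit 1 if any such upstream exists.
unexpected_servers() {
    printf '%s\n' "$1" | awk -F '\t' -v want="$2" '
        BEGIN { k = split(want, w, " "); for (i = 1; i <= k; i++) ok[w[i]] = 1 }
        $5 == "PASS" && !($7 in ok) && !seen[$7]++ { print $7; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Real use, with the resolvers chosen in server_names:
#   unexpected_servers "$(sudo cat /var/log/dnscrypt-proxy/query.log)" 'cloudflare quad9-doh dnscrypt.eu-nl'
servers_used "$SAMPLE_LOG"
unexpected_servers "$SAMPLE_LOG" 'cloudflare quad9-doh' || echo 'query answered by an unexpected upstream'
```

Blocked (REJECT) and cloaked (CLOAK) answers never leave the machine, so only PASS entries are counted against the expected list.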


🔐 Optional: Use Anonymized DNS Relays

To prevent DNS resolvers from knowing your IP address, you can use anonymized DNS relays. This only works with DNSCrypt resolvers (DoH servers such as cloudflare or quad9-doh cannot be relayed), so the route below uses a wildcard and tells the proxy to skip servers it cannot relay rather than contacting them directly. Relay names come from the relays list, which the default config already fetches in its [sources.relays] entry. Edit your config:

[sources]
  [sources.public-resolvers]
  urls = ['https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQfF3...'

[anonymized_dns]
  routes = [
    { server_name='*', via=['anon-relay-ams', 'anon-relay-par'] }
  ]
  # Do not fall back to a direct connection for servers that cannot be relayed (e.g. DoH)
  skip_incompatible = true

Then restart the service.


🧪 Troubleshooting

Can’t resolve domains?

  • Ensure no other DNS service is bound to port 53 (e.g., systemd-resolved or NetworkManager).
  • Use sudo ss -tulnp 'sport = :53' to see what is bound to port 53 (a plain grep 53 also matches ports such as 5353 or 8053).
  • Check logs: journalctl -u dnscrypt-proxy
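The port-53 check above is the one most often done by eye. As an added example (not from the page or the dnscrypt-proxy project), the functions below parse ss output by its local-address column, so that 5353 or 8053 listeners are not mistaken for port 53 conflicts; the two ss samples are constructed, and the real call is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the page or the dnscrypt-proxy project): find what is
# bound to port 53 exactly. The grep in the troubleshooting list also matches
# 5353 (mDNS) or 8053, so this parses the local-address column instead.
# Input is the output of `ss -Hltunp` (columns: netid state recv-q send-q
# local peer process; the process column needs root). Constructed sample:
SAMPLE_SS='udp   UNCONN 0      0        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=412,fd=12))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=390,fd=13))
tcp   LISTEN 0      4096         127.0.0.1:53      0.0.0.0:*    users:(("dnscrypt-proxy",pid=900,fd=8))
tcp   LISTEN 0      128            0.0.0.0:8053     0.0.0.0:*    users:(("dnsmasq",pid=700,fd=5))
udp   UNCONN 0      0            [::1]:53          [::]:*       users:(("dnscrypt-proxy",pid=900,fd=9))'

# Same layout after the conflicting stub listener has been disabled (constructed).
SAMPLE_OK='tcp   LISTEN 0      4096         127.0.0.1:53      0.0.0.0:*    users:(("dnscrypt-proxy",pid=900,fd=8))
udp   UNCONN 0      0            127.0.0.1:53      0.0.0.0:*    users:(("dnscrypt-proxy",pid=900,fd=9))'

# Print "proto local-address process" for every socket whose local port is 53.
port53_listeners() {
    printf '%s\n' "$1" | awk '
        $5 ~ /:53$/ {
            proc = "?"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            print $1, $5, proc
        }'
}

# Exit 0 only when dnscrypt-proxy is listening on port 53 and nothing else is.
port53_owned_by_dnscrypt_only() {
    port53_listeners "$1" | awk '
        $3 == "dnscrypt-proxy" { ours = 1; next }
        { other = 1 }
        END { exit ((ours && !other) ? 0 : 1) }'
}

# Real use: port53_listeners "$(sudo ss -Hltunp)"
port53_listeners "$SAMPLE_SS"
port53_owned_by_dnscrypt_only "$SAMPLE_SS" || echo 'port 53 is shared with another service'
```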

DNS leaks?

  • Double-check /etc/resolv.conf points to 127.0.0.1.
  • Avoid VPNs that override your DNS settings.

🔄 Updating dnscrypt-proxy

The resolver and relay lists are re-downloaded automatically; refresh_delay (in hours) under each [sources] entry controls how often. Restarting the service makes it re-check the cached lists right away and refetch any that are stale:

sudo systemctl restart dnscrypt-proxy

The proxy binary itself is updated with the rest of the system:

sudo pacman -Syu

(List refreshes need no manual intervention in normal operation.)


🧭 Conclusion

Encrypting DNS traffic with dnscrypt-proxy on Arch Linux is a powerful way to boost your privacy and security. Whether you’re simply concerned about surveillance or you’re a network-savvy user looking to control and inspect DNS traffic, dnscrypt-proxy offers a customizable and robust solution.

By following this guide, you’ve:

  • Installed and configured dnscrypt-proxy
  • Encrypted your DNS traffic using DNSCrypt or DoH
  • Set up your system to resolve names privately and securely
  • Gained the ability to customize, filter, and log DNS behavior

In a time where digital freedom and privacy are often taken for granted, even small steps like encrypting DNS can make a meaningful difference.