The executable file will be copied to `~/.cargo/bin/encrypted-dns` by default.

### Option 3: Docker

[dnscrypt-server-docker](https://github.com/DNSCrypt/dnscrypt-server-docker) is the most popular way to deploy an encrypted DNS server. This Docker image includes a caching DNS resolver, the encrypted DNS proxy, and scripts to automatically configure everything.

## Setup

The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound. That resolver can run locally and only respond to `127.0.0.1`. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.

In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. rust-doh is the recommended DoH proxy server. DoH support is optional, as it is currently far more complicated to set up than DNSCrypt due to certificate management.

Make a copy of the `example-encrypted-dns.toml` configuration file named `encrypted-dns.toml`.

Then, review the `encrypted-dns.toml` file. This is where all the parameters can be configured, including the IP addresses to listen on. You should probably at least change the `listen_addrs` and `provider_name` settings.

When started, the proxy will automatically create a new provider key pair if there isn't any. The server's DNS stamps can be used directly with dnscrypt-proxy. Certificates are automatically generated and rotated.

## Migrating from dnscrypt-wrapper

If you are currently running an encrypted DNS server using dnscrypt-wrapper, moving to the new proxy is simple:

- Double check that the provider name in `encrypted-dns.toml` matches the one you previously configured. If you forgot it, it can be recovered from its DNS stamp.
- Run `encrypted-dns --import-from-dnscrypt-wrapper secret.key`, with `secret.key` being the file containing the dnscrypt-wrapper provider secret key.
- Done. Your server is now running the new proxy.

## Built-in DNS cache

The proxy includes a key cache, as well as a DNS cache, to significantly reduce the load on upstream servers.

In addition, if a server is slow or unresponsive, expired cached responses will be returned, ensuring that popular domain names always keep being served.

## State file

The proxy creates and updates a file named `encrypted-dns.state` by default. That file contains the provider secret key, as well as certificates and encryption keys.

Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost. Anyone who obtains the provider secret key can sign certificates for your provider name, so treat the file like a TLS private key: putting it in a directory that is only readable by the super-user is not a bad idea.

## Filtering

Domains can be filtered directly by the proxy; see the filtering section of the configuration file.

## Access control

Access control can be enabled in the access control section of the configuration file and configured with the `query_meta` configuration value of dnscrypt-proxy.

## Prometheus metrics

Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.

## Anonymized DNSCrypt

Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.
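The migration notes above say a forgotten provider name can be recovered from the server's DNS stamp, and the Anonymized DNSCrypt section describes running the server as a relay. The following is an added example, not code from encrypted-dns-server or dnscrypt-proxy: it encodes and decodes DNSCrypt server stamps (protocol byte `0x01`) and Anonymized DNSCrypt relay stamps (`0x81`) according to the public DNS stamp specification, which is what lets you read the provider name and public key back out of an `sdns://` string. The address, key bytes and provider name used below are constructed placeholders; DoH stamps (`0x02`) are not handled.

```python
"""DNS stamp (sdns://) encoder and decoder for DNSCrypt servers and relays.

Added example, not part of encrypted-dns-server. A stamp is "sdns://" plus
URL-safe base64 (no padding) of a protocol byte followed by fields that are
each prefixed with a single length byte ("LP" fields in the specification).
"""
import base64
from dataclasses import dataclass

PROTO_DNSCRYPT = 0x01        # DNSCrypt server stamp
PROTO_DNSCRYPT_RELAY = 0x81  # Anonymized DNSCrypt relay stamp

# Bits of the 64-bit little-endian "props" field of a server stamp.
PROP_DNSSEC = 1 << 0
PROP_NO_LOGS = 1 << 1
PROP_NO_FILTER = 1 << 2


@dataclass
class DNSCryptStamp:
    addr: str            # "ip:port" the server listens on
    public_key: bytes    # 32-byte Ed25519 provider public key
    provider_name: str   # e.g. "2.dnscrypt-cert.example.com"
    dnssec: bool
    no_logs: bool
    no_filter: bool


@dataclass
class RelayStamp:
    addr: str            # "ip:port" of the relay


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the payload."""
    if len(data) > 255:
        raise ValueError("field longer than 255 bytes")
    return bytes([len(data)]) + data


def _encode(raw: bytes) -> str:
    return "sdns://" + base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _decode(stamp: str) -> bytes:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp: missing sdns:// prefix")
    body = stamp[len("sdns://"):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def build_dnscrypt_stamp(addr: str, public_key: bytes, provider_name: str, *,
                         dnssec: bool = True, no_logs: bool = True,
                         no_filter: bool = True) -> str:
    if len(public_key) != 32:
        raise ValueError("provider public key must be 32 bytes")
    props = ((PROP_DNSSEC if dnssec else 0) | (PROP_NO_LOGS if no_logs else 0)
             | (PROP_NO_FILTER if no_filter else 0))
    raw = (bytes([PROTO_DNSCRYPT]) + props.to_bytes(8, "little")
           + _lp(addr.encode("ascii")) + _lp(public_key)
           + _lp(provider_name.encode("ascii")))
    return _encode(raw)


def build_relay_stamp(addr: str) -> str:
    return _encode(bytes([PROTO_DNSCRYPT_RELAY]) + _lp(addr.encode("ascii")))


class _Reader:
    """Bounds-checked cursor so a truncated stamp fails instead of misparsing."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stamp")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        return self.take(self.take(1)[0])

    def finish(self) -> None:
        if self.pos != len(self.buf):
            raise ValueError("trailing bytes after stamp")


def parse_stamp(stamp: str):
    r = _Reader(_decode(stamp))
    proto = r.take(1)[0]
    if proto == PROTO_DNSCRYPT:
        props = int.from_bytes(r.take(8), "little")
        addr = r.lp().decode("ascii")
        pk = r.lp()
        if len(pk) != 32:
            raise ValueError("provider public key must be 32 bytes")
        name = r.lp().decode("ascii")
        r.finish()
        return DNSCryptStamp(addr, pk, name, bool(props & PROP_DNSSEC),
                             bool(props & PROP_NO_LOGS), bool(props & PROP_NO_FILTER))
    if proto == PROTO_DNSCRYPT_RELAY:
        addr = r.lp().decode("ascii")
        r.finish()
        return RelayStamp(addr)
    raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")


if __name__ == "__main__":
    # Constructed placeholder values, not a real server.
    key = bytes(range(32))
    stamp = build_dnscrypt_stamp("203.0.113.10:443", key, "2.dnscrypt-cert.example.com")
    print(stamp)
    print(parse_stamp(stamp).provider_name)
```

When recovering a provider name from a stamp you were given, also compare the public key in the stamp against the one in your state file; a matching name with a different key means the stamp belongs to a different key pair and clients using it will reject your certificates.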