How to Encrypt Your DNS With DNSCrypt on Ubuntu and Debian

Even if you encrypt your traffic with HTTPS or even use a VPN, in some cases, your DNS traffic remains open and readily readable to your ISP and the rest of the world. That might not sound like a lot, but it’s a major privacy concern. DNS resolves the sites you visit, so reading your DNS records can easily tell the story of your browsing habits.

DNSCrypt encrypts your DNS traffic automatically and sends it to DNS servers that also use encryption. This way, the entire transaction remains encrypted throughout. Not even your ISP will be able to see where you’re browsing. DNSCrypt is actually one of the easiest services that you can set up on Linux, so there’s really no reason not to use it.

In this tutorial you will learn:

  • How to install DNSCrypt on Ubuntu and Debian.
  • How to configure your DNS server.
  • How to set DNSCrypt as your system DNS with NetworkManager and with Resolvconf.

NetworkManager DNS Configuration.

NetworkManager DNS Configuration.

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System A current version of Debian or Ubuntu
Software DNSCrypt
Other A working install of a supported distribution with root privileges.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Install DNSCrypt



Begin by installing DNSCrypt. It’s already in both Ubuntu and Debian’s repositories, so you’ll be able to just install it with apt.

$ sudo apt install dnscrypt-proxy

Configure Your DNS Server

There really isn’t much that needs to be done in the way of configuration to get DNSCrypt working. Actually, it’s probably already working right after your install. You may want to change the DNS server(s) that DNSCrypt connects to, and that’s actually a simple thing to do.

Open /etc/dnscrypt-proxy/dnscrypt-proxy.toml with your favorite text editor and root privileges. Locate the line that begins with server_names. Add in any of the names on the supported server list surrounded by quotes to the array. The end result should look something like the example below. Cloudflare is a great option, if you’re not sure what to use.

server_names = ['cloudflare']

Save an exit your file. Then, restart the DNSCrypt service.

$ sudo systemctl restart dnscrypt-proxy

Set DNSCrypt As Your System DNS

While DNSCrypt is running on our system, your computer isn’t configured to use it for DNS. That’s the next step. The method you use will depend on how your network connection is configured. Most people are using NetworkManager, as that’s the default, but if you’ve set up something custom with a static IP, you can use Resolvconf too.

With NetworkManager

Open up the settings application for your desktop environment. Go to the “Network” section, and open up the connection that you’re using.

In the configuration window that opens up, look for the IP4 section. That’s usually where you’ll find the settings you need.

NetworkManager DNS Configuration.

NetworkManager DNS Configuration.


Under that tab, look for the DNS section, and change any existing servers to 127.0.2.1. Save your changes and exit. Now, restart NetworkManager.

$ sudo systemctl restart NetworkManager

With Resolvconf

If you’re using Resolvconf or /etc/resolv.conf to specify your name servers, you can still get set up easily. First, if you’re just using a plain test /etc/resolv.conf file, you can change our nameserver line to reflect the local DNSCrypt one.

nameserver 127.0.2.1
Resolvconf DNS Configuration.

Resolvconf DNS Configuration.

For Resolvconf, change or add the dns-nameservers line for your interface in /etc/network/interfaces.

dns-nameservers 127.0.2.1

Go ahead and restart both networking and Resolvconf. If that doesn’t work, restart your computer.

$ sudo systemctl restart networking
$ sudo systemctl restart resolvconf

Closing Thoughts

Your DNS should now be fully encrypted. DNSCrypt will run automatically in the background. Because of your configuration, all DNS traffic will be diverted through DNSCrypt, encrypted, and sent out to the server that you specified. This is an easy way to control your DNS, and it’s not hard to get running, so there’s really no reason not to.



Comments and Discussions
Linux Forum