Even if you encrypt your traffic with HTTPS or even use a VPN, in some cases, your DNS traffic remains open and readily readable to your ISP and the rest of the world. That might not sound like a lot, but it’s a major privacy concern. DNS resolves the sites you visit, so reading your DNS records can easily tell the story of your browsing habits.
DNSCrypt encrypts your DNS traffic automatically and sends it to DNS servers that also use encryption. This way, the entire transaction remains encrypted throughout. Not even your ISP will be able to see where you’re browsing. DNSCrypt is actually one of the easiest services that you can set up on Linux, so there’s really no reason not to use it.
In this tutorial you will learn:
- How to install DNSCrypt on Ubuntu and Debian.
- How to configure your DNS server.
- How to set DNSCrypt as your system DNS with NetworkManager and with Resolvconf.
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | A current version of Debian or Ubuntu |
Software | DNSCrypt |
Other | A working install of a supported distribution with root privileges. |
Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Install DNSCrypt
Begin by installing DNSCrypt. It’s already in both Ubuntu and Debian’s repositories, so you’ll be able to just install it with apt
.
$ sudo apt install dnscrypt-proxy
Configure Your DNS Server
There really isn’t much that needs to be done in the way of configuration to get DNSCrypt working. Actually, it’s probably already working right after your install. You may want to change the DNS server(s) that DNSCrypt connects to, and that’s actually a simple thing to do.
Open /etc/dnscrypt-proxy/dnscrypt-proxy.toml
with your favorite text editor and root privileges. Locate the line that begins with server_names
. Add in any of the names on the supported server list surrounded by quotes to the array. The end result should look something like the example below. Cloudflare is a great option, if you’re not sure what to use.
server_names = ['cloudflare']
Save an exit your file. Then, restart the DNSCrypt service.
$ sudo systemctl restart dnscrypt-proxy
Set DNSCrypt As Your System DNS
While DNSCrypt is running on our system, your computer isn’t configured to use it for DNS. That’s the next step. The method you use will depend on how your network connection is configured. Most people are using NetworkManager, as that’s the default, but if you’ve set up something custom with a static IP, you can use Resolvconf too.
With NetworkManager
Open up the settings application for your desktop environment. Go to the “Network” section, and open up the connection that you’re using.
In the configuration window that opens up, look for the IP4 section. That’s usually where you’ll find the settings you need.
Under that tab, look for the DNS section, and change any existing servers to 127.0.2.1
. Save your changes and exit. Now, restart NetworkManager.
$ sudo systemctl restart NetworkManager
With Resolvconf
If you’re using Resolvconf or /etc/resolv.conf
to specify your name servers, you can still get set up easily. First, if you’re just using a plain test /etc/resolv.conf
file, you can change our nameserver
line to reflect the local DNSCrypt one.
nameserver 127.0.2.1
For Resolvconf, change or add the dns-nameservers
line for your interface in /etc/network/interfaces
.
dns-nameservers 127.0.2.1
Go ahead and restart both networking and Resolvconf. If that doesn’t work, restart your computer.
$ sudo systemctl restart networking $ sudo systemctl restart resolvconf
Closing Thoughts
Your DNS should now be fully encrypted. DNSCrypt will run automatically in the background. Because of your configuration, all DNS traffic will be diverted through DNSCrypt, encrypted, and sent out to the server that you specified. This is an easy way to control your DNS, and it’s not hard to get running, so there’s really no reason not to.