This is an old revision of the document!
DNSCrypt
DNSCrypt is a protocol specifically designed to encrypt and authenticate DNS communication between a DNS client and a DNS resolver. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
Some of OpenNIC Tier 2 servers support DNSCrypt. In order to get started with DNSCrypt at OpenNIC, you need five things:
(Example based on ns1.any.dns.opennic.glue)
- dnscrypt-proxy installed - See this for more information
- The servers IP address (
185.121.177.177
) - The DNSCrypt port this server is listening on for DNSCrypt encrypted queries
- The DNSCrypt provider name (
2.dnscrypt-cert.dnsrec.meo.ws
) - The DNSCrypt provider key (
1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5
)
You can test if the server is indeed configured correctly and working for you by executing:
dnscrypt-proxy -r $IP:$PORT -N $NAME -k $KEY
Example:
dnscrypt-proxy -r 185.121.177.177:5353 \ -N 2.dnscrypt-cert.dnsrec.meo.ws \ -k 1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5
This example command should produce an output similar to this:
[NOTICE] Proxying from 127.0.0.1:53 to 185.121.177.177:5353
If this is not the case and an error comes up, please double-check that you copied everything correctly and try with another server or port.
Depending on which client you chose from the all the available ones, you might need to edit a CSV file, a configuration file or click through a few configuration settings in order to get started.
Once your DNSCrypt client is running, you can point your local systems DNS settings to query at 127.0.0.1:53
(or a different port if you specified one with -a
or –local-address=
).