DNSCrypt is a protocol specifically designed to encrypt and authenticate DNS communication between a DNS client and a DNS resolver. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

Some of OpenNIC Tier 2 servers support DNSCrypt. In order to get started with DNSCrypt at OpenNIC, you need five things:

(Example based on ns1.any.dns.opennic.glue)

  • dnscrypt-proxy installed - See this for more information
  • The servers IP address (
  • The DNSCrypt port this server is listening on for DNSCrypt encrypted queries (5353)
  • The DNSCrypt provider name (2.dnscrypt-cert.dnsrec.meo.ws)
  • The DNSCrypt provider key (1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5)

You can test if the server is indeed configured correctly and working for you by executing:

dnscrypt-proxy -r $IP:$PORT -N $NAME -k $KEY


dnscrypt-proxy -r \
               -N 2.dnscrypt-cert.dnsrec.meo.ws \
               -k 1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5

This example command should produce an output similar to this:

[NOTICE] Proxying from to

If this is not the case and an error comes up, please double-check that you copied everything correctly and try with another server or port. Note: 53 is in most cases not the DNSCrypt port, it is 443 instead unless another port is specified.

Depending on which client you chose from the all the available ones, you might need to edit a CSV file, a configuration file or click through a few configuration settings in order to get started.

Once your DNSCrypt client is running, you can point your local systems DNS settings to query at (or a different port if you specified one with -a or –local-address=).

  • /wiki/data/pages/opennic/dnscrypt.txt
  • Last modified: 16 months ago
  • by fusl