1. Home
  2. Linux

How To Use DNSCrypt To Encrypt DNS Traffic On Linux

A quick and easy way to increase your privacy on Linux is to take control of who sees your DNS lookup information. Though it won’t completely hide all IP traffic, it will prevent dangerous DNS spoofing attacks, ensuring better security. On Linux, the best way to encrypt DNS traffic is to use DNSCrypt.

DNSCrypt is a local program that, when set up correctly on any Linux PC, can lock up all DNS traffic and ensure everything safely goes to the right place.

Install DNSCrypt

Most Linux distributions have DNSCrypt in their software sources, so installing it is a breeze. Open up a terminal and enter the commands that correspond to your Linux distribution.

Ubuntu

sudo apt install dnscrypt-proxy

Debian

sudo apt-get install dnscrypt-proxy

Arch Linux

sudo pacman -S dnscrypt-proxy

Fedora

sudo dnf install dnscrypt-proxy -y

OpenSUSE

sudo zypper install dnscrypt-proxy

Generic Linux

If you can’t find a version of DNSCrypt for your operating system, the next best thing is to download the program directly from Github. Thankfully, due to the developer’s diligence, there’s no need to build DNSCrypt from source. Instead, there are downloads of pre-built binaries available. These binaries will work on all Linux distributions.

To get the binary, open up a terminal and use the wget downloader tool to grab the most recent version.

wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_x86_64-2.0.16.tar.gz

or, to download the 32-bit version, do:

wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_i386-2.0.16.tar.gz

Did you know that there’s an ARM version of DNSCrypt available? That’s right! It’s possible to get this tool on ARM Linux operating systems. To get it, install wget, open up a terminal and grab it with the following command:

wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_arm-2.0.16.tar.gz

Linux ARM64:

wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_arm64-2.0.16.tar.gz

With the binary release on your Linux PC, let’s install the software! To start off, use the Tar command to fully extract the contents of the archive.

tar -xzvf dnscrypt-proxy-linux_*-2.0.16.tar.gz

Extracting the DNSCrypt binary folder will place all of the necessary files into a “Linux” folder in /home. It’s safe to keep these files in /home/, where the wget tool put it. Though be careful you don’t delete the folder by accident!

To start up the tool, you’ll need to first enter the newly extracted file folder. Using the CD command, move to it.

cd linux-*

DNSCrypt will start with the following command:

./dnscrypt

Set Up DNSCrypt

The DNSCrypt tool is on your Linux PC and ready to go. Though, just because it’s installed doesn’t mean it’s working. Unfortunately, you’ll need to tinker with the DNSCrypt settings to get it to work. The first step is to pick a public DNS.

There are a lot of safe, secure public DNS choices out there. It’s important to go with an alternative DNS, instead of sticking with the one that your ISP provides, if you’d like better security. There’s not really a point to setting up encrypted DNS on Linux if you are not hiding it from your provider.

A really good choice for a secure Public DNS is CloudFlare. The reason to go with this provider is simple: out of all the other DNS solutions out there, CloudFlare has repeatedly shown that they care about user privacy when it comes to DNS. It’s also blazing fast!

Note: don’t want to go with CloudFlare DNS? OpenDNS is a solid alternative. Learn more here!

Click on your network icon and edit your default connection.

Find the IPv4 option, and look for “DNS Servers”. In the “DNS Servers” text-box, paste the following address:

127.0.0.2

After setting up the DNSCrypt software, it’s imperative that you reboot your network manager with the following command. If you don’t, it’s likely the tool will refuse to work.

sudo systemctl restart NetworkManager.service

Apply DNS Settings

The basic settings that allow the DNSCrypt tool to work are in place. The last thing to do is to drop down to the command-line and apply the DNS profile.

sudo dnscrypt-proxy -R cloudflare -a 127.0.0.2:53 -u dnscrypt

Disable DNSCrypt

DNSCrypt is a nice little tool that allows users to hide their DNS lookups, to increase security and prevent DNS spoofing. Still, for as good as it is, if you find it’s not for you (for whatever reason), you may want to disable it.

Thanks to the systemd init system in Linux, DNSCrypt, users can start and stop it at any time, without even needing to uninstall it! To do this, open up a terminal and gain a root shell.

sudo -s

With a root shell, you’re free to manipulate the DNSCrypt service files. To stop it, run the following command:

sudo systemctl stop dnscrypt-proxy.service

To disable it completely, and prevent it from running at startup do:

sudo systemctl disable dnscrypt-proxy.service

Leave a comment