DNS Security

DnsCrypt on Ubuntu – Encrypted DNS Traffic

DNSCrypt is an authentication protocol that facilitates the communication between DNS clients and DNS resolvers.  It’s an effective tool to prevent DNS spoofing where traffic is diverted to fake websites by manipulating DNS servers. DNSCrypt uses cryptographic signatures to authenticate traffic sources. So it’s easier to detect any manipulation of incoming information. It’s an open specification with multiple free and open-source implementation. DNSCrypt clients are available for Windows, MacOS, Unix, Android, iOS, and Linux.

Available DNS Resolvers with DNSCrypt Capability

There are a number of public DNS server with support for DNSCrypt protocol. You can also run your own DNS resolver.

You will need a DNSCrypt client to communicate with these servers.

DNSCrypt Clients

One of the most popular clients is dnscrypt-proxy. It has both a command line and a graphical user interface. It’s up-to-date to current DNSCrypt protocol and it is supported on Windows, macOS, Linux, OpenBSD, FreeBSD, NetBSD, Android, and iOS.

There are other clients like Simple DNSCrypt and DNSCrypt-OSXClient.

Benefits of DNSCrypt Clients

The DNSCrypt clients have the following benefits:

  • Reviews traffic integrity in real-time and detects any manipulation.
  • Provides control over rejecting ads, trackers, spam, malware or other harmful sites.
  • Caches responses and avoids IPv6 requests on IPv4-only networks to improve latency.
  • Mandatory TCP use through TCP-only tunnels or Tor
  • Local zone queries are protected

DNSCrypt Client dnscrypt-proxy Installation on Ubuntu

For Ubuntu 14.x, you can use Pascal’s DNSCrypt PPA:

$ sudo add-apt-repository ppa:anton+/dnscrypt

$ sudo apt-get update

$ sudo apt-get install dnscrypt-proxy

For Ubuntu 16.x and 17.x, dnscrypt-proxy is part of the Ubuntu repository. So you can directly install using the following command:

$ sudo apt-get install dnscrypt-proxy

After installation, add to your DNS servers on your network configuration.

Next, start the dnscrypt-proxy service using the following command:

$ service dnscrypt-proxy start

It will create a user called “_dnscrypt-proxy” and run the service as that user. Check the service status using:

$ service dnscrypt-proxy status

Verifying Successful Installation

The following link verifies successful installations:


A successful installation should show the following page:

Alternatively, you can use the following command line

$ dig txt debug.opendns.com

You should get output like:

$ dig txt debug.opndns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt debug.opndns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41412
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

; EDNS: version: 0, flags:; udp: 4096
;debug.opndns.com.        IN    TXT

debug.opendns.com. 0 IN TXT "server 11.ash"
debug.opendns.com. 0 IN TXT "flags 20 0 70 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source [REDACTED-YOUR IP]"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"

;; Query time: 74 msec
;; WHEN: Sat Dec 09 11:26:16 UTC 2017
;; MSG SIZE  rcvd: 249

Notice the debug.opendns.com. 0 IN TXT “dnscrypt enabled (71447764594D3377)” line. If you have a similar line that means your DNSCrypt protocol is working.

About the author



A passionate Linux user for personal and professional reasons, always exploring what is new in the world of Linux and sharing with my readers.