This relates to my previous post regarding opendns, google & various ISP's within the UK. I thought I'd make this post as a lot of people don't realise it is possible to use dnscrypt with other providers.

Reasons to drop opendns:

  • everything is logged
  • opendns control, change & block (without you knowing)
  • opendns guide

Why use opendns when they log everything and seem to be striking deals with other companies to change things on live networks.

Also opendns guide - when you try a url that does not exist opendns redirects you to their guide. This may seem ok but it is VERY annoying if you are working on CLI as you don't get expected errors eg: 'unknown host'. Opendns guide also has at least 4 analytics scripts running, logging your requests.

Configuring Dnscrypt #

Changing dnscrypt is pretty easy. Details of various providers can be found on dnscrypt.org & dnscrypt-proxy github

It's also possible to setup dnscrypt on your own nameserver using dnscrypt-wrapper.

setup dnscrypt on linux

If you installed dnscrypt using the default package manager there should be a config file within conf.d. All you need to do is edit this file and replace the relevant lines.

See example config below.

/etc/conf.d/dnscrypt-proxy

DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=176.56.237.171
DNSCRYPT_RESOLVERPORT=443

To apply this just restart the daemon (or just reboot) and make sure you have your local nameserver set to 127.0.0.1 (/etc/resolv.conf)

You can also see the status of dnscrypt with 'systemctl status dnscrypt-proxy' or 'service dnscrypt-proxy status' (depending on version of linux)

Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Initializing libsodium for optimal performance
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Generating a new key pair
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Done
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Server certificate #808464433 received
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] This certificate looks valid
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Chosen certificate #808464433 is valid from [2013-10-22] to [2014-10-22]
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Server key fingerprint is 923B:5...1:E253
Apr 07 15:58:50 dnscrypt-proxy[377]: [INFO] Proxying from 127.0.0.1:53 to 178.216.201.222:2053

setup dnscrypt on windows

The best guide for windows setup can be found on the dnscrypt-proxy github.

update: this tool makes windows configuration easy

You can test if this has applied by going to: dnsleaktest.com

related info: DNSCurve