First of all, you have to install the dnscrypt-proxy plugin (os-dnscrypt-proxy) from the plugins view reachable via.
After a page reload you will get a new menu entry under Services for DNSCrypt-Proxy.
When you start the daemon, it looks for a list of public DNS server from here: https://dnscrypt.info/public-servers
Depending on all settings below the list will shortened to your choice, like only IPv4, or logging disabled. The fastest two servers will be used for DNS queries. If you use Unbound as your main resolver and want to send your queries to Unbound first and forward to DNSCrypt-Proxy, just set this in your Unbound Advanced settings:
do-not-query-localhost: no forward-zone: name: "." forward-addr: 127.0.0.1@5353
|Enable and start DNSCrypt-Proxy.|
|Listen Address:||Here you set the addresses and ports to listen on. Default is localhost and port 5353. If you want it to listen to port 53 you should enable Allow Privileged Ports, especially when the system itself should treat it as a resolver.|
|Allow Privileged Ports:|
|This allows the service to listen on ports below 1024, like 53.|
|Max Client Connections:|
|How many clients are allowed to contact the daemon.|
|Use IPv4 Servers:|
|Use IPv4 enabled servers.|
|Use IPv6 Servers:|
|Only use IPv6 enabled servers.|
|Use DNSCrypt Servers:|
|Include resolvers supporting DNSCrypt protocol in the decision process.|
|Use DNS-over-HTTPS Servers:|
|Include resolvers supporting DNS-over-HTTPS in the decision process.|
|Require DNSSEC:||Only use resolvers supporting DNSSEC protocol.|
|Require NoLog:||Only use resolvers with disabled loggong.|
|Only use resolvers without filtering. Otherwise requests would also filtered for adult content or ad’s.|
|Force TCP:||Always use TCP to connect to upstream servers. This can be can be useful if you need to route everything through Tor, otherwise keep it disabled.|
|Proxy:||Use this to route all TCP connections to a local Tor node, format has to be like 127.0.0.1:9050|
|Timeout:||How long a DNS query will wait for a response in milliseconds.|
|Keepalive:||Keepalive for HTTP (HTTPS, HTTP/2) queries in seconds.|
|Cert Refresh Delay:|
|Delay in minutes after which certificates are reloaded.|
|Ephemeral Keys:||Create a new, unique key for every single DNS query. This may improve privacy but can also have a significant impact on CPU usage.|
|TLS Disable Session Tickets:|
|Disable TLS session tickets - increases privacy but also latency.|
|This is a normal, non-encrypted DNS resolver, that will be only used for one-shot queries when retrieving the initial resolvers list, and only if the system DNS configuration does not work.|
|Block IPv6:||Immediately respond to IPv6-related queries with an empty response. This makes things faster when there is no IPv6 WAN connectivity.|
|Cache:||Enable a DNS cache to reduce latency and outgoing traffic.|
|Cache Size:||Set the cache size.|
|Cache Min TTL:||Minimum TTL for cached entries.|
|Cache Max TTL:||Maximum TTL for cached entries.|
|Cache Negative Min TTL:|
|Minimum TTL for negatively cached entries.|
|Cache Negative Max TTL:|
|Maximum TTL for negatively cached entries.|
Example: Standalone DNS¶
You can use the DNSCrypt-Proxy as a full-featured standalone DNS instead of Unbound or Dnsmasq. This setup has the advantage that you do not need a forwarder solution for encrypting DNS requests or the usage of DNSBL.
To do so go to Services->Unbound DNS->General and uncheck Enable. If you are using Dnsmasq go to Services->Dnsmasq DNS->Settings and uncheck Enable. Now change to Services->DNSCrypt-Proxy->Configuration and add your Local LAN IP address to the Listen Address field, e.g. 192.168.2.1:53.
For IPv6 with dynamic prefixes you can work around this with ::1:53 as Listen Address and add a Port Forward rule, matching every IPv6 UDP traffic, port 53, redirect to ::1.
Optionally you can set :53 to listen on all addresses like the default behaviour in Unbound.