DNSCrypt focuses on securing communications between a client and its first-level resolver. It does this by encrypting traffic, making it harder to snoop in a local network. This prevents variety of attacks like Man in the Middle. The DNSCrypt daemon acts as a DNS proxy between a regular client, like a DNS cache or an operating system stub resolver, and a DNSCrypt-aware resolver, like OpenDNS. Just like HTTPS encrypts normal HTTP traffic, DNSCrypt encrypts the normal DNS traffic by using Elliptic-curve cryptography.



The source can be easily download and compiled with the instructions provided in the github 

If it is already in the package sources file it can also be installed via apt package manager in Ubuntu like distros via:

apt install dnscrypt-proxy


Once the package is installed we need to change our system's default DNS resolver from to

This can be achieved by various ways, the most common of them is directly editing /etc/resolv.conf file and adding the below line


but if your system is using resolvconf daemon the changes made to the above file will reset, to make it persistent, edit the /etc/resolvconf/resolv.conf.d/base file and make the below entry in last line


Third method is where you simply open your network manager and make static entry in DNS servers just like in image below

netman.png, May 2021


Once the changes are made restart both networking and Resolvconf daemon by:

sudo systemctl restart networking
sudo systemctl restart resolvconf



Let us now compare the difference of before and after installing dnscrypt


The below image before installing DNSCrypt clearly shows the unencrypted DNS traffic being captured by Wireshark when we make make DNS queries via host command

before_dnscrypt.png, May 2021

By making a TXT record query to debug.opendns.com we get the following results as shown in below image

dnscrypt_debug_b4.png, May 2021


Let us now compare the same after enabling dnscrypt-proxy. We can now not see any DNS traffic in our wireshark instance.

packafter_dnscrypt.png, May 2021

The TXT record request made to opendns now gives us following confirmation

dnscrypt_debug_after.png, May 2021


Congratulations ! We now have succesfully installed and configured our DNS traffic