Install and Enable DNSCrypt Proxy 2 in Ubuntu 18.04 Or 19.04 / Debian Unstable Or Testing [How To]

DNSCrypt Proxy 2 is a flexible DNS proxy with support for encrypted DNS protocols, like DNSCrypt v2 and DNS-over-HTTPS.

DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It turns regular DNS traffic into encrypted DNS traffic that's protected from spying, spoofing, or man-in-the-middle attacks, thus improving the user's online security and privacy.

DNSCrypt Proxy 2 features include:

  • Encrypted and authenticated DNS traffic, supporting DNS-over-HTTPS (DoH) and DNSCrypt
  • DNS query monitoring, with separate log files for regular and suspicious queries
  • Filtering: block ads, malware, and other unwanted content
  • DNS caching, to reduce latency and improve privacy
  • Local IPv6 blocking to reduce latency on IPv4-only networks
  • Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones
  • Automatic background updates of resolvers lists
  • DNSSEC-compatible

You can check out the complete DNSCrypt Proxy v2 feature list by visiting the project page.

Compared to v1, the 2.0 series of DNSCrypt Proxy, which had its first stable release back in February, was rewritten in Go, has support for DNS-over-TLS and DNS-over-HTTPS, and supports DNS caching. It also has a new configuration file format that's not compatible with the old v1 format.

DNSCrypt Proxy v2 is available in the Debian Testing and Unstable repositories, as well as the Ubuntu 18.10 and 19.04 repositories. There's also a PPA for Ubuntu 18.04 and Linux Mint 19. The PPA has packages for older Ubuntu / Linux Mint versions but I couldn't get it to work, so this article offers instructions only for Ubuntu 18.04, Ubuntu 18.10, Ubuntu 19.04, Linux Mint 19.x, Debian Unstable and Debian Testing.

As a side note, for Windows users there's a simple management tool for DNSCrypt Proxy, called Simple DNSCrypt.

How to install and enable DNSCrypt Proxy 2 in Ubuntu 19.04 / 18.10 or Debian Unstable / Testing


Ubuntu 18.10 is the first Ubuntu release to have the new DNSCrypt Proxy 2 in its archive. The package was imported from Debian and thus, is also available in Debian Unstable and Testing.

If you had an older dnscrypt-proxy (< 2.0) version installed, purge and reinstall it, so its new configuration is installed:

sudo apt purge dnscrypt-proxy

To install dnscrypt-proxy in Ubuntu 19.04 or 18.10 or Debian Unstable / Testing, use this command:

sudo apt install dnscrypt-proxy

To use DNSCrypt Proxy 2, change the DNS to 127.0.2.1 in your network configuration. How to change this depends on the desktop environment you're using.

For example in Ubuntu 18.10 with the Gnome desktop (wired network), go to System Settings > Network, click the cog icon next to the network you're connected to, and in the IPv4 tab disable Automatic next to DNS, and enter 127.0.2.1 as the DNS server, like in this screenshot:

[Screenshot: Change DNS Ubuntu 18.10 network]

You'll also need to disable and re-enable your network using the slider (next to (1) in the screenshot), or restart it from the command line:

sudo systemctl restart NetworkManager

For WiFi, go to System Settings > WiFi instead. Remember to restart the WiFi network to use the new DNS.

In Debian Unstable / Testing with Xfce, right click the network applet in the panel and select Edit Connections. Next, select your active connection, then click the cog icon at the bottom to edit it. On the IPv4 Settings tab select Automatic (DHCP) addresses only from the Method dropdown, then enter 127.0.2.1 in the DNS servers field, and click Save:

[Screenshot: Change DNS Debian Xfce]

Next, right click the network applet in the panel again, click Enable Networking once to disable it, then click it again to re-enable networking. You can also restart it by using this command:

sudo systemctl restart NetworkManager

How to install and enable DNSCrypt Proxy 2 in Ubuntu 18.04 or Linux Mint 19.x


DNSCrypt Proxy v2 didn't make it into the Ubuntu 18.04 archive, but it has an official PPA you can use to install it and receive future updates. The PPA is compatible with Ubuntu 18.04, Ubuntu 16.04, Linux Mint 19.x and Linux Mint 18.x, but I didn't have much success getting DNSCrypt Proxy 2 from this PPA to work in Ubuntu 16.04 or Linux Mint 18. So the instructions below are for Ubuntu 18.04 and Linux Mint 19.x only.

Before adding the PPA and installing DNSCrypt Proxy v2, make sure you purge dnscrypt-proxy if it was previously installed on your system, by using this command:

sudo apt purge dnscrypt-proxy

Now you can add the PPA and install DNSCrypt Proxy v2 in Ubuntu 18.04 or Linux Mint 19:

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy

Now you'll need to change your DNS server to 127.0.2.1 in your network settings. How to change this depends on the desktop environment you're using.

In Ubuntu 18.04 (Gnome) it's similar to Ubuntu 19.04 / 18.10 (it's exactly like in the screenshot for Ubuntu 19.04 / 18.10 above): go to System Settings > Network, click the cog icon next to the network you're connected to, and in the IPv4 tab disable Automatic next to DNS, and enter 127.0.2.1 as the DNS server. Restart the network by disabling and re-enabling the slider next to the network you're connected to, or restart it by using this command:

sudo systemctl restart NetworkManager

For WiFi networks, go to System Settings > WiFi instead. Remember to restart the WiFi network to use the new DNS.

In Linux Mint 19 Cinnamon for example, left click the network applet in the bottom panel and select Edit Connections. Next, select your active connection, then click the cog icon at the bottom to edit it. On the IPv4 Settings tab select Automatic (DHCP) addresses only from the Method dropdown, then enter 127.0.2.1 in the DNS servers field, and click Save:

[Screenshot: Change DNS Linux Mint 19 Cinnamon]

Next, right click the network applet in the bottom panel again, click Enable Networking once to disable it, then click it again to re-enable networking. You can also restart it by using this command:

sudo systemctl restart NetworkManager

How to check if you're using DNSCrypt Proxy


There are multiple ways to check whether you're using DNSCrypt Proxy and which DNS is currently in use. Use the first method below to find out whether DNSCrypt Proxy actually works on your system, and the other two to check which DNS is in use on your computer (all three can also show whether you're using DNSCrypt Proxy, but the first one is the most reliable).

I. The best way to check if you're using DNSCrypt Proxy is to stop the service. Since it's stopped, DNS resolution should not work any more, confirming that DNSCrypt Proxy is actually in use when the service is running.

Stop the DNSCrypt Proxy service / socket using these commands:

sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl stop dnscrypt-proxy

Now try to ping a domain, like google.com:

ping google.com

The domain shouldn't resolve, throwing an error, like this:

$ ping google.com
ping: google.com Name or service not known

Now that you've confirmed DNSCrypt Proxy is used, start its service / socket again using:

sudo systemctl start dnscrypt-proxy
sudo systemctl start dnscrypt-proxy.socket

II. To check the actual IP of the DNS you're currently using (for example, if you're using Google's 8.8.8.8 and 8.8.4.4 DNS, the actual IP isn't either of those two), look at the output of this command:

dnscrypt-proxy -resolve google.com

For example, using de.dnsmaschine.net DNS server, which is hosted by vultr.com, this is the output (see the last line, called Resolver IP):

$ dnscrypt-proxy -resolve google.com
Resolving [google.com]

Domain exists:  yes, 4 name servers found
Canonical name: google.com.
IP addresses:   74.125.24.113, 74.125.24.139, 74.125.24.100, 74.125.24.138, 74.125.24.101, 74.125.24.102, 2404:6800:4003:c03::71
TXT records:    facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95 v=spf1 include:_spf.google.com ~all docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e
Resolver IP:    209.250.235.170 (209.250.235.170.vultr.com.)

III. You can find your current DNS resolver by using a DNS Leak tester website. There are quite a few websites for this available, like Perfect Privacy, DNS Leak Test, the DNS Leak Test of ExpressVPN, ipleak.net and so on.
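
A resolver left configured next to 127.0.2.1 (for example one supplied by DHCP) lets some queries bypass the proxy. The script below is an added example, not part of the original article: it classifies the nameserver list of a resolv.conf-style file. The function names, the 192.0.2.53 sample address and the use of /run/systemd/resolve/resolv.conf on systemd-resolved systems are assumptions.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file for resolvers other than the
# dnscrypt-proxy listen address used in this article.
PROXY_ADDR="127.0.2.1"

# Print every "nameserver" address in file $1, one per line.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print one status word for file $1:
#   proxy-only  only 127.0.2.1 is configured
#   mixed       127.0.2.1 plus another resolver (queries can bypass the proxy)
#   bypassed    resolvers are configured, none of them is 127.0.2.1
#   empty       no nameserver lines at all
dns_status() {
    list_nameservers "$1" | awk -v proxy="$PROXY_ADDR" '
        $1 == proxy { p++; next }
        { o++ }
        END {
            if (p && !o)     print "proxy-only"
            else if (p && o) print "mixed"
            else if (o)      print "bypassed"
            else             print "empty"
        }'
}

# Assumption: with systemd-resolved, /etc/resolv.conf only shows the
# 127.0.0.53 stub and the real upstream list is in the /run file below.
default_resolv_file() {
    if [ -r /run/systemd/resolve/resolv.conf ]; then
        echo /run/systemd/resolve/resolv.conf
    else
        echo /etc/resolv.conf
    fi
}

# Constructed sample: a DHCP-supplied resolver left next to the proxy.
sample=$(mktemp)
printf '# constructed sample\nnameserver 127.0.2.1\nnameserver 192.0.2.53\n' > "$sample"
echo "sample: $(dns_status "$sample")"
rm -f "$sample"
# On a real system: dns_status "$(default_resolv_file)"
```

Anything other than proxy-only means the network settings still list a resolver besides DNSCrypt Proxy.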

(Optional) How to change the DNSCrypt Proxy 2 DNS servers


Using its default configuration, DNSCrypt Proxy 2 automatically picks the fastest working servers from the public servers list, which match the filters set up in the DNSCrypt Proxy 2 configuration file.

This is the case for the packages from the DNSCrypt Proxy 2 PPA, but not for the package available in the Ubuntu 19.04 and 18.10 repositories. In Ubuntu 19.04 / 18.10, DNSCrypt Proxy 2 defaults to the CloudFlare DNS.

If you want to change the DNSCrypt Proxy 2 servers, you'll need to edit the /etc/dnscrypt-proxy/dnscrypt-proxy.toml configuration file as root. To open this file as root with Gedit (the default Gnome text editor), you can use this command:

gedit admin:///etc/dnscrypt-proxy/dnscrypt-proxy.toml

Replace gedit with the graphical text editor of your choice (like xed, which is the default text editor in Linux Mint Cinnamon, etc.).

Or, if you want to use Nano command line editor, use:

sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Next, in this file uncomment the server_names line if it's commented out (it should be near the top - it's commented out for the PPA packages; uncommenting this line means to remove the # sign from the beginning of the line, if it's present).

Copy the server name (copy the exact server name from the Name column) you want to use from this page, and add it to server_names in /etc/dnscrypt-proxy/dnscrypt-proxy.toml. For example, if you only want to add one server, the server_names value should look like this:

server_names = ['server']

If you want to add multiple DNS servers, it should look like this:

server_names = ['server1', 'server2', 'server3']

After making changes to the DNSCrypt Proxy 2 configuration file, you'll need to restart its systemd service or else the changes won't be applied until you reboot. You can restart DNSCrypt Proxy 2 by using this command:

sudo systemctl restart dnscrypt-proxy

All the DNSCrypt Proxy 2 options can be changed by editing the /etc/dnscrypt-proxy/dnscrypt-proxy.toml configuration file.

If you're using the PPA package, all the DNSCrypt Proxy 2 configuration options are already available in the /etc/dnscrypt-proxy/dnscrypt-proxy.toml file.

In case of Ubuntu 19.04 / 18.10 and Debian Testing and Unstable, the DNSCrypt Proxy 2 package that's available in the repositories ships with a simplified configuration file, which only has a few options listed. You can find the original dnscrypt-proxy.toml on GitHub though. Copy the options you want to use (and uncomment them) in your /etc/dnscrypt-proxy/dnscrypt-proxy.toml.

Don't change the listen_addresses value though (leave it empty) as it may cause DNSCrypt Proxy 2 to stop working. If you must change the DNSCrypt Proxy 2 listen address (defaulting to 127.0.2.1 in Debian and Ubuntu), do so by editing the dnscrypt-proxy.socket file.
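
An added example (not part of the original article or the DNSCrypt Proxy project) that lints the two settings discussed above: whether server_names is pinned, and whether listen_addresses was left empty. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the two dnscrypt-proxy.toml settings discussed above.

# Print the items of an uncommented array "KEY = [...]" (KEY is $1) found in
# file $2, one per line. Prints nothing if the key is absent, commented out
# or set to an empty array.
toml_array_items() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\[\([^]]*\)\].*/\1/p" "$2" |
        head -n 1 | tr ',' '\n' |
        sed "s/^[[:space:]]*['\"]//; s/['\"][[:space:]]*\$//" |
        sed '/^[[:space:]]*$/d'
}

# Print one finding per line for config file $1.
lint_proxy_config() {
    names=$(toml_array_items server_names "$1")
    if [ -z "$names" ]; then
        echo "server_names: not set, proxy picks the fastest servers matching its filters"
    else
        echo "server_names: pinned to $(echo "$names" | tr '\n' ' ' | sed 's/ $//')"
    fi
    if [ -n "$(toml_array_items listen_addresses "$1")" ]; then
        echo "listen_addresses: WARNING not empty, change dnscrypt-proxy.socket instead"
    else
        echo "listen_addresses: empty, ok"
    fi
}

# Constructed sample config (not a real system file): server_names is
# uncommented, and listen_addresses was filled in against the advice above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# server_names = ['server1', 'server2']
server_names = ['server1', 'server2', 'server3']
listen_addresses = ['127.0.0.1:53']
EOF
lint_proxy_config "$sample"
rm -f "$sample"
# On a real system: lint_proxy_config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
```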