DNSCrypt-Proxy
Overview
This article provides a short guide to setting up a DNSCrypt-Proxy server on Alpine Linux.
Also see dnscrypt.info. The source code is on github.com/jedisct1/dnscrypt-proxy.
Features
- DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3, and DNSCrypt.
- DNS query monitoring, with separate log files for regular and suspicious queries
- Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
- Time-based filtering, with a flexible weekly schedule
- Transparent redirection of specific domains to specific resolvers
- DNS caching, to reduce latency and improve privacy
and more...
Installation
Install the dnscrypt-proxy package:
apk add dnscrypt-proxy dnscrypt-proxy-openrc
Also see Alpine Linux package management.
Service commands
Enable the dnscrypt-proxy service so that it starts at boot:
rc-update add dnscrypt-proxy
List services to verify dnscrypt-proxy is enabled:
rc-status
Start the dnscrypt-proxy service immediately:
/etc/init.d/dnscrypt-proxy start
Also see Alpine Linux Init System.
Exposing the service on the local network
The main configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Any line starting with "#" will be ignored by dnscrypt-proxy. Replace
listen_addresses = ['127.0.0.1:53', '[::1]:53']
with
listen_addresses = [':53']
Then restart the service with
/etc/init.d/dnscrypt-proxy restart
Forwarding internal traffic to a local DNS server
The main configuration file is /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Any line starting with "#" will be ignored by dnscrypt-proxy. Remove the "#" from the beginning of this line
# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
Then copy the example file
cp /usr/share/dnscrypt-proxy/example-forwarding-rules.txt /etc/dnscrypt-proxy/forwarding-rules.txt
Then edit the file, and add a line for your local network. If your network is configured as ".home", and your home router is at 192.168.1.1 then add
home 192.168.1.1
Then restart the service with
/etc/init.d/dnscrypt-proxy restart
Creating a Family Friendly DNS Service
Some providers have their own adult content blocking filters. They don't all use the same system, so researching may be worthwhile. The list of providers can be found in the public-servers list. It might be unwise to select only one service in case it becomes unavailable. Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and make an adjustment like this in the Global Settings:
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
server_names = ['cleanbrowsing-family']
Then restart the service with
/etc/init.d/dnscrypt-proxy restart
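The three edits above (the ':53' listen address, the forwarding rules, and a single entry in server_names) can be checked after the fact with a small audit script. This is an added example, not part of the original page or of the dnscrypt-proxy project; the finding names and sample files are constructed for illustration, and a host reporting WILDCARD_LISTEN answers on every interface, so it should be reachable only from the local network.

```shell
#!/bin/sh
# Added example (not from the dnscrypt-proxy project): audit the settings
# this page edits. Finding names are made up for this example.

# Print the value of the first uncommented "key = value" line.
toml_value() {  # $1 = key, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Print one finding per line; print nothing when no check fires.
audit_config() {  # $1 = path to dnscrypt-proxy.toml
    listen=$(toml_value listen_addresses "$1")
    # ':53', '0.0.0.0:53' and '[::]:53' bind every interface on the host.
    if printf '%s\n' "$listen" | grep -Eq "'(0\.0\.0\.0|\[::\])?:[0-9]+'"; then
        echo "WILDCARD_LISTEN $listen"
    fi
    # A single resolver is a single point of failure, as the page notes.
    count=$(toml_value server_names "$1" | grep -o "'[^']*'" | wc -l)
    if [ "$count" -eq 1 ]; then
        echo "SINGLE_RESOLVER"
    fi
    if [ -z "$(toml_value forwarding_rules "$1")" ]; then
        echo "FORWARDING_DISABLED"
    fi
}

# Flag forwarding rules whose target field does not start with a private
# (RFC 1918) IPv4 prefix; queries for those zones leave the local network.
audit_rules() {  # $1 = path to forwarding-rules.txt
    awk '!/^[ \t]*(#|$)/ && $2 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
        print "NON_PRIVATE_TARGET " $1 " " $2 }' "$1"
}

# Constructed sample files matching the edits made on this page.
conf=$(mktemp) rules=$(mktemp)
cat > "$conf" <<'EOF'
listen_addresses = [':53']
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
server_names = ['cleanbrowsing-family']
forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'
EOF
printf '# local zone\nhome 192.168.1.1\nexample.test 203.0.113.7\n' > "$rules"
audit_config "$conf"
audit_rules "$rules"
rm -f "$conf" "$rules"
```

On a real system, pass /etc/dnscrypt-proxy/dnscrypt-proxy.toml and /etc/dnscrypt-proxy/forwarding-rules.txt to the two functions instead of the sample files.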