
Dnscrypt-proxy 2 – A flexible DNS proxy with support for encrypted DNS protocols - known
https://github.com/DNSCrypt/dnscrypt-proxy
======
qwertox
This post came at a right time for me. I already run a custom DNS server on
premises and setting up dnscrypt-proxy took less than 5 minutes. It's good to
see how encrypted DNS has evolved in the last year or so.

It was actually the post "Big ISPs aren’t happy about Google’s plans for
encrypted DNS" [1] which made me think that I will tackle this issue now, even
though I was already thinking about this for months.

[1]
[https://news.ycombinator.com/item?id=21124900](https://news.ycombinator.com/item?id=21124900)

------
jedisct1
And to run your own encrypted DNS server:
[https://github.com/jedisct1/encrypted-dns-server](https://github.com/jedisct1/encrypted-dns-server)

------
snvzz
I'm a (former) user. It's bloated. Extremely bloated.

Fortunately, openbsd added DoH support to their recursive resolver, allowing
me to get rid of dnscrypt-proxy.

~~~
iforgotpassword
Can you elaborate a bit? I'm not really a fan of go, but not all go projects
are automatically bad. Is it slow, a memory hog, ...?

~~~
snvzz
>slow or memory hog.

Both. It'll easily use several hundred mb of ram and, if you use its cache
feature (enabled by default) and hit the cache while measuring the latency,
you'll see it takes about 10x the time to respond compared to pdnsd's cache.

Therefore, when I used it, I put pdnsd in front.

~~~
snvzz
Forgot: Also very high CPU usage. Hundreds of hours after a few weeks.

------
mosselman
I use this as a local dns resolver in combination with a blacklist and a
whitelist to do DNS-level ad/tracker blocking. Works pretty well.

I see people here are using some DNS switchers in macos, but you can also
configure an extra 'location' in your networking configuration. My default
location uses the dnscrypt-proxy server I run locally and another uses
CloudFlare, for the rare occasions where things break. I haven't had anything
break really, but sometimes you want to test certain things and it is useful
to be able to switch quickly.

~~~
dngray
I have mine configured on my router:

[https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...](https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#Unbound_DNS_forwarder_with_dnscrypt)

My DHCP server hands out the router's IP as a DNS server, then that DNS server
forwards through the VPN to my VPN provider's DNS server, or to my DNSCrypt
servers.

The good thing about it is it works on every host no matter what platform,
configuration, application without any installed software.

When I am out and about I just use a VPN on my phone and use the accepted DNS
server pushed to me (which is an internal one to my VPN provider).

~~~
mosselman
Cool. I am still looking into setting up a Pi-hole in order to block things on
all devices. I haven't had the time though.

------
nominated1
I looked into this but Go on a little OpenWrt router seemed… silly.

If you’re interested in something lightweight for OpenWrt give this a try:

[https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy](https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy)

~~~
rmilejczz
>I looked into this but Go on a little OpenWrt router seemed… silly.

Why? Go compiles to distributable binaries; Go binaries do not depend on Go to
run. You wouldn’t need to actually install Go on the router.

~~~
nominated1
From their own documentation [1]

> The dnscrypt-proxy file is quite large, but can be compressed for a massive
> reduction of its size, from ~12 Mb down to ~2 Mb.

Routers typically have 8-16 Mb of storage. Even 2 Mb is a bit much but even if
the size doesn’t bother you the memory usage is still relatively extreme when
compared to the link I shared.

[1] [https://github.com/dnscrypt/dnscrypt-proxy/wiki/Installation-on-OpenWRT](https://github.com/dnscrypt/dnscrypt-proxy/wiki/Installation-on-OpenWRT)

~~~
rmilejczz
Sure, that’s fair, not really specific to Go though.

~~~
detaro
Go specifically makes a bunch of choices that lead to (somewhat, it's by no
means extreme) larger executables. Which is fine, but means it's not the best
choice for the specific usecase of targeting tiny devices.

------
agumonkey
I wanted to setup a local dns (pdnsd) with dnscrypt but I lack knowledge on
how to be sure everything is coupled the way it should.

~~~
jedisct1
You can add DNSCrypt support to pdnsd, simply by installing
[https://github.com/jedisct1/encrypted-dns-server](https://github.com/jedisct1/encrypted-dns-server) - In
`upstream_addr`, instead of `9.9.9.9:53`, just put the IP and port of your
pdnsd server.

------
js2
I run [https://github.com/m13253/dns-over-https](https://github.com/m13253/dns-over-https) on my EdgeOS based router. It
was trivial to cross-compile the doh-client binary. I have doh-client listen
on localhost:5353, then I point dnsmasq at doh-client. Works great, and gives
me the full flexibility and caching of dnsmasq. E.g., there are a few domains
that I don't send over doh.
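A dnsmasq configuration matching the split-forwarding setup described above, added here as an illustration and not taken from the commenter's router. The `home.arpa` zone, the `192.168.1.1` upstream and the `lan` local zone are constructed placeholders; the doh-client address is the one the comment gives.

```conf
# Added example: dnsmasq in front of a local doh-client on 127.0.0.1:5353,
# with a few zones deliberately kept off DoH. Not the poster's own config.

# Ignore /etc/resolv.conf so no query accidentally leaks to the ISP resolver.
no-resolv

# Default upstream: the local doh-client (port is given after '#').
server=127.0.0.1#5353

# Exception: this zone is resolved by a plain upstream instead of DoH.
# 'home.arpa' and 192.168.1.1 are constructed placeholders.
server=/home.arpa/192.168.1.1

# Names under this zone are answered locally and never forwarded at all.
local=/lan/

# Only forward fully qualified names; answer reverse lookups for private
# ranges locally so they never reach the public resolver.
domain-needed
bogus-priv

# Cache answers so repeated lookups skip the DoH round trip entirely.
cache-size=1000
```

Check the routing with `dig @127.0.0.1 host.lan` versus a public name while watching doh-client's log: only the second should produce an upstream request.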

------
GrryDucape
Is it just me or has this DNSCrypt project been doing things without any prior
announcement?

Last month or so, the main GitHub repo for DNSCrypt randomly got deleted. It
wasn't until several days later that the author posted a tweet saying he/she is
not supporting it anymore.

Now it has seemingly been resurrected... after I have already configured my
server to use a new project called getdns (and stubby).

~~~
megous
Stubby is kind of limited. It has no cache, and I can't find a way to avoid
resolving a list of my own domains via a specified resolver, so it's not that
great for privacy.

~~~
megous
Though I like the getdns C API, I'll probably use it in one of my projects.

