2018-01-08 06:09:33 -08:00
<chapter xmlns= "http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-dnscrypt-proxy">
2018-09-29 17:51:11 -07:00
<title > DNSCrypt client proxy</title>
<para >
2019-09-18 13:13:35 -07:00
The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, mitigating the risk of MITM attacks, DNS poisoning attacks, and third-party snooping (assuming the upstream is trustworthy).
2018-09-29 17:51:11 -07:00
</para>
<sect1 xml:id= "sec-dnscrypt-proxy-configuration" >
<title > Basic configuration</title>
2018-01-08 06:09:33 -08:00
<para >
2018-09-29 17:51:11 -07:00
To enable the client proxy, set
<programlisting >
2018-04-05 01:43:56 -07:00
<xref linkend= "opt-services.dnscrypt-proxy.enable" /> = true;
2019-06-17 03:01:51 -07:00
</programlisting>
2018-01-08 06:09:33 -08:00
</para>
<para >
2019-09-18 13:13:35 -07:00
Enabling the client proxy does not alter the system nameserver; to relay local queries, prepend <literal > 127.0.0.1</literal> to <option > networking.nameservers</option> .
2018-01-08 06:09:33 -08:00
</para>
2018-09-29 17:51:11 -07:00
</sect1>
<sect1 xml:id= "sec-dnscrypt-proxy-forwarder" >
<title > As a forwarder for another DNS client</title>
2018-01-08 06:09:33 -08:00
<para >
2019-09-18 13:13:35 -07:00
To run the DNSCrypt proxy client as a forwarder for another DNS client, change the default proxy listening port to a non-standard value and point the other client to it:
2018-09-29 17:51:11 -07:00
<programlisting >
2018-04-05 01:43:56 -07:00
<xref linkend= "opt-services.dnscrypt-proxy.localPort" /> = 43;
2019-06-17 03:01:51 -07:00
</programlisting>
2018-01-08 06:09:33 -08:00
</para>
2018-09-29 17:51:11 -07:00
<sect2 xml:id= "sec-dnscrypt-proxy-forwarder-dsnmasq" >
<title > dnsmasq</title>
<para >
<programlisting >
2018-04-05 01:43:56 -07:00
{
<xref linkend= "opt-services.dnsmasq.enable" /> = true;
<xref linkend= "opt-services.dnsmasq.servers" /> = [ "127.0.0.1#43" ];
}
2019-06-17 03:01:51 -07:00
</programlisting>
2018-09-29 17:51:11 -07:00
</para>
2018-01-08 06:09:33 -08:00
</sect2>
2018-09-29 17:51:11 -07:00
<sect2 xml:id= "sec-dnscrypt-proxy-forwarder-unbound" >
<title > unbound</title>
<para >
<programlisting >
2018-04-05 01:43:56 -07:00
{
<xref linkend= "opt-services.unbound.enable" /> = true;
<xref linkend= "opt-services.unbound.forwardAddresses" /> = [ "127.0.0.1@43" ];
}
2019-06-17 03:01:51 -07:00
</programlisting>
2018-09-29 17:51:11 -07:00
</para>
2018-01-08 06:09:33 -08:00
</sect2>
2018-09-29 17:51:11 -07:00
</sect1>
2018-01-08 06:09:33 -08:00
</chapter>
