Configs · May 27, 2026 · 1 min read

DNSCrypt-proxy — Encrypted DNS Proxy with DoH, DoT and DNSCrypt

DNSCrypt-proxy is a flexible DNS proxy that encrypts and authenticates DNS traffic using DNS-over-HTTPS, DNS-over-TLS, DNSCrypt, and Anonymized DNS. It runs on any platform and protects against DNS spoofing and surveillance.

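Agent ready

Review before installing

This asset needs to be reviewed first. The copied instructions ask the agent to do a dry run, list the items it will write, and continue only after confirmation.

Needs Confirmation · 64/100 · Policy: needs confirmation

  • Agent entry point: any MCP/CLI agent
  • Type: Skill
  • Install: Single
  • Trust level: Established
  • Entry: DNSCrypt-proxy Overview

Review the command first:

npx -y tokrepo@latest install 660dfb70-5983-11f1-9bc6-00163e2b0d79 --target codex

Do a dry run first, and run this command only after confirming the items it will write.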

Introduction

DNSCrypt-proxy sits between your applications and DNS resolvers, encrypting every query so ISPs and network observers cannot see or tamper with your DNS traffic. It is a single static binary with no external dependencies.

What DNSCrypt-proxy Does

  • Encrypts DNS queries using DNSCrypt v2, DNS-over-HTTPS (DoH), or DNS-over-TLS (DoT)
  • Supports Anonymized DNS relays that separate your IP address from your queries
  • Filters responses using blocklists, allowlists, and cloaking rules for ad and tracker blocking
  • Caches responses locally to reduce latency for repeated lookups
  • Automatically selects the fastest resolver from a curated public server list

Architecture Overview

DNSCrypt-proxy listens on a local UDP/TCP port (typically 53 or 5353), receives plain DNS queries, encrypts them, and forwards them to upstream resolvers. It maintains a local cache and applies filtering rules before returning responses. The server list is fetched and verified using built-in signature checking to prevent tampering.

Self-Hosting & Configuration

  • Single static binary for Linux, macOS, Windows, FreeBSD, and ARM devices
  • Configuration via a single TOML file (dnscrypt-proxy.toml)
  • Install as a system service with ./dnscrypt-proxy -service install
  • Blocklists and allowlists are plain text files with one domain per line
  • Supports forwarding specific domains to internal DNS servers via the forwarding plugin

Key Features

  • Protocol diversity: DNSCrypt, DoH, DoT, and Anonymized DNS in one tool
  • Built-in server health checking with automatic failover to the fastest resolver
  • IP blocking and pattern-based domain filtering without external dependencies
  • Cloaking file for custom DNS responses (useful for local development)
  • Time-based access restrictions and query logging for auditing

Comparison with Similar Tools

  • Pi-hole — network-wide ad blocker using DNS; DNSCrypt-proxy adds encryption but is not a full ad-blocking dashboard
  • Unbound — validating recursive resolver; DNSCrypt-proxy is a forwarding proxy that adds encryption on top
  • CoreDNS — pluggable DNS server for infrastructure; DNSCrypt-proxy targets end-user privacy
  • Stubby — DNS-over-TLS stub resolver; DNSCrypt-proxy supports more protocols and filtering
  • AdGuard Home — DNS filtering with a web UI; DNSCrypt-proxy is lighter and config-file driven

FAQ

Q: Can DNSCrypt-proxy replace Pi-hole?
A: It can block domains via blocklists, but it lacks Pi-hole's web dashboard and statistics. Many users run both together: Pi-hole for filtering UI and DNSCrypt-proxy for upstream encryption.

Q: Does it work on a Raspberry Pi?
A: Yes. ARM binaries are provided and it runs well on minimal hardware.

Q: What is Anonymized DNS?
A: A protocol where your query is routed through a relay server so the resolver never sees your IP address, adding a layer of privacy beyond encryption.

Q: Does DNSCrypt-proxy slow down DNS lookups?
A: Initial lookups may add a few milliseconds for encryption. The built-in cache eliminates this overhead for repeated queries, often making it faster than unencrypted DNS.
