# DNSCrypt-proxy — Encrypted DNS Proxy with DoH, DoT and DNSCrypt

> DNSCrypt-proxy is a flexible DNS proxy that encrypts and authenticates DNS traffic using DNS-over-HTTPS, DNS-over-TLS, DNSCrypt, and Anonymized DNS. It runs on any platform and protects against DNS spoofing and surveillance.

## Quick Use

```bash
# Download the latest release binary for your platform.
# Asset names embed the version and curl does not expand wildcards in URLs,
# so look up the latest release tag first.
VERSION=$(curl -fsSL https://api.github.com/repos/DNSCrypt/dnscrypt-proxy/releases/latest \
  | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')
curl -fLO "https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/${VERSION}/dnscrypt-proxy-linux_x86_64-${VERSION}.tar.gz"
tar xzf "dnscrypt-proxy-linux_x86_64-${VERSION}.tar.gz"
cd linux-x86_64
# Start from the example configuration
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
# Register and start the system service (needs root privileges)
./dnscrypt-proxy -service install && ./dnscrypt-proxy -service start
```

## Introduction

DNSCrypt-proxy sits between your applications and DNS resolvers, encrypting every query so ISPs and network observers cannot see or tamper with your DNS traffic. It is a single static binary with no external dependencies.

## What DNSCrypt-proxy Does

- Encrypts DNS queries using DNSCrypt v2, DNS-over-HTTPS (DoH), or DNS-over-TLS (DoT)
- Supports Anonymized DNS relays that separate your IP address from your queries
- Filters responses using blocklists, allowlists, and cloaking rules for ad and tracker blocking
- Caches responses locally to reduce latency for repeated lookups
- Automatically selects the fastest resolver from a curated public server list

## Architecture Overview

DNSCrypt-proxy listens on a local UDP/TCP port (typically 53 or 5353), receives plain DNS queries, encrypts them, and forwards them to upstream resolvers. It maintains a local cache and applies filtering rules before returning responses. The server list is fetched and verified using built-in signature checking to prevent tampering.
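
The listener, upstream selection, cache and filtering described above map onto a handful of settings in `dnscrypt-proxy.toml`. The fragment below is an added example, not part of the original page or the project's shipped configuration; key names are assumed to match the 2.x `example-dnscrypt-proxy.toml`, and the resolver and relay names are placeholders to replace with entries from the public server list.

```toml
# Excerpt of dnscrypt-proxy.toml (added example; edit the copy made from
# example-dnscrypt-proxy.toml and leave its [sources] section untouched so the
# signed server list keeps being verified).

# Bind to loopback only, so the proxy is not an open resolver for the network.
listen_addresses = ['127.0.0.1:53', '[::1]:53']

# Placeholder names: pick real entries from the public server list.
server_names = ['example-dnscrypt-server-1', 'example-dnscrypt-server-2']

# Which upstream protocols may be selected.
dnscrypt_servers = true
doh_servers = true

# Only accept resolvers that declare DNSSEC validation, no logging, no filtering.
require_dnssec = true
require_nolog = true
require_nofilter = true

# Local response cache for repeated lookups.
cache = true

# Send internal zones to an internal resolver instead of the public upstream.
forwarding_rules = 'forwarding-rules.txt'

# Static answers for chosen names (for example local development hosts).
cloaking_rules = 'cloaking-rules.txt'

[query_log]
  # Audit trail of queries; it records every name looked up, so protect the file.
  file = 'query.log'

[blocked_names]
  # Plain text, one domain or pattern per line.
  blocked_names_file = 'blocked-names.txt'

[allowed_names]
  # Entries here override matches in the blocklist.
  allowed_names_file = 'allowed-names.txt'

[anonymized_dns]
  # Relay routing applies to DNSCrypt servers. Relay names are placeholders.
  routes = [
    { server_name = 'example-dnscrypt-server-1', via = ['example-relay-1', 'example-relay-2'] }
  ]
  # Drop servers that cannot be relayed instead of contacting them directly,
  # which would expose the client IP address to the resolver.
  skip_incompatible = true
```

Running `./dnscrypt-proxy -check` after editing validates the file before the service is restarted.
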
## Self-Hosting & Configuration

- Single static binary for Linux, macOS, Windows, FreeBSD, and ARM devices
- Configuration via a single TOML file (`dnscrypt-proxy.toml`)
- Install as a system service with `./dnscrypt-proxy -service install`
- Blocklists and allowlists are plain text files with one domain per line
- Supports forwarding specific domains to internal DNS servers via the forwarding plugin

## Key Features

- Protocol diversity: DNSCrypt, DoH, DoT, and Anonymized DNS in one tool
- Built-in server health checking with automatic failover to the fastest resolver
- IP blocking and pattern-based domain filtering without external dependencies
- Cloaking file for custom DNS responses (useful for local development)
- Time-based access restrictions and query logging for auditing

## Comparison with Similar Tools

- **Pi-hole** — network-wide ad blocker using DNS; DNSCrypt-proxy adds encryption but is not a full ad-blocking dashboard
- **Unbound** — validating recursive resolver; DNSCrypt-proxy is a forwarding proxy that adds encryption on top
- **CoreDNS** — pluggable DNS server for infrastructure; DNSCrypt-proxy targets end-user privacy
- **Stubby** — DNS-over-TLS stub resolver; DNSCrypt-proxy supports more protocols and filtering
- **AdGuard Home** — DNS filtering with a web UI; DNSCrypt-proxy is lighter and config-file driven

## FAQ

**Q: Can DNSCrypt-proxy replace Pi-hole?**
A: It can block domains via blocklists, but it lacks Pi-hole's web dashboard and statistics. Many users run both together: Pi-hole for filtering UI and DNSCrypt-proxy for upstream encryption.

**Q: Does it work on a Raspberry Pi?**
A: Yes. ARM binaries are provided and it runs well on minimal hardware.

**Q: What is Anonymized DNS?**
A: A protocol where your query is routed through a relay server so the resolver never sees your IP address, adding a layer of privacy beyond encryption.

**Q: Does DNSCrypt-proxy slow down DNS lookups?**
A: Initial lookups may add a few milliseconds for encryption. The built-in cache eliminates this overhead for repeated queries, often making it faster than unencrypted DNS.

## Sources

- https://github.com/DNSCrypt/dnscrypt-proxy
- https://dnscrypt.info

---

Source: https://tokrepo.com/en/workflows/asset-660dfb70
Author: AI Open Source