Setting Up DNSCrypt By OpenDNS On An Ubuntu 13.04 System

So I’ve just spent the time getting DNSCrypt working on my system. It was a bit of a pain but now that I got it done it shouldn’t be hard to recreate. I thought I’d write up a short guide explaining how to get it done.

Note that all double “-“s are turned into single ones. This is a WordPress issue. You’ll have to manually type them in, sorry.

Step 1: Setting Up A DNSCrypt User

sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false --group --disabled-password --disabled-login dnscrypt

That’s all one command. This is so that DNSCrypt can run as another user with no rights, and chroot itself into the directory.

Step 2: Install DNSCrypt

Find the right DNSCrypt version for you at this link:

You’re going to have to unzip it and compile it. Traverse to the folder you’ve just unzippzed and run the following commands:

  • ./configure
  • make
  • make install

I personally have to run “make install” twice. No clue why.

Step 3: Configure DNS

Change your DNS settings to in your network manager. Click the “wifi” area in the top right corner wifi and go to “edit connections”.  Select the network, and hit ‘Edit…’ then go to IPV4 Settings.

Make sure the Method is “Automatic (DHCP) Addresses Only” and set DNS Servers to

Step 4: Run DNSCrypt

Run the following command

dnscrypt-proxy --daemonize --user=dnscrypt

Step 5:

You can add the above command to /etc/rc.local so that it runs at bootup. You should also add the following command:

mkdir /run/dnscrypt

That way there’s a folder to move to.

That should be all it takes. Let me know how it works.


edit: You may need to install libsodium in newer versions, info here:

31 thoughts on “Setting Up DNSCrypt By OpenDNS On An Ubuntu 13.04 System

  1. –local-port has been deprecated. You can just use -a although 53 is already the default port. Also, –tcp-only is probably useless in most cases, since port 443 is used by default.

    So, well, your command-line should probably just be: exec /usr/sbin/dnscrypt-proxy -a –edns-payload-size=4096 –pidfile=/run/ –user=dnscrypt

  2. The Link to download the right DNSCrypt version, only shows “There aren’t any uploads for this repository”.
    Any ideas?

        • If you mean from their github (you didn’t link anything?) then it’ll possibly work, but I don’t know. I haven’t tried.

      • They don’t provide official .deb packages anymore so I’ve packaged DNSCrypt and set up a PPA by myself. Here is is:

        Your guide is invaluable, thank you so much for writing it! I’d have never made that package without it. The package already includes Upstart job with all the configs, I’ll see if I can integrate your AppArmor profile as well.

        • Nice work. I personally prefer to compile my own packages, as I tend to test them out a lot with various things changed, but I’m sure that PPA will be very helpful for many.

          When I compile the latest version it fails because there’s no, do you know if I just need to compile/ install that?

          • I’m having the same error. Even after compiling libsodium 0.4.5 dnscrypt displays:

            dnscrypt-proxy: error while loading shared libraries: cannot open shared object file: No such file or directory

            even though is in /usr/local/lib …

            I’ve tried the linked PPA but no luck there either.

            • OK it seems ‘sudo ldconfig’ solved the dependency problem. However when I run dnscrypt-proxy I get either

              [ERROR] Unable to bind (UDP) [Permission denied]


              [ERROR] Unable to bind (UDP) [Address already in use]

              • Sorry for spamming, but I finally figured it out. I had to disable dnsmasq (not needed now anyway) by editing /etc/NetworkManager/NetworkManager.conf -> #dns=dnsmasq

                then run: sudo restart network-manager

                Phew. And me thinking Linux would make my life easier. 😉

  3. Pingback: Apparmor Profile For DNSCrypt - InsanityBit

  4. After downloading the file, it’s not a bad idea to check its integrity.

    To do so, type:

    dig +short +dnssec TXT @

    (replace 1.3.2 with the version you downloaded)

    This displays the SHA256 digest of the file.

  5. Pingback: Hardening DNSCrypt - InsanityBit

  6. the parameter –user= did not work for me, any ideas or suggestions? I have to run it as root, I’m using version 1.3.1 on Ubuntu 12.04.


    • What error do you get? Run
      dnscrypt-proxy –user=dnscrypt

      And let me know the output. If you set up a user with another name use that.

    • Upsets the router how? That’s very odd. Perhaps you have DNS set on your router? Static IP shouldn’t be necessary.

  7. I was wondering why you have the home directory of dnscrypt in /run/dnscrypt and not /home/dnscrypt?

    The problem I seem to have is that the dnscrypt directory is removed on reboot so when I try and run dnscrypt-proxy I get an error because the directory doesn’t exist:

    [ERROR] Unable to chroot to [/run/dnscrypt]

  8. Pingback: 翻墙教程之DNSCrypt-proxy+unbound | codeplayer‘s blog

  9. Pingback: 翻墙教程之DNSCrypt+unbound | codeplayer‘s blog

  10. Pingback: Ubuntu 安装使用 DNSCrypt | slblog

  11. Hi,

    I installed DNSCrypt 1.4.1 on Ubuntu 14.04 using these instructions, but I changed the name server directly in the resolv.conf and /etc/resolvconf/resolv.conf.d/base files to I started DNSCrypt, but when I tried to use the web, Firefox couldn’t open any webpages.

Leave a Reply

Your email address will not be published. Required fields are marked *