DNSCrypt client proxy
The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled
upstream resolver. The traffic between the client and the upstream
resolver is encrypted and authenticated, mitigating the risk of MITM
attacks, DNS poisoning attacks, and third-party snooping (assuming the
upstream is trustworthy).
Basic configuration
To enable the client proxy, set
services.dnscrypt-proxy.enable = true;
Enabling the client proxy does not alter the system nameserver; to
relay local queries, prepend 127.0.0.1 to
.
As a forwarder for a caching DNS client
By default, DNSCrypt proxy acts as a transparent proxy for the
system stub resolver. Because the client does not cache lookups, this
setup can significantly slow down e.g., web browsing. The recommended
configuration is to run DNSCrypt proxy as a forwarder for a caching DNS
client. To achieve this, change the default proxy listening port to
a non-standard value and point the caching client to it:
services.dnscrypt-proxy.localPort = 43;
dnsmasq
{
services.dnsmasq.enable = true;
services.dnsmasq.servers = [ "127.0.0.1#43" ];
}
unbound
{
networking.nameservers = [ "127.0.0.1" ];
services.unbound.enable = true;
services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
services.unbound.extraConfig = ''
do-not-query-localhost: no
'';
}