DNSCrypt client proxy The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, mitigating the risk of MITM attacks, DNS poisoning attacks, and third-party snooping (assuming the upstream is trustworthy). Basic configuration To enable the client proxy, set services.dnscrypt-proxy.enable = true; Enabling the client proxy does not alter the system nameserver; to relay local queries, prepend 127.0.0.1 to . As a forwarder for a caching DNS client By default, DNSCrypt proxy acts as a transparent proxy for the system stub resolver. Because the client does not cache lookups, this setup can significantly slow down e.g., web browsing. The recommended configuration is to run DNSCrypt proxy as a forwarder for a caching DNS client. To achieve this, change the default proxy listening port to a non-standard value and point the caching client to it: services.dnscrypt-proxy.localPort = 43; dnsmasq { services.dnsmasq.enable = true; services.dnsmasq.servers = [ "127.0.0.1#43" ]; } unbound { networking.nameservers = [ "127.0.0.1" ]; services.unbound.enable = true; services.unbound.forwardAddresses = [ "127.0.0.1@43" ]; services.unbound.extraConfig = '' do-not-query-localhost: no ''; }