To keep your ISP from eavesdropping on the websites you visit and the other URLs you reach, using a privacy-friendly DNS server is a necessity.
dnscrypt-proxy supports encrypting your DNS requests over HTTPS and makes use of the DNSCrypt protocol.
Here is a small guide to set this up alongside NetworkManager.
In its default config, NetworkManager overwrites
In order to stop this behaviour, create a configuration file under
> sudo systemctl restart NetworkManager.service
/etc/resolv.conf is now a dead symlink.
Remove the file and create a new one with nameserver entries pointing to localhost.
> sudo rm /etc/resolv.conf
> sudoedit /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen
Make sure no other service makes use of port 53 by running
> ss -lp 'sport = :domain'
If the command outputs more than one line (the first, starting with
Netid, is the header), a process is already using port 53 (common ones are
dnscrypt-proxy will choose the fastest resolver from the servers listed in
Optionally, you can set up specific resolvers.
For an up-to-date list of servers, see the upstream page.
Enable and start the
> sudo systemctl start dnscrypt-proxy.service
> sudo systemctl enable dnscrypt-proxy.service
Test your config
NetworkManager still shows the DNS server reported by your router:
> nmcli dev show | grep IP4.DNS
nslookup should show localhost on port 53 as the resolver:
> nslookup valcarce.fr
Server:     ::1
Address:    ::1#53

Non-authoritative answer:
Name:       valcarce.fr
Address:    188.8.131.52
Name:       valcarce.fr
Address:    2001:bc8:1824:e4e::1
Finally, you can test your DNS for leaks via websites such as dnsleaktest.com or mullvad.net.
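As an added example (not part of the original guide), the shell script below turns two of the checks above into small functions: one verifies that every nameserver in a resolv.conf-style file is a loopback address, the other lists the process names that `ss -lp 'sport = :domain'` reports on port 53. The sample resolv.conf contents and ss output are constructed inline so it runs offline; on a real host you would point the functions at /etc/resolv.conf and at the saved output of the ss command.

```shell
#!/bin/sh
# Added example, not code from the original guide. Sample inputs are constructed
# below; on a real host use /etc/resolv.conf and: ss -lp 'sport = :domain' > file

# Succeed only if FILE has at least one nameserver line and every one of them is a
# loopback address, i.e. all lookups really go through the local dnscrypt-proxy.
resolv_only_loopback() {
    total=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1")
    bad=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1")
    [ "$total" -gt 0 ] && [ -z "$bad" ]
}

# Print, one per line, the process names that `ss -lp` reports on port 53, so any
# listener other than dnscrypt-proxy is easy to spot. Parses the users:(("name",...)) column.
port53_holders() {
    grep -o 'users:(("[^"]*"' "$1" | sed 's/users:(("//; s/"$//' | sort -u
}

# --- constructed sample inputs ---
TMP=$(mktemp -d)
GOOD_RESOLV="$TMP/resolv.good"; BAD_RESOLV="$TMP/resolv.bad"
SS_OK="$TMP/ss.ok"; SS_CONFLICT="$TMP/ss.conflict"

printf 'nameserver ::1\nnameserver 127.0.0.1\noptions edns0 single-request-reopen\n' > "$GOOD_RESOLV"
# a resolv.conf still carrying the router's resolver (192.0.2.1 is a documentation address)
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.1\n' > "$BAD_RESOLV"

printf '%s\n' \
  'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
  'udp   UNCONN 0      0      127.0.0.1:domain   0.0.0.0:*         users:(("dnscrypt-proxy",pid=4242,fd=8))' \
  'tcp   LISTEN 0      4096   127.0.0.1:domain   0.0.0.0:*         users:(("dnscrypt-proxy",pid=4242,fd=9))' \
  > "$SS_OK"
# same output plus a second, hypothetical daemon also holding the port
{ cat "$SS_OK"; printf '%s\n' \
  'udp   UNCONN 0      0      0.0.0.0:domain     0.0.0.0:*         users:(("other-dns-daemon",pid=777,fd=5))'; } > "$SS_CONFLICT"

if resolv_only_loopback "$GOOD_RESOLV"; then echo "resolv.conf: loopback only"; fi
if ! resolv_only_loopback "$BAD_RESOLV"; then echo "resolv.conf: non-loopback nameserver present"; fi
echo "port 53 listeners: $(port53_holders "$SS_CONFLICT" | tr '\n' ' ')"
```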
Notice for Firefox users: by default (in the US) Firefox uses DNS-over-HTTPS (DoH) and sends all your DNS requests to Cloudflare. To prevent this, open Firefox Preferences, search for Network Settings, click on Settings... and disable Enable DNS over HTTPS.