Hardened Anonymized DNSCrypt Proxy
A military-grade DNS proxy implementation featuring cryptographic authentication channels and traffic anonymization layers. This project hardens the upstream DNSCrypt-Proxy with pre-configured security parameters optimized for maximum privacy and minimal attack surface.
Implements modern encrypted DNS protocols:
| Protocol | Specification | Status |
|---|---|---|
| DNSCrypt v2 | dnscrypt.info/protocol | ✅ Enabled |
| DNS-over-HTTPS | RFC 8484 | ❌ Disabled |
| Anonymized DNSCrypt | ANONYMIZED-DNSCRYPT.txt | ✅ Enabled |
| ODoH | Oblivious DoH | ❌ Disabled |
```text
┌─────────────────────────────────────────────────────────────────────────────────┐
│                                 YOUR LOCALHOST                                  │
│                                  127.0.0.1:53                                   │
└─────────────────────────────────────────────────────────────────────────────────┘
                                         │
                                         ▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│                              DNSCrypt-Proxy Daemon                              │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────────────────────┐  │
│  │ Ephemeral Keys  │  │ DNSSEC Validate │  │ Blocklist/Allowlist Filtering   │  │
│  │ (Per-Query Gen) │  │ (Cryptographic) │  │ (Pattern Matching Engine)       │  │
│  └─────────────────┘  └─────────────────┘  └─────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────────┘
                                         │
                             ┌───────────┴───────────┐
                             ▼                       ▼
                  ┌─────────────────────┐ ┌─────────────────────┐
                  │    RELAY NODE #1    │ │    RELAY NODE #2    │
                  │   (Anonymization)   │ │   (Anonymization)   │
                  │  ┌───────────────┐  │ │  ┌───────────────┐  │
                  │  │ No Logs Policy│  │ │  │ No Logs Policy│  │
                  │  │    TCP/443    │  │ │  │    TCP/443    │  │
                  │  └───────────────┘  │ │  └───────────────┘  │
                  └─────────────────────┘ └─────────────────────┘
                             │                       │
                             └───────────┬───────────┘
                                         ▼
                  ┌─────────────────────────────────────────────┐
                  │              DNSCrypt RESOLVER              │
                  │   ┌─────────────────────────────────────┐   │
                  │   │ • X25519-XSalsa20Poly1305 Encryption│   │
                  │   │ • DNSSEC Validation                 │   │
                  │   │ • No Client IP Visibility           │   │
                  │   └─────────────────────────────────────┘   │
                  └─────────────────────────────────────────────┘
```
📖 For comprehensive feature documentation, consult the OFFICIAL DOCUMENTATION
📦 All binaries sourced from OFFICIAL RELEASES (GPG verified)
Manual configuration of DNSCrypt-Proxy on Linux involves significant overhead and potential for misconfiguration. This project delivers a turnkey, security-hardened solution with optimized defaults—because privacy shouldn't require a PhD in cryptography.
| Distribution | Init System | Network Manager | Status |
|---|---|---|---|
| | SystemD | NetworkManager | ✅ Supported |
| Arch-based Derivatives | SystemD | NetworkManager | ✅ Supported |
| Parameter | Default | Hardened | Rationale |
|---|---|---|---|
| `doh_servers` | `true` | `false` | DoH traffic pattern analysis mitigation; DNSCrypt provides superior anonymization |
| `require_dnssec` | `false` | `true` | Cryptographic validation of DNS responses (RFC 4033-4035) |
| `force_tcp` | `false` | `true` | Mitigates mobile carrier UDP fragmentation issues with anonymized routes (ref) |
| `dnscrypt_ephemeral_keys` | `false` | `true` | X25519 keypair regeneration per-query; prevents temporal correlation attacks |
| `block_ipv6` | `false` | `true` | Null response to AAAA queries; prevents IPv6 leak vectors |
| Parameter | Value | Description |
|---|---|---|
| `blocked_query_response` | `'refused'` | Returns REFUSED RCODE for blocked domains (RFC 8914 compliant) |
| Parameter | Value | Service |
|---|---|---|
| `bootstrap_resolvers` | `['9.9.9.9:53']` | Quad9 - Threat-blocking, DNSSEC-validating resolver |
| `netprobe_address` | `'9.9.9.9:53'` | Network connectivity probe endpoint |
| Parameter | Value | Security Implication |
|---|---|---|
| `anonymized_dns` | enabled | Traffic routed through relay nodes; resolver sees relay IP, not client IP |
| `routes` | 2 relays/resolver | Redundant anonymization paths per upstream |
| `skip_incompatible` | `true` | Silently bypass resolvers lacking anonymization support |
| `direct_cert_fallback` | `false` | Never fall back to a direct connection on cert retrieval failure |
Resolver list (20 nodes across 12 countries):

| Resolver | Country | Region |
|---|---|---|
| `ams-dnscrypt-nl` | 🇳🇱 NLD | Europe |
| `d0wn-tz-ns1` | 🇹🇿 TZA | Africa |
| `dct-nl` | 🇳🇱 NLD | Europe |
| `dct-ru` | 🇷🇺 RUS | Europe |
| `dnscrypt.be` | 🇧🇪 BEL | Europe |
| `dnscrypt.pl` | 🇵🇱 POL | Europe |
| `dnscrypt.uk-ipv4` | 🇬🇧 GBR | Europe |
| `dnswarden-uncensor-dc-swiss` | 🇨🇭 CHE | Europe |
| `meganerd` | 🇳🇱 NLD | Europe |
| `openinternet` | 🇺🇸 USA | North America |
| `plan9dns-fl` | 🇺🇸 USA | North America |
| `plan9dns-mx` | 🇲🇽 MEX | North America |
| `plan9dns-nj` | 🇺🇸 USA | North America |
| `pryv8boi` | 🇩🇪 DEU | Europe |
| `sby-limotelu` | 🇮🇩 IDN | Asia |
| `scaleway-ams` | 🇳🇱 NLD | Europe |
| `scaleway-fr` | 🇫🇷 FRA | Europe |
| `serbica` | 🇳🇱 NLD | Europe |
| `techsaviours.org-dnscrypt` | 🇩🇪 DEU | Europe |
| `v.dnscrypt.uk-ipv4` | 🇬🇧 GBR | Europe |
```bash
# Clone the repository
git clone https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy
# Navigate to project root
cd Hardened-Anonymized-DNSCrypt-Proxy
# Build package (-C clean build dir, -c clean up afterwards, -r remove build deps, -f force, -s sync deps)
makepkg -Ccrfs --noconfirm
# Deploy to system
sudo pacman -U *.zst
```

```bash
# Purge package + dependencies + configs (recursive, nosave, cascade, unneeded)
sudo pacman -Rcnsu Hardened-Anonymized-DNSCrypt-Proxy
```

```text
/etc/dnscrypt-proxy/dnscrypt-proxy.toml
```

```bash
# Check service status
systemctl status dnscrypt-proxy
# Restart after config changes
sudo systemctl restart dnscrypt-proxy
# View real-time logs
journalctl -fu dnscrypt-proxy
```

📚 Advanced Configuration: Consult the Official Wiki
The integrated filtering engine provides granular control over DNS resolution:
| Filter Type | Function | Use Case |
|---|---|---|
| Blocklists | Pattern-based domain blocking | Ads, trackers, malware, telemetry |
| Allowlists | Whitelist override | False positive mitigation |
| IP Blocklists | Response IP filtering | Malicious IP blocking |
| Cloaking | Custom A/AAAA responses | Local DNS overrides |
📖 Documentation: DNSCrypt-Proxy Filters Wiki
| Tool | URL | Tests |
|---|---|---|
| dnscheck.tools | dnscheck.tools | Leak detection, DNSSEC validation, resolver identification |
```bash
# Verify listening socket
ss -tulnp | grep 53
# Test DNSSEC validation
dig +dnssec cloudflare.com
# Query via dnscrypt-proxy
dig @127.0.0.1 example.com
# Check resolver being used
dig +short txt whoami.ds.akahelp.net
```

```text
┌────────────────────────────────────────────────────────────────┐
│                     THREAT MODEL COVERAGE                      │
├────────────────────────────────────────────────────────────────┤
│  ✅ DNS Query Encryption          (X25519-XSalsa20Poly1305)    │
│  ✅ DNS Response Authentication   (DNSSEC / Ed25519)           │
│  ✅ Traffic Analysis Mitigation   (Anonymized DNS Routes)      │
│  ✅ Temporal Correlation Defense  (Ephemeral Keys)             │
│  ✅ IPv6 Leak Prevention          (AAAA Query Blocking)        │
│  ✅ Resolver Logging Mitigation   (No-Log Policy Resolvers)    │
└────────────────────────────────────────────────────────────────┘
```
| Frank Denis | All Contributors |
|---|---|
| DNSCrypt Creator | DNSCrypt-Proxy Team |
