Ade Malsasa Akbar
Senior author, Open Source enthusiast.
Monday, November 27, 2017 at 12:33

Installing dnscrypt-proxy v1.9.5 on Ubuntu 17.10 is no longer as easy as it used to be. You don't get automatic settings out of the box; instead, you must do a little manual configuration. This is difficult for newcomers without a step-by-step guide. Don't worry! This article explains 6 steps for beginners to install and configure dnscrypt-proxy, with pictures. You also get a shell script at the end of this tutorial so you can repeat the steps quickly later. Enjoy!

What You Will Do

REMEMBER: follow this tutorial at your own risk.
You will replace Ubuntu's original DNS resolver service (systemd-resolved.service) with DNSCrypt and change the IP address of your DNSCrypt into (that is, your computer/localhost). To do that, you need to:
  • change the .socket file of systemd,
  • reload the daemon configs,
  • change the DNSCrypt resolver to 'cisco',
  • restart the DNSCrypt service,
  • and disable the system's default DNS resolver.
Why? Because (in the simplest sense) all applications will ask the DNS resolver at

The final result is that DNSCrypt Proxy runs as the default DNS resolver in your Ubuntu system (e.g. it starts at every boot).

1. Install DNSCrypt

The first step is, of course, installing the program:
$ sudo apt-get install dnscrypt-proxy

2. Change Resolver to 'cisco'

The second step is changing the default DNS resolver to 'cisco'. This is so that the test later shows the message "dnscrypt enabled".
$ sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Change the text 'ResolverName fvz-anyone' to 'ResolverName cisco'.
Save by pressing Ctrl+O, then pressing Enter.

3. Change DNSCrypt Local IP

Third step is changing into at dnscrypt-proxy.socket:
$ grep '127' /lib/systemd/system/dnscrypt-proxy.socket
$ sudo sed -i 's/' /lib/systemd/system/dnscrypt-proxy.socket
$ grep '127' /lib/systemd/system/dnscrypt-proxy.socket

4. Reload Daemon for DNSCrypt Configuration

This is simple but crucial; you must do it:
$ sudo systemctl daemon-reload

5. Restart DNSCrypt Service

The fifth step is restarting the dnscrypt-proxy service once after changing the configuration:
$ sudo systemctl stop dnscrypt-proxy.socket
$ sudo systemctl start dnscrypt-proxy

6. Disable Default System's DNS Service

Edited 28 November 2017: adding rm resolv.conf

The sixth step is permanently turning off the default systemd-resolved DNS service so your system uses only dnscrypt-proxy:
$ sudo systemctl disable systemd-resolved.service
$ sudo systemctl stop systemd-resolved.service
$ sudo rm -v /etc/resolv.conf

Test If DNSCrypt Is Working

The sixth step above is the final configuration. Now you should test (online) that dnscrypt-proxy is working properly in your Ubuntu system. Basically, you just need the 'dig' command below, but I added more commands to make the test clearer.

$ dig txt
That command should say "dnscrypt enabled".

$ nslookup -type=txt
That command should say the same thing as the dig command.

$ sudo lsof -i -n
That command should inform you that dnscrypt exists and lives at
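
An offline complement to the online tests above, added here as an example and not the tutorial's own Quick Script: it checks that the edits from steps 2 and 3 actually landed in both files, since sed -i exits successfully even when its pattern matches nothing. The function names and the sample addresses are assumptions constructed for the illustration; the expected resolver and address are passed as arguments.

```shell
#!/bin/sh
# Added example: offline check of the two files edited in steps 2 and 3.

# Print the active ResolverName (commented-out lines are ignored).
resolver_name() {
    awk '$1 == "ResolverName" { n = $2 } END { if (n != "") print n }' "$1"
}

# Print the address part of every ListenStream=/ListenDatagram= line.
listen_addrs() {
    sed -n -e 's/^ListenStream=\(.*\):[0-9][0-9]*$/\1/p' \
           -e 's/^ListenDatagram=\(.*\):[0-9][0-9]*$/\1/p' "$1"
}

# Usage: check_dnscrypt_files CONF SOCKET_UNIT RESOLVER ADDRESS
# Returns 0 only if the resolver matches and every listen address is ADDRESS.
check_dnscrypt_files() {
    rc=0
    got=$(resolver_name "$1")
    if [ "$got" = "$3" ]; then
        echo "ok: ResolverName is $got"
    else
        echo "FAIL: ResolverName is '${got:-unset}', expected '$3'"; rc=1
    fi
    addrs=$(listen_addrs "$2")
    # Addresses that differ from the expected one (empty when all match).
    stale=$(printf '%s\n' "$addrs" | grep -vxF -- "$4" || true)
    if [ -z "$addrs" ]; then
        echo "FAIL: no ListenStream/ListenDatagram lines in $2"; rc=1
    elif [ -n "$stale" ]; then
        echo "FAIL: expected $4, but socket listens on: $stale"; rc=1
    else
        echo "ok: every listen address is $4"
    fi
    return $rc
}

# Constructed sample files (not from the page): the stream line was changed,
# the datagram line was missed, so the check reports a failure.
demo_dir=$(mktemp -d)
printf '# ResolverName fvz-anyone\nResolverName cisco\n' > "$demo_dir/conf"
printf '[Socket]\nListenStream=127.0.0.1:53\nListenDatagram=127.0.9.9:53\n' \
    > "$demo_dir/unit"
check_dnscrypt_files "$demo_dir/conf" "$demo_dir/unit" cisco 127.0.0.1 \
    || echo "demo: partial edit detected"
rm -rf "$demo_dir"
```

On a real system, pass /etc/dnscrypt-proxy/dnscrypt-proxy.conf and /lib/systemd/system/dnscrypt-proxy.socket as the first two arguments, followed by the resolver name and the address you chose in step 3.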

Quick Script

Edited 28 November 2017: adding rm resolv.conf

To automate all the steps and the testing quickly, use this short script. You may find it useful when installing dnscrypt-proxy repeatedly (e.g. if you often run an Ubuntu LiveCD like me). This script is hosted at so you need JavaScript to view it.