Encrypting DNS Traffic

SSsshhh! Nothing to see here!

Your ISP or anyone who is sniffing your network traffic can log everything what you do online… which websites you visit… Invading your privacy. This is what you need to do to stop this!

By Fahad Usman

How do we protect our online browsing history? How do we keep our own ISP’s nose out of our online footprint? The answer… DNSCrypt

Here is the normal DNS query:

This is how you could see your own DNS queries:

  1. open terminal
  2. check "cat /etc/resolv.conf" to see nameserver settings
  3. obtain new nameserver from https://servers.opennic.org/
  4. "vi /etc/resolv.conf" – comment other lines in there and copy nameserver ip from https://servers.opennic.org/
    if cant edit /etc/resolv.conf then enter the following commands
    lsattr /etc/resolv.conf
    chattr -i /etc/resolv.conf
    lsattr /etc/resolv.conf
  5. Now you can edit resolv.conf

Now if you fire up the wireshark and start capturing packets. Filtering on DNS, you will note that your DNS queries are going to your new nameservers that you added above.

Anyone who is sniffing your network traffic can see what sites you are visiting anytime. Monitoring DNS is a common technique used to catch employees doing forbidden Web surfing at work. To maintain privacy, this traffic should be encrypted, but there is no option within DNS protocol to enable privacy.

This is why you could use something called DNSCrypt. It is a specification implemented in various softwares such as dnscrypt-proxy.

In the above screenshot, you can see I was going www.ebay.co.uk!! tut tut tut!!

Why use DNSCrypt?

  • DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) and DNSCrypt.
  • DNS query monitoring, with separate log files for regular and suspicious queries
  • Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
  • Time-based filtering, with a flexible weekly schedule
  • Transparent redirection of specific domains to specific resolvers
  • DNS caching, to reduce latency and improve privacy
  • Local IPv6 blocking to reduce latency on IPv4-only networks
  • Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
  • Cloaking: like a HOSTS file on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo and Bing.
  • Automatic background updates of resolvers lists
  • Can force outgoing connections to use TCP
  • Supports SOCKS proxies
  • Compatible with DNSSEC


“Setting up DNSCrypt on Kali and Mac follow the similar process. Just follow the instructions line and you would be fine!”

Setting it up on Macbook

If you are using Macbook, here is how you could Encrypt your DNS traffic…

Step 1: Get a root shell

Launch the Terminal.app app to get a command-line prompt, then type the following command to get a root shell:

sudo -s
mkdir dns-crypt
cd dns-crypt

You may have to enter your system password when asking for sudo privilege.

Step 2: download and run dnscrypt-proxy

Download dnscrypt-proxy here: dnscrypt-proxy binaries.

There are quite a few files here, but dnscrypt-proxy-macos-*.tar.gz is the one you want.

At the time of this writing, I downloaded the https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.17/dnscrypt-proxy-macos-2.0.17.tar.gz

I used wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.17/dnscrypt-proxy-macos-2.0.17.tar.gz you might need to install brew by running the command:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

and then wget by:

brew install wget --with-libressl

I think its worth doing that if you want to download internet files using command line.

Now get into the dir where you downloaded the file. I downloaded on desktop.

You need to extract it by: 

tar xzvf dnscrypt-proxy-macos-2.0.17.tar.gz
cd macos

The ls -l command should print a bunch of files, among which dnscrypt-proxy and example-dnscrypt-proxy.toml.

Create a configuration file based on the example one:

cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

And now,  to run it just type:


Does it look like it started properly? If not, try to find out why. Here are some hints:

  • dnscrypt-proxy.toml: no such file or directory: copy the example configuration file as dnscrypt-proxy.toml as documented above.
  • not found ELF - not found - Syntax error: ")" unexpected or something similiar: you didn’t downlaod the correct file for your operating system and CPU.
  • listen udp bind: permission denied: you are not using a root shell (see step 1). Use sudo -s to get one. Or su if sudo doesn’t exist on your system.
  • listen udp bind: address already in use: something is already listening to the DNS port. Maybe something else, maybe a previous instance of dnscrypt-proxy that you didn’t stop before starting a new one.

This is what it will look like:

Don’t close the terminal window yet. We’re going to change the system DNS settings.

Step 3: change the system DNS settings

Open the network preferences pane, by holding the alt (options) key on the mac and clicking the wi-fi icon at the top. then click Open Network Preferences… button.  Then, click the Advanced... button.

There should be a DNS tab. Select it, and click the - button to remove all the present addresses. Then click + and add this one:

If you don’t feel confident and want to fail over a non-authenticated DNS system just in case dnscrypt-proxy doesn’t work, add on a second line, after You can always remove that line later if everything works fine.

Back to the terminal.

Let’s check that everything works by opening up a new terminal window and sending a first query using dnscrypt-proxy:

./dnscrypt-proxy -resolve fahadusman.com

Looks like it was successfully able to resolve fahadusman.com? Great! Try a few more things: web browsing, file downloads, use your system normally and see if you can still connect without any DNS-related issues.

If anything ever goes wrong and you want to revert everything, open the network preferences pane, and delete all the DNS addresses you manually entered.

This is what the output will look like:

Did you notice that your resolver IP is no longer y our ISP? and all the DNS queries are not going (As we setup in the previous stage?)

It’s true… no place is like 🙂

Step 4: Tweak the configuration file

Hit Control and C in the dnscrypt-proxy terminal window to stop it.

You must still be in the dnscrypt-proxy directory at this point.

The dnscrypt-proxy.toml file has plenty of options you can tweak. Tweak them if you like. But tweak them one by one, so that if you ever screw up, you will know what exact change made this happen.

The message bare keys cannot contain '\n' typically means that there is a syntax error in the configuration file.

Type ./dnscrypt-proxy to start the server, and ControlC to stop it. Test, tweak, stop, test, tweak, stop until you are satisfied.

Are you satisfied? Good, let’s jump to step 5!

Step 5: install the proxy as a system service

Hit Control and C in the dnscrypt-proxy terminal window to stop the proxy.

Now, register this as a system service (still with root privileges):

./dnscrypt-proxy -service install


This assumes that the executable and the configuration file are in the same directory. If you didn’t follow these recommendations, you’re on your own modifiying the /Library/LaunchDaemons/dnscrypt-proxy.plist file to add the required -config option.

If it doesn’t spit out any errors, this is great! Your Linux distribution is compatible with the built-in installer.

Now that it’s installed, it can be started:

./dnscrypt-proxy -service start



Want to stop the service?
./dnscrypt-proxy -service stop
Want to restart the currently running service after a configuration file change?
./dnscrypt-proxy -service restart
Want to uninstall the service?
./dnscrypt-proxy -service uninstall
Want to check that DNS resolution works?
./dnscrypt-proxy -resolve fahadusman.com
Want to completely delete that thing? Delete the directory. Done.


In order to install a new version, just replace the executable file (dnscrypt-proxy) with the new version, and restart the service.

Controlling dnscrypt-proxy usage from the menu bar

Bitbar is a really nice tool to add very useful features to your macOS menu bar. Click on the “GetBitBar” link and download the latest version. Unzip and move it to the applications folder on the mac. Open up the BitBar app and it will ask you set the plugins directly. I created a directly in my /Documents folder. Now to get the DNSCrypt switcher, Go back to https://getbitbar.com and type dnscrypt in the search bar and it will download open up Frank’s dnscrypt-proxy switcher So you can keep dnscrypt-proxy always running as a background service, and just toggle it on and off using this menu bar tool. You should see a lock appearing at the top bar as shown below indicating that the switcher is now installed and working.

If you move the folder location after installation:

I downloaded the folder on Desktop. And after installation and everything above, I moved it on a different location. It stopped working after a reboot! I had to manually configure 
/Library/LaunchDaemons/dnscrypt-proxy.plist file
. just do
vi /Library/LaunchDaemons/dnscrypt-proxy.plist
and update the path in the file. Save and close. You should be fine after that! bind: address already in use

mDNSResponder listens to port 53 when applications using the native hypervisor run. Docker is an example of an application using this.

mDNSResponser also listens to port 53 when Internet sharing has been enabled.

This is quite annoying, because at the same time, OSX doesn’t allow specifying a specific port for DNS queries. And mDNSResponder‘s DNS proxy listens to all IPs, effectively preventing another local resolver or proxy from running.

Fortunately, mDNSResponder‘s DNS proxy can be disabled in its configuration file: /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist





But that file being in /System, changing it requires disabling SIP.

Another workaround is to listen to a different port, and use a local firewall rule to redirect port 53 to it.


Now if you fireup the wireshark again, and log the DNS traffic, it has been encrypted:

If you use DiG again, you will see the resolver is 🙂

Setting it up on Kali Linux

If you are using Kali, here is how you could Encrypt your DNS traffic…

        1. Goto: https://dnscrypt.info/implementations
        2. You will find Installation and Downloads links there
        3. uname -a to see if you are running a 32 or 64 bit OS. I will be downloading 64 bit in step 4.
        4. Open terminal in Kali terminal and download : wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.1/dnscrypt-proxy-linux_x86_64-2.0.1.tar.gz
        5. extract downloaded file: tar xzvf dnscrypt-proxy-linux_x86_64-2.0.1.tar.gz
        6. get into the extracted folder: cd linux-x86_64
        7. copy .toml file: cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
        8. change ownership: chown 2000:2000 dnscrypt-proxy.toml
        9. nano dnscrypt-proxy.toml
        10. You now need to edit dnscrypt-proxy.toml file
          1. Look for: # server_names = ['scaleway-fr', 'google', 'yandex']
          2. Change to the servers you would like to use and remove the leading #.
          3. Example: server_names = ['google','cisco-ipv6']
          4. You could use DNS server sources available at: https://github.com/jedisct1/dnscrypt-proxy/wiki/DNS-server-sources#opennic-servers
          5. I will be using the Opennic one because some of them don’t log dns requests and support dnscrypt like luggs server at opennic, List maintained by Frank Denis at: https://download.dnscrypt.info/dnscrypt-resolvers/v2/opennic.md
                1. To use that list, add this to the `[sources]` section of your
                  `dnscrypt-proxy.toml` configuration file:
                      url = 'http://download.dnscrypt.info/resolvers-list/v2/opennic.md'
                      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
                      cache_file = 'opennic.md'
                2. Now choose the servers that you wish to use from this dnscrypt-resolvers/v2/opennic.md file
                3. For example I am using: server_names = ['opennic-famicoman', 'opennic-luggs']
        11. Now we are ready to install and start dnscrypt-proxy
        12. ./dnscrypt-proxy -service install
      1. we also need to point local name-servers to localhost by:
        1. nano /etc/resolv.conf
        2. Comment all the lines and add nameserver and save the file
      2. Now start the service ./dnscrypt-proxy -service start

Now if you fireup the wireshark again, and log the DNS traffic, it has been encrypted:

This Post Has 3 Comments

  1. Hi. Is the DNS traffic encryption necessary if connected to VPN? Are the DNS queries visible in this case?

    1. Hi Chris,

      You should go to dnsleaktest.com and run a standard test. If you could see any DNS IP’s which don’t belong to your VPN service provider then you have something called “DNS Leak”. It depends what the policy is of your VPN service provider i.e. if they log your DNS queries or not etc. I personally, still use dnscrypt and I have not experienced any service degradation at all! Hopefully, it helps! thanks for asking

      1. Thank you for your reply. So, even if I am using a VPN, dnsencrypt is recommended for extra protection, just in case the VPN provider has DNS leaks.

Leave a Reply

Close Menu