[![Build Status](https://travis-ci.org/jedisct1/dnscrypt-proxy.svg?branch=master)](https://travis-ci.org/jedisct1/dnscrypt-proxy?branch=master)

# ![dnscrypt-proxy 2](https://raw.github.com/jedisct1/dnscrypt-proxy/master/logo.png?2)

A modern client implementation of the [DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt) protocol.

## [dnscrypt-proxy 2.0.0alpha10 is available for download!](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)

## Installation

### Initial configuration

1) Modify the `dnscrypt-proxy.toml` configuration file according to your needs.
2) Make sure that nothing else is already listening on port 53 on your system and run (in a console with elevated privileges on Windows) the `dnscrypt-proxy` application.

Change your DNS settings to the configured IP address and check that everything works as expected.

A DNS query for `resolver.00f.net` should return one of the chosen DNS servers instead of your ISP's resolver.

### Installation as a system service (Windows, Linux, MacOS)

Type `dnscrypt-proxy -service install` to register dnscrypt-proxy as a system service, and `dnscrypt-proxy -service start` to start it.

Done. It will automatically start at boot.

This setup procedure is compatible with Windows, Linux (systemd, Upstart, SysV), and macOS (launchd).

Other commands include `stop`, `restart` (useful after a configuration change) and `uninstall`.

## Current status/features

The current 2.0.0 alpha version includes all the major features from dnscrypt-proxy 1.9.5 (support for dnscrypt v2, synthetic IPv6 responses, logging, blocking, forwarding and caching), with improved reliability, flexibility, usability and performance.

| Features | dnscrypt-proxy 1.x | dnscrypt-proxy 2.x |
| --- | --- | --- |
| Status | Old PoC, barely maintained any more | Very new, but quickly evolving |
| Code quality | Big ugly mess | Readable, easy to work on |
| Reliability | Poor, due to completely broken handling of edge cases | Excellent |
| Security | Written in C, bundles patched versions from old branches of system libraries | Written in standard and portable Go |
| Dependencies | Specific versions of dnscrypt-proxy, libldns and libtool | None |
| Upstream connections using TCP | Catastrophic, requires client retries | Implemented as anyone would expect, works well with TOR |
| XChaCha20 support | Only if compiled with recent versions of libsodium | Yes, always available |
| Support of links with small MTU | Unreliable due to completely broken padding | Reliable, properly implemented |
| Support for multiple servers | Nonexistent | Yes, with automatic failover and load-balancing |
| Custom additions | C API, requires libldns for sanity | Simple Go structures using miekg/dns |
| AAAA blocking for IPv4-only networks | Yes | Yes |
| DNS caching | Yes, with ugly hacks for DNSSEC support | Yes, without ugly hacks |
| EDNS support | Broken with custom records | Yes |
| Asynchronous filters | Lol, no, filters block everything | Of course, thanks to Go |
| Session-local storage for extensions | Impossible | Yes |
| Multicore support | Nonexistent | Yes, thanks to Go |
| Efficient padding of queries | Couldn't be any worse | Yes |
| Multiple local sockets | Impossible | Of course. IPv4, IPv6, as many as you like |
| Automatically picks the fastest servers | Lol, it supports only one at a time, anyway | Yes, out of the box |
| Official, always up-to-date pre-built libraries | None | Yes, for many platforms. See below. |
| Automatically downloads and verifies servers lists | No. Requires custom scripts, cron jobs and dependencies (minisign) | Yes, built-in, including signature verification |
| Advanced expressions in blacklists (`ads*.example[0-9]*.com`) | No | Yes |
| Forwarding with load balancing | No | Yes |
| Built-in system installer | Only on Windows | Install/uninstall/start/stop/restart as a service on Windows, Linux/(systemd,Upstart,SysV), and macOS/launchd |

## Planned features

* New super simple (to copy&paste), extensible format for servers parameters: "stamps"
* Offline responses
* Local DNSSEC validation
* Flexible logging
* Windows support that doesn't suck
* [DNS-over-HTTPS (DoH)](https://datatracker.ietf.org/wg/doh/about/), the successor to DNS-over-TLS
* Support for the V1 plugin API
* Some real documentation

## Pre-built binaries

Up-to-date, pre-built binaries are available for:

* Dragonfly BSD
* FreeBSD/x86
* FreeBSD/x86_64
* Linux/arm
* Linux/arm64
* Linux/mips
* Linux/mips64
* Linux/mips64le
* Linux/x86
* Linux/x86_64
* MacOS X
* NetBSD/x86
* NetBSD/x86_64
* OpenBSD/x86
* OpenBSD/x86_64
* Windows
* Windows 64 bit
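
For the initial configuration steps under "Installation", here is an added example (not part of the dnscrypt-proxy project) of a pre-flight check that port 53 is free, plus the test query sent through the proxy. It assumes a Linux host with `ss` and `dig` installed and a proxy listen address of 127.0.0.1; the function names are hypothetical and the socket listing is constructed sample data.

```shell
#!/bin/sh
# Added example: pre-flight check before starting dnscrypt-proxy.
# Assumptions: Linux with `ss` (iproute2) and `dig`; proxy listens on 127.0.0.1.

# Read `ss -H -lntu` style lines on stdin and print "proto local-address"
# for every socket already bound to port 53 (column 5 is Local Address:Port).
port53_listeners() {
    awk '$5 ~ /:53$/ { print $1, $5 }'
}

# Return 0 if the listing on stdin has no port 53 listener, 1 otherwise.
port53_is_free() {
    conflicts=$(port53_listeners)
    [ -z "$conflicts" ] && return 0
    printf 'port 53 already in use:\n%s\n' "$conflicts" >&2
    return 1
}

# Constructed sample listing: a stub resolver on 127.0.0.53 and [::1] holds
# port 53, while ports 68, 22 and 5353 must not be reported.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68              0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
tcp   LISTEN 0      128    [::]:5353               [::]:*
udp   UNCONN 0      0      [::1]:53                [::]:*
EOF
}

# Live query through the proxy once it is running (not called automatically).
# $1 = configured listen address, assumed to be 127.0.0.1 when omitted.
query_via_proxy() {
    dig +short +time=3 +tries=1 "@${1:-127.0.0.1}" resolver.00f.net
}

# Demo on the constructed sample; on a real host run instead:
#   ss -H -lntu | port53_is_free && echo "port 53 is free"
sample_ss_output | port53_is_free ||
    echo "stop the services listed above before starting dnscrypt-proxy"
```

After the proxy is started and the system DNS settings point at it, `query_via_proxy` should print an address belonging to one of the configured servers rather than the ISP's resolver.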