FreeBSD DNSCrypt Howto


This Howto has been moved to the miniguide section and will be maintained there from now on.

h2. Introduction

This Howto describes the configuration of DNScrypt on FreeBSD using dns/dnscrypt-proxy from the FreeBSD Ports collection.

h2. Installing dnscrypt_proxy

Install dns/dnscrypt-proxy from the ports collection with root permissions.

    # cd /usr/ports/dns/dnscrypt-proxy
    # make configure
    # make configure-recursive
    # make fetch-recursive
    # make install clean

h2. Configuring dnscrypt_proxy

Edit /etc/rc.conf to run dnscrypt_proxy at system startup.

Here a secondary IP address is configured as an alias on the loopback device lo0; dnscrypt_proxy is bound to that alias address (-a) and logging is disabled (-l /dev/null). It uses one of the public IPredator resolvers, identified by its IP address (--resolver-address) and its provider key (--provider-key).

    # cat >> /etc/rc.conf << EOF
    ifconfig_lo0_alias0="inet netmask 0xffffffff"
    dnscrypt_proxy_enable="YES"
    dnscrypt_proxy_flags="-a --provider-key=F581:BDCD:C1F7:469C:6B55:A144:39AA:F2F6:3AD1:8C5F:AE57:7EE1:06C9:B2EC:D29E:6849 --resolver-address= -T -E -l /dev/null"
    EOF

h2. Starting dnscrypt_proxy

To start the dnscrypt_proxy without rebooting your machine, invoke the startup script:

    # service dnscrypt-proxy start
    Starting dnscrypt_proxy.

h2. Testing dnscrypt_proxy

Beginning with FreeBSD 10, Unbound is part of the FreeBSD base system, and the drill command for DNS lookups is shipped along with it.

Send a query for the A record of to the dnscrypt_proxy listening on

    # drill -t @
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53939
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
    ;;        IN      A

    ;; ANSWER SECTION:
       600     IN      A
       600     IN      A

    ;; AUTHORITY SECTION:
       600     IN      NS
       600     IN      NS
       600     IN      NS
       600     IN      NS

    ;; Query time: 245 msec
    ;; WHEN: Fri Jul  3 03:00:52 2015
    ;; MSG SIZE  rcvd: 147

If you see results in the ANSWER SECTION like above, dnscrypt_proxy basically works. Now you need to set up your system to use dnscrypt_proxy through the unbound resolver.

h2. Configure local DNS cache using Unbound

The unbound binary that is shipped with FreeBSD in the base system is referred to as local_unbound; this is also the name of its rc.d service.

This Howto uses the shipped version of unbound. If you prefer to use unbound from the ports, install dns/unbound. To enable that version in /etc/rc.conf, use the unbound_enable variable instead of local_unbound_enable. Its configuration file is /usr/local/etc/unbound/unbound.conf.

Configure unbound to be run during system startup:

    # echo 'local_unbound_enable="YES"' >> /etc/rc.conf

Edit or create /var/unbound/unbound.conf. unbound listens on, only queries originating from are permitted. All queries received by unbound are forwarded to dnscrypt_proxy listening on

    server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        do-ip6: no
        access-control: allow
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        tcp-upstream: yes

    forward-zone:
        name: "."
        # the address dnscrypt_proxy is bound to (the -a argument in /etc/rc.conf), written as IP@port if it is not port 53
        forward-addr: <dnscrypt_proxy address>

Start unbound:

    # service local_unbound start

Now do the same query as before, but this time query the unbound resolver:

    # drill @
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16419
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
    ;;        IN      A

    ;; ANSWER SECTION:
       596     IN      A
       596     IN      A

    ;; AUTHORITY SECTION:
       596     IN      NS
       596     IN      NS
       596     IN      NS
       596     IN      NS

    ;; Query time: 3 msec
    ;; SERVER:
    ;; WHEN: Fri Jul  3 03:51:11 2015
    ;; MSG SIZE  rcvd: 147

The outcome should be identical. Note the different SERVER in the answer.
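As an added example (not part of this Howto), the two drill runs above can be compared by a small POSIX sh script instead of by eye: it reads the ANSWER count from the flags line and the A records from the ANSWER SECTION, so a timeout or an empty answer is caught, and differing TTLs or SERVER lines do not count as a difference. It parses only what drill prints and can be fed saved output. The sample outputs inside it are constructed (example.com with documentation addresses), not captured from a real host, and the resolver addresses in the usage comment are placeholders for whatever you configured in /etc/rc.conf and unbound.conf:

```shell
#!/bin/sh
# Added example, not part of the original Howto: parse the output of
# drill(1) to decide whether the resolver chain answers, and compare the
# A records returned by two resolvers (dnscrypt_proxy queried directly,
# and unbound forwarding to it) the way the Howto does by eye.

# Print the ANSWER count from the ";; flags:" line of drill output read on
# stdin; prints 0 when no header arrived (timeout, nothing listening).
drill_answer_count() {
    awk '
        /^;; flags:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { n = $(i + 1); sub(/,/, "", n); print n; found = 1 }
        }
        END { if (!found) print 0 }'
}

# Print the ANSWER SECTION A records as "name address", sorted. TTLs are
# dropped so a cached answer from unbound still compares equal to the
# fresh one from dnscrypt_proxy.
drill_a_records() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $4 == "A" { print $1, $5 }' | sort
}

# Return 0 if both files hold drill output with at least one answer and
# the same set of A records; 1 otherwise.
same_answers() {
    [ "$(drill_answer_count < "$1")" -gt 0 ] &&
    [ "$(drill_a_records < "$1")" = "$(drill_a_records < "$2")" ]
}

# Constructed sample outputs (example.com with documentation addresses,
# not captured from a real host). The second one mimics an answer served
# from unbound's cache: lower TTLs, a different SERVER line, and the
# records in a different order.
sample_proxy_output() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53939
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com.    IN    A

;; ANSWER SECTION:
example.com.    600    IN    A    192.0.2.10
example.com.    600    IN    A    192.0.2.11

;; AUTHORITY SECTION:
example.com.    600    IN    NS    ns1.example.com.

;; Query time: 245 msec
;; SERVER: <dnscrypt_proxy address>
;; WHEN: Fri Jul  3 03:00:52 2015
;; MSG SIZE  rcvd: 90
EOF
}
sample_unbound_output() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16419
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com.    IN    A

;; ANSWER SECTION:
example.com.    596    IN    A    192.0.2.11
example.com.    596    IN    A    192.0.2.10

;; AUTHORITY SECTION:
example.com.    596    IN    NS    ns1.example.com.

;; Query time: 3 msec
;; SERVER: <unbound address>
;; WHEN: Fri Jul  3 03:51:11 2015
;; MSG SIZE  rcvd: 90
EOF
}

# Live use on a FreeBSD host (placeholders stand for your own addresses):
#   drill example.com @<dnscrypt_proxy address> > proxy.out
#   drill example.com @<unbound address> > unbound.out
#   same_answers proxy.out unbound.out && echo "unbound forwards to dnscrypt_proxy"
```

Because same_answers only looks at the A records, it also reports a mismatch if unbound silently forwards to a different upstream than dnscrypt_proxy and that upstream returns other addresses; a zero ANSWER count from either side fails the check outright.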

h2. System wide DNS configuration

On FreeBSD, DNS servers are configured in /etc/resolv.conf. Depending on whether your machine uses a statically configured or a dynamically assigned address, either edit /etc/resolv.conf directly or configure dhclient via /etc/dhclient.conf to supersede the DNS server entries it receives during interface configuration.

DNS queries are to be sent to unbound listening on, which in turn forwards the queries to dnscrypt_proxy.

h3. Statically configured IP address

Add as the only nameserver in /etc/resolv.conf. It is important not to have any other nameserver entries in this file; otherwise you are leaking DNS queries to those servers.

    # echo "nameserver" > /etc/resolv.conf

h3. Dynamically assigned IP address via DHCP

When using DHCP to configure your host's IP address, dhclient needs to supersede the nameservers it receives from local DHCP servers with You still receive an IP address from the network range your machine sits in as well as a default gateway, but all your DNS queries are safely piped through unbound and dnscrypt_proxy.

    # echo "supersede domain-name-servers;" >> /etc/dhclient.conf
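Added example, not part of the original Howto: a POSIX sh script that checks both the static and the DHCP case above for stray nameserver entries, so a leak to the DHCP-supplied servers is caught before it happens. The unbound address is passed as an argument rather than hard-coded, and the files the demo function writes are constructed samples (127.0.0.1 as the local resolver, a documentation address as the DHCP-supplied server), not copies of a real host's configuration:

```shell
#!/bin/sh
# Added example, not part of the original Howto: verify that resolver
# configuration sends DNS queries only to the local unbound instance, for
# /etc/resolv.conf (static address) and /etc/dhclient.conf (DHCP).

# Print the nameserver addresses listed in a resolv.conf-style file,
# ignoring comments (# or ;).
resolv_nameservers() {
    sed 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Return 0 if FILE names only EXPECTED as nameserver. Any other entry is
# reported as a leak and makes the function return 1; an empty list is
# rejected as well (the resolver would then fall back to its default).
check_resolv_conf() {
    file=$1; expected=$2; count=0; leak=0
    for ns in $(resolv_nameservers "$file"); do
        count=$((count + 1))
        if [ "$ns" != "$expected" ]; then
            echo "leak: $file would send queries to $ns" >&2
            leak=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "error: $file lists no nameserver" >&2
        return 1
    fi
    return $leak
}

# Print the addresses given to "supersede domain-name-servers" in a
# dhclient.conf, one per line (the statement may list several, comma
# separated, terminated by a semicolon).
dhclient_superseded_servers() {
    sed 's/#.*$//' "$1" |
    awk '$1 == "supersede" && $2 == "domain-name-servers" {
             for (i = 3; i <= NF; i++) print $i }' |
    tr -d ',;'
}

# Return 0 if dhclient.conf overrides the DHCP-supplied servers with
# exactly EXPECTED, 1 if the statement is missing or lists other servers.
check_dhclient_conf() {
    [ "$(dhclient_superseded_servers "$1")" = "$2" ]
}

# Constructed demo inputs (not taken from a real host): a clean
# resolv.conf, one that also lists a DHCP-supplied server, and a
# dhclient.conf as written in the Howto's DHCP step. Returns 0 only if
# the checks classify all three as intended.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'nameserver 127.0.0.1\n' > "$dir/resolv.clean"
    printf '# added by dhclient\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$dir/resolv.leaky"
    printf 'supersede domain-name-servers 127.0.0.1;\n' > "$dir/dhclient.conf"
    rc=0
    check_resolv_conf "$dir/resolv.clean" 127.0.0.1 || rc=1
    check_resolv_conf "$dir/resolv.leaky" 127.0.0.1 2>/dev/null && rc=1
    check_dhclient_conf "$dir/dhclient.conf" 127.0.0.1 || rc=1
    rm -rf "$dir"
    return $rc
}

# Live use on a FreeBSD host, with the address unbound listens on:
#   check_resolv_conf /etc/resolv.conf <unbound address>
#   check_dhclient_conf /etc/dhclient.conf <unbound address>   # DHCP hosts only
```

Running the resolv.conf check from a periodic job is a cheap way to notice when a later interface reconfiguration or a resolvconf run has put the DHCP-supplied servers back into /etc/resolv.conf, which would send queries past unbound and dnscrypt_proxy again.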

If you experience any problems after following this Howto, please contact For error corrections or feedback please write an email to Of course we are also available via our Online Chat.