OpenBSD DNSCrypt Howto


This Howto has been moved to the miniguide section and will be maintained there from now on.

h2. Introduction

This Howto describes setting up DNSCrypt on OpenBSD using packages.

h2. Installing dnscrypt_proxy

Install dnscrypt-proxy from the FTP package repository with root permissions. Make sure to set the environment variable PKG_PATH properly.

# export PKG_PATH=`uname -r`/packages/`machine -a`/
# pkg_add -i dnscrypt-proxy

h2. Configuring dnscrypt_proxy

dnscrypt_proxy listens on the loopback device lo0, bound to port 5353, with logging disabled. It uses one of the public IPredator resolvers with the IP address

Edit /etc/rc.conf.local and add the following lines to run dnscrypt_proxy at system startup:

dnscrypt_proxy_flags="-a --provider-key=F581:BDCD:C1F7:469C:6B55:A144:39AA:F2F6:3AD1:8C5F:AE57:7EE1:06C9:B2EC:D29E:6849 --resolver-address= -T -E -l /dev/null"

h2. Starting dnscrypt_proxy

To start the dnscrypt_proxy without rebooting your machine, invoke the startup script:

# /etc/rc.d/dnscrypt_proxy start

h2. Testing dnscrypt_proxy

Use dig to send a query for the A record of to the dnscrypt_proxy listening on

# dig @ -p 5353 +tcp

; <<>> DiG 9.4.2-P2 <<>> @ -p 5353 +tcp
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18123
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
;                  IN      A
;; ANSWER SECTION:           508     IN      A           508     IN      A
;; AUTHORITY SECTION:           599     IN      NS           599     IN      NS           599     IN      NS           599     IN      NS

;; Query time: 245 msec
;; WHEN: Mon Jun 29 23:45:52 2015
;; MSG SIZE  rcvd: 147

If you see results in the ANSWER SECTION like the ones above, dnscrypt_proxy works. Now you need to set up your system to use dnscrypt_proxy through the unbound resolver.

h2. Configure local DNS cache using Unbound

Unbound is a DNS resolver and part of the OpenBSD base system.

Edit rc.conf.local to enable unbound at system startup:


For clarity, unbound_flags should go above the pkg_scripts variable in rc.conf.local. pkg_scripts lists the startup scripts installed by packages that should be invoked during system startup. Because unbound is part of the OpenBSD base system, its startup script is not listed in pkg_scripts.

Edit or create /var/unbound/etc/unbound.conf. unbound listens on on port 53 by default. Only queries originating from are permitted. All queries received by unbound are forwarded to dnscrypt_proxy listening on port 5353.

    server:
        username: _unbound
        directory: /var/unbound
        chroot: /var/unbound

        do-ip6: no

        access-control: allow
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no

        tcp-upstream: yes

    forward-zone:
        name: "."

Start unbound:

# /etc/rc.d/unbound start

Now do the same query as before, but this time query the unbound resolver:

# dig @

; <<>> DiG 9.4.2-P2 <<>> @
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37537
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;                  IN      A

;; ANSWER SECTION:           592     IN      A           592     IN      A

;; AUTHORITY SECTION:           592     IN      NS           592     IN      NS           592     IN      NS           592     IN      NS

;; Query time: 4 msec
;; WHEN: Tue Jun 30 00:16:36 2015
;; MSG SIZE  rcvd: 147

The outcome should be identical. Note the different SERVER in the answer: the reply now comes from unbound, not from dnscrypt_proxy running on port 5353.

h2. System wide DNS configuration

On OpenBSD DNS servers are configured in /etc/resolv.conf. Depending on whether your machine uses a statically configured or dynamically assigned address, you can either edit /etc/resolv.conf directly or configure dhclient via /etc/dhclient.conf to supersede the DNS server entries it receives during interface configuration.

DNS queries are to be sent to unbound listening on, which in turn forwards the queries to dnscrypt_proxy.

h3. Statically configured IP address

Add as the only nameserver in /etc/resolv.conf. It is important not to have any other nameserver entries in this file; otherwise you leak DNS queries to those machines.

# echo "nameserver" > /etc/resolv.conf

h3. Dynamically assigned IP address via DHCP

When using DHCP to configure your host's IP address, dhclient needs to supersede the nameservers it receives from local DHCP servers with You still receive an IP address from the network range your machine sits in as well as a default gateway, but all your DNS queries are safely piped through unbound and dnscrypt_proxy.

# echo "supersede domain-name-servers;" >> /etc/dhclient.conf
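As an added example that is not part of this Howto, the following sh script checks a resolv.conf and a dhclient.conf for the leak described in the two sections above: any nameserver other than the local unbound listener, or a missing supersede statement. It assumes unbound listens on 127.0.0.1, which the Howto's text leaves out, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original Howto: check the two files the
# Howto edits for resolver entries that would bypass unbound.
# ASSUMPTION: unbound listens on 127.0.0.1 (the Howto elides the address);
# set LOCAL_DNS in the environment if your setup differs.
LOCAL_DNS=${LOCAL_DNS:-127.0.0.1}

# resolv_leaks FILE ADDR: print every "nameserver" in FILE other than ADDR.
# Returns 0 only if FILE names ADDR and nothing else; comment and blank
# lines are skipped, and a file with no nameserver at all also fails.
resolv_leaks() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v want="$2" '
        /^[ \t]*[#;]/ || NF == 0 { next }
        $1 == "nameserver" { total++; if ($2 != want) { leaks++; print $2 } }
        END { exit (total == 0 || leaks > 0) }
    ' "$1"
}

# dhclient_supersedes FILE ADDR: return 0 if FILE carries
# "supersede domain-name-servers ADDR;", i.e. DHCP-provided resolvers are
# replaced (a "prepend" would still leave the DHCP resolvers as fallback).
dhclient_supersedes() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "supersede" && $2 == "domain-name-servers" {
            sub(/;.*$/, "", $3); if ($3 == want) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample files (not from a real host) so the script runs
# offline; 192.0.2.53 stands in for an ISP resolver.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.good"
printf '# ISP resolver left in place\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv.bad"
printf 'supersede domain-name-servers 127.0.0.1;\n' > "$tmp/dhclient.conf"

for f in resolv.good resolv.bad; do
    if resolv_leaks "$tmp/$f" "$LOCAL_DNS"; then
        echo "$f: only $LOCAL_DNS, no leak"
    else
        echo "$f: queries would leak to the resolver(s) listed above"
    fi
done
dhclient_supersedes "$tmp/dhclient.conf" "$LOCAL_DNS" \
    && echo "dhclient.conf: DHCP resolvers superseded by $LOCAL_DNS" \
    || echo "dhclient.conf: supersede line for $LOCAL_DNS missing"
```

Run it against the real files with `resolv_leaks /etc/resolv.conf "$LOCAL_DNS"` and `dhclient_supersedes /etc/dhclient.conf "$LOCAL_DNS"` after following the steps above.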

If you experience any problems after following this Howto, please contact For error corrections or feedback please write an email to Of course we are also available via our Online Chat.