1 dnscrypt-proxy(8) -- A DNSCrypt forwarder
2 =========================================
6 `dnscrypt-proxy` [<options>]
10 **dnscrypt-proxy** accepts DNS requests, authenticates and encrypts
11 them using dnscrypt and forwards them to a remote dnscrypt-enabled
14 Replies from the resolver are expected to be authenticated and
15 encrypted or else they will be discarded.
17 The proxy verifies the replies, decrypts them, and transparently
18 forwards them to the local stub resolver.
20 `dnscrypt-proxy` listens to `127.0.0.1` / port `53` by default.
24 **dnscrypt-proxy** is not a DNS cache. Unless your operating system
25 already provides a decent built-in cache (and by default, most systems
26 don't), clients shouldn't directly send requests to **dnscrypt-proxy**.
28 Intead, run a DNS cache like **Unbound**, and configure it to use
29 **dnscrypt-proxy** as a forwarder. Both can safely run on the same
30 machine as long as they use different IP addresses and/or different
35 * `-a`, `--local-address=<ip>[:port]`: what local IP the daemon will listen
36 to, with an optional port. The default port is 53.
38 * `-d`, `--daemonize`: detach from the current terminal and run the server
41 * `-e`, `--edns-payload-size=<bytes>`: transparently add an OPT
42 pseudo-RR to outgoing queries in order to enable the EDNS0
43 extension mechanism. The payload size is the size of the largest
44 response we accept from the resolver before retrying over TCP.
45 This feature is enabled by default, with a payload size of 1252
46 bytes. Any value below 512 disables it.
48 * `-h`, `--help`: show usage.
50 * `-k`, `--provider-key=<key>`: specify the provider public key (see below).
52 * `-L`, `--resolvers-list=<file>`: path to the CSV file containing
53 the list of available resolvers, and the parameters to use them.
55 * `-l`, `--logfile=<file>`: log events to this file instead of the
58 * `-m`, `--loglevel=<level>`: don't log events with priority above
59 this level after the service has been started up. Default is the value
62 * `-n`, `--max-active-requests=<count>`: set the maximum number of
63 simultaneous active requests. The default value is 250.
65 * `-p`, `--pidfile=<file>`: write the PID number to a file.
67 * `-R`, `--resolver-name=<name>`: name of the resolver to use, from
68 the list of available resolvers (see `-L`).
70 * `-r`, `--resolver-address=<ip>[:port]`: a DNSCrypt-capable resolver IP
71 address with an optional port. The default port is 443.
73 * `-t`, `--test=<margin>`: don't actually start the proxy, but check that
74 a valid certificate can be retrieved from the server and that it
75 will remain valid for the next <margin> minutes. The exit code is 0
76 if a valid certificate can be used, 2 if no valid certificates can be used,
77 3 if a timeout occurred, and 4 if a currently valid certificate is
78 going to expire before <margin>. The margin is always specificied in
81 * `-u`, `--user=<user name>`: chroot(2) to this user's home directory
84 * `-N`, `--provider-name=<FQDN>`: the fully-qualified name of the
85 dnscrypt certificate provider.
87 * `-T`, `--tcp-only`: always use TCP. A connection made using UDP
88 will get a truncated response, so that the (stub) resolver retries using
91 * `-V`, `--version`: show version number.
93 A public key is 256-bit long, and it has to be specified as a hexadecimal
94 string, with optional columns.
96 ## SIMPLE USAGE EXAMPLE
98 $ dnscrypt-proxy --daemonize --resolver-name=...
100 ## ADVANCED USAGE EXAMPLE
102 $ dnscrypt-proxy --provider-key=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 --provider-name=2.dnscrypt-cert.dnscrypt.org. --resolver-address=208.67.220.220:53 --daemonize