<chapter xmlns="http://docbook.org/ns/docbook"
 xmlns:xlink="http://www.w3.org/1999/xlink"
 xmlns:xi="http://www.w3.org/2001/XInclude"
 version="5.0"
 xml:id="sec-dnscrypt-proxy">

 <title>DNSCrypt client proxy</title>

 <para>
 The DNSCrypt client proxy relays DNS queries to a DNSCrypt-enabled
 upstream resolver. The traffic between the client and the upstream
 resolver is encrypted and authenticated, mitigating the risk of MITM
 attacks, DNS poisoning attacks, and third-party snooping (assuming the
 upstream resolver itself is trustworthy).
 </para>

 <sect1><title>Basic configuration</title>

 <para>
 To enable the client proxy, set
 <programlisting>
 services.dnscrypt-proxy.enable = true;
 </programlisting>
 </para>

 <para>
 Enabling the client proxy does not alter the system nameserver; to
 relay local queries, prepend <literal>127.0.0.1</literal> to
 <option>networking.nameservers</option>.
 </para>

 </sect1>

 <sect1><title>As a forwarder for another DNS client</title>

 <para>
 To run the DNSCrypt client proxy as a forwarder for another
 DNS client, change the default proxy listening port to a
 non-standard value (so that it does not conflict with the other
 client's listener on port 53) and point the other client to it:
 <programlisting>
 services.dnscrypt-proxy.localPort = 43;
 </programlisting>
 </para>

 <sect2><title>dnsmasq</title>
 <para>
 <programlisting>
 {
 services.dnsmasq.enable = true;
 services.dnsmasq.servers = [ "127.0.0.1#43" ];
 }
 </programlisting>
 </para>
 </sect2>

 <sect2><title>unbound</title>
 <para>
 <programlisting>
 {
 services.unbound.enable = true;
 services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
 }
 </programlisting>
 </para>
 </sect2>
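 <para>
 The following is an added example, not a listing from this manual, that
 combines the steps of this chapter into one complete NixOS module: the
 DNSCrypt client proxy listens on port 43, dnsmasq owns the standard port
 53 and forwards every query to the proxy, and the system resolver is
 pointed at dnsmasq. Only option names that appear on this page are used;
 the comments and the choice of listing a single nameserver are my
 additions.
 </para>

```nix
# Added example (not part of the NixOS manual): DNSCrypt client proxy
# behind a local dnsmasq forwarder.
#
# Query path:
#   applications -> 127.0.0.1:53 (dnsmasq) -> 127.0.0.1:43 (dnscrypt-proxy)
#                -> encrypted, authenticated upstream
{ config, pkgs, ... }:

{
  # The DNSCrypt client proxy, moved off port 53 so dnsmasq can bind it.
  services.dnscrypt-proxy.enable = true;
  services.dnscrypt-proxy.localPort = 43;

  # Local caching forwarder. Anything it cannot answer from cache goes to
  # the DNSCrypt proxy on port 43, never to a plaintext upstream.
  services.dnsmasq.enable = true;
  services.dnsmasq.servers = [ "127.0.0.1#43" ];

  # Point the system resolver at dnsmasq. Listing only 127.0.0.1 is
  # deliberate: a second, plaintext nameserver here would let the
  # resolver silently fall back to an unencrypted path whenever the
  # local chain is slow or down.
  networking.nameservers = [ "127.0.0.1" ];
}
```

 <para>
 After rebuilding, two checks confirm the chain: a query sent directly to
 127.0.0.1 on port 43 should be answered by the proxy, and
 <filename>/etc/resolv.conf</filename> should list no nameserver other
 than 127.0.0.1, so that no query can bypass the encrypted hop.
 </para>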

 </sect1>

</chapter>