
How to deploy your own DNSCrypt Proxy home server

DNS hijacking is when someone changes the address book that computers use to find websites on the internet. Imagine you have a big book that tells you where all your friends live. When you want to visit your friend’s house, you look in the book to find their address.

Now, imagine someone sneaks into your house and changes the book. They write down wrong addresses for your friends, so when you look in the book, you end up going to the wrong places. That’s like DNS hijacking!

Instead of going to your friend’s house, you might end up at someone else’s house or somewhere completely different. It can be very confusing and can make it hard to find the right websites on the internet. That’s why it’s important to keep the address book safe so that you can always find the right places you want to visit online.

By running a DNSCrypt proxy on a machine at home and pointing your router’s DNS setting at that “home server”, you get a resolver that is safe from DNS hijacking. In Indonesia, all ISPs must hijack outgoing traffic on port 53, the port DNS queries use. So setting your unencrypted DNS server to Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8 is meaningless: you are not actually using Cloudflare’s or Google’s resolver, but the ISP’s (hijacked) resolver.

Additionally, queries are still hijacked even if you point them at a random non-bogon IP address as your DNS resolver.

Luckily, DNS queries on port 53 inside a private or internal network are safe. DNSCrypt, like DoH (DNS over HTTPS), uses outgoing port 443, which ISPs are unlikely to tamper with, since 443 is the port of ordinary HTTPS sessions. All DNS queries over DNSCrypt are also encrypted, so the ISP can’t read them at all; to the ISP they look like a regular browsing session, and it probably won’t be “tryhard” enough to hijack them.

You can create a Docker installation for a DNSCrypt server with this docker-compose configuration (the service needs the named volume mounted at /config, otherwise the config file path in the command has nothing behind it):

version: '3'

services:
  dnscrypt-proxy:
    image: klutchell/dnscrypt-proxy
    restart: always
    ports:
      # the container listens on 5053; expose it as plain DNS (port 53) on the LAN
      - 53:5053/tcp
      - 53:5053/udp
    volumes:
      # the config file referenced in the command lives in this volume, so it survives restarts
      - dnscrypt-proxy-config:/config
    command: -config /config/dnscrypt-proxy.toml

volumes:
  dnscrypt-proxy-config:
    driver: local

After that, run docker-compose up -d to start the DNSCrypt container. Then, in your router’s settings page, change the DNS server to your home server’s IP; in my case, it’s 192.168.1.102. Also, in case your DNS resolver fails, don’t forget to set a secondary DNS server, such as Cloudflare’s 1.1.1.1 and 1.0.0.1 (which, as explained above, is actually an ISP’s resolver).
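To check the deployment, and the port-53 interception the post describes, here is an added Python script that is not part of the original post: it sends a plain UDP DNS query to an address and parses the answer, first against the home server and then against a host that runs no DNS service at all (any answer from such a host means port 53 is being intercepted upstream). It assumes the home server IP 192.168.1.102 from the post; the probe address 203.0.113.7 is a placeholder to replace with an address you know is not a resolver.

```python
import socket, struct

def build_query(name, qid=0x1234):
    """Build a plain DNS A query in wire format (RFC 1035), recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while True:  # walk the labels; return the offset just past the name
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += n + 1

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN): no usable answer
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, server, timeout=3.0):
    """Send one UDP query on port 53; return answer IPs, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(data)

if __name__ == "__main__":
    HOME_SERVER = "192.168.1.102"  # the home server IP from the post
    PROBE_IP = "203.0.113.7"       # placeholder: an address that runs no DNS service
    print("home server answers:", resolve_a("example.com", HOME_SERVER))
    # an answer from a host that is not a resolver means port 53 is intercepted upstream
    print("port 53 intercepted:", resolve_a("example.com", PROBE_IP) is not None)
```

Run it from a machine on the LAN: the first line should list addresses, and the second should print False once the router points at the home server and nothing upstream is rewriting port 53 traffic from inside the network.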

Here are the results:
