Dnscrypt on OSX via Homebrew with custom resolver

dnscrypt-proxy encrypts and authenticates DNS traffic between a client and a DNSCrypt-aware resolver. Here's how to install it on OSX via Homebrew and how to point it at a resolver other than OpenDNS' server, which it uses by default.

brew install dnscrypt-proxy

Go to System Preferences -> Network -> Advanced -> DNS and set 127.0.0.1 as the DNS server. This setting is per network service, so repeat it for every interface you actually use (Wi-Fi, Ethernet, ...), otherwise queries on the other interfaces keep going out in the clear.

Launch dnscrypt-proxy and check that it works (root is needed to bind port 53):

sudo /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:53
nslookup google.com

If that works, it is time to test with an alternate server:

sudo /usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy --local-address=127.0.0.1:53 --resolver-address=176.56.237.171:443 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

This is one of the servers listed on the dnscrypt page. There are plenty of servers there to choose from (the closer, the better), or you can run your own dnscrypt-aware resolver. Copy the address, provider name and provider key exactly as published there, since the key is what dnscrypt-proxy uses to verify the resolver's certificate. If all goes well, the next step is to copy the Homebrew launchd plist file to its proper place so that dnscrypt-proxy starts at boot time.

Copy the supplied plist file in the right place:

sudo cp -fv /usr/local/opt/dnscrypt-proxy/homebrew.mxcl.dnscrypt-proxy.plist /Library/LaunchDaemons

Open the file with an editor and replace/append the parameters for dnscrypt-proxy. This step is only required if you are unhappy with the OpenDNS resolver. One of the major drawbacks of the OpenDNS resolver (and the reason why I've stopped using OpenDNS altogether) is that it hijacks searches from the Firefox address bar and redirects them to its search engine.

My version of the file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>homebrew.mxcl.dnscrypt-proxy</string>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
      <string>--local-address=127.0.0.1:53</string>
      <string>--resolver-address=176.56.237.171:443</string>
      <string>--provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu</string>
      <string>--provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66</string>
      <string>--user=nobody</string>
    </array>
    <key>UserName</key>
    <string>root</string>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
  </dict>
</plist>

If you're using a custom resolver, as above, you must supply all three parameters: resolver-address, provider-name and provider-key. The daemon starts as root (UserName) so it can bind port 53, then drops to the unprivileged account given by --user=nobody. The provider key is the resolver's public key fingerprint; dnscrypt-proxy uses it to verify the certificate the resolver serves, so a wrong or stale key makes the proxy fail rather than silently talk to an impostor.

And now for the last step, enable dnscrypt-proxy in launchd:

sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist
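The whole procedure above boils down to three resolver parameters that must be supplied together and copied exactly. The script below is an added example, not code from the original post or from the dnscrypt-proxy project: it validates the resolver address, the provider name and the provider key fingerprint before they go anywhere near launchd, and then generates the plist in the shape shown above. The dnscrypt-proxy 1.x command-line flags, the Homebrew install path and the IPv4-only address check are assumptions for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): validate the custom-resolver
# parameters for dnscrypt-proxy 1.x and generate the launchd plist.
# Assumes the Homebrew install path used on this page.

DNSCRYPT_BIN=/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy

# Provider key fingerprint: 16 colon-separated groups of 4 hex digits (256 bits).
check_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$'
}

# Provider name: DNSCrypt v2 certificates live under 2.dnscrypt-cert.<host>.
check_provider_name() {
    case "$1" in
        2.dnscrypt-cert.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolver address as IPv4:port (IPv6 is left out here; assumption for brevity).
check_resolver_address() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'
}

# Build the dnscrypt-proxy argument list. All three custom-resolver parameters
# are required together; fail loudly instead of letting dnscrypt-proxy fall
# back to its OpenDNS defaults because one of them was left empty.
dnscrypt_args() {
    addr=$1; name=$2; key=$3
    if [ -z "$addr" ] || [ -z "$name" ] || [ -z "$key" ]; then
        echo "resolver-address, provider-name and provider-key must all be set" >&2
        return 1
    fi
    check_resolver_address "$addr" || { echo "bad resolver address: $addr" >&2; return 1; }
    check_provider_name "$name"    || { echo "bad provider name: $name" >&2; return 1; }
    check_provider_key "$key"      || { echo "bad provider key: $key" >&2; return 1; }
    printf '%s --resolver-address=%s --provider-name=%s --provider-key=%s --user=nobody\n' \
        '--local-address=127.0.0.1:53' "$addr" "$name" "$key"
}

# Emit the launchd plist: runs as root to bind port 53, drops to nobody itself.
dnscrypt_plist() {
    args=$(dnscrypt_args "$@") || return 1
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>homebrew.mxcl.dnscrypt-proxy</string>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
EOF
    printf '      <string>%s</string>\n' "$DNSCRYPT_BIN"
    for a in $args; do            # args contain no whitespace, so word splitting is safe
        printf '      <string>%s</string>\n' "$a"
    done
    cat <<'EOF'
    </array>
    <key>UserName</key>
    <string>root</string>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
  </dict>
</plist>
EOF
}

# Usage (values from the page's example resolver):
#   dnscrypt_plist 176.56.237.171:443 2.dnscrypt-cert.resolver1.dnscrypt.eu \
#       67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 \
#       | sudo tee /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist >/dev/null
```

On the Mac itself, `networksetup -setdnsservers Wi-Fi 127.0.0.1` (and again for each other network service) is the command-line equivalent of the System Preferences step, and `networksetup -getdnsservers Wi-Fi` confirms it took effect.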

No more DNS leakage! Queries now leave the machine encrypted and authenticated; keep in mind that the resolver operator still sees them in the clear, which is why the choice of resolver matters.

From here there are further refinements possible, such as installing Unbound for local DNS caching and DNSSEC support.

4 Comments

  1. Pingback: Unbound and Dnscrypt-proxy on OSX via homebrew | Cosu
