🛡️ dnscrypt-proxy-pihole

Secure DNS solution for your Raspberry Pi & Pi-hole setup.
Enhanced DNS encryption and privacy with pre-configured settings.

Overview • Features • Install • Scripts • Configuration • Verification • Uninstall

---

🔍 Overview

A preconfigured DNSCrypt-proxy package for Raspberry Pi and Pi-hole users that ensures secure, encrypted DNS queries through carefully selected DNSCrypt and DNS-over-HTTPS servers with strict no-logging policies.

📦 Compatibility

✅ Current Version:

• Raspberry Pi OS 64bit arm64
• Raspberry Pi OS 32bit armhf
• Pi-hole v6.0+
• DNS server: 127.0.0.1#53533

⚠️ Legacy Version:

• Raspberry Pi OS 11 (bullseye)

---

✨ Features

Feature	Description	Benefit
🔒 DNSCrypt	Advanced DNS encryption	Protects against DNS surveillance
🌐 DNS-over-HTTPS	Modern DNS protocol support	Additional security layer
🕵️ Privacy Focus	No-log DNS servers only	Ensures query privacy
🛡️ DNSSEC	Built-in validation	Prevents DNS spoofing
⚡ Optimized	Raspberry Pi tuned	Efficient resource usage

---

🚀 Install

Install with a single command:

curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/master/dnscrypt-proxy-pihole-install | bash

---

📜 Scripts

1. install-latest-dnscrypt-proxy.bash

Downloads and installs the latest dnscrypt-proxy package directly from official Debian repositories.

• Auto-detects system architecture
• Downloads latest version from Debian repos
• Handles all dependencies
• Multi-architecture support (amd64, arm64, armhf, ...)

curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/refs/heads/master/install-latest-dnscrypt-proxy.bash | bash

2. dnscrypt-proxy-pihole.bash

Sets up DNSCrypt-proxy for optimal use with Pi-hole.

• Configures secure DNS settings
• Sets up port 53533 for Pi-hole
• Enables DNSSEC validation
• Configures no-logging policy
• Optimizes caching

curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/refs/heads/master/dnscrypt-proxy-pihole.bash | bash

Installation Methods

Method	Description	When to Use
dnscrypt-proxy-pihole-install	Installs pre-configured package	Quick, automated setup
install-latest-dnscrypt-proxy.bash	Installs vanilla dnscrypt-proxy from Debian repos	Custom installations
dnscrypt-proxy-pihole.bash	Configures dnscrypt-proxy for Pi-hole	After manual installation

---

⚙️ Configuration

Pi-hole Setup

1. Access the Pi-hole admin interface
2. Navigate to Settings → DNS
3. Set Custom DNS: 127.0.0.1#53533
4. Disable DNSSEC (handled by DNSCrypt)

Important Files

File	Purpose
/etc/dnscrypt-proxy/dnscrypt-proxy.toml	Main configuration
/var/log/dnscrypt-proxy/query.log	Query log
/lib/systemd/system/dnscrypt-proxy.service	Systemd service

---

🔐 Verification

Monitor DNS Resolution

tail -f /var/log/dnscrypt-proxy/query.log

Check Service Status

journalctl -f -u dnscrypt-proxy

DNSSEC Validation Tests

Test 1 — Valid domain (should succeed):

dig +dnssec google.com @127.0.0.1 -p 53533

Expected: status: NOERROR — confirms connectivity and successful resolution.

Test 2 — Corrupt signature (should fail):

dig dnssec-failed.org @127.0.0.1 -p 53533

Expected: status: SERVFAIL — confirms active DNSSEC validation is blocking the corrupt signature.

Online Tests

• DNSLeakTest
• Cloudflare ESNI Check

---

🗑️ Uninstall

Remove completely with:

sudo apt --purge autoremove dnscrypt-proxy-pihole -y

---

📄 License

This project is licensed under the MIT License.

---

☕ Support

If you find this project useful, consider supporting the development:

---

Made with ❤️ for the Raspberry Pi community