DNSCrypt

AdGuard Home - DNSCrypt

• Generating a Configuration file
• Generating a DNSCrypt stamp
• Configuring devices to use DNSCrypt

Since v0.105.0, AdGuard Home is able to work as a DNSCrypt server. However, this feature is only available via configuration file, you cannot set it up using the Web UI. This guide explains how to do this.

Generating a configuration file

Here is how to generate a DNSCrypt configuration file and point AdGuard Home to it:

1. Important! Make sure that your TLS settings are valid and encryption is enabled.

2. Get the latest version of the dnscrypt utility for your system. Extract the archive and navigate to the resulting directory.

   • On Unix, using a POSIX-compatible shell:

     (Here and below, linux-amd64 is used as an example. Make sure to download and use the one for your platform.)

     1. tar -f ./dnscrypt-linux-amd64-v2.2.3.tar.gz -v -x -z

        Output example:

        linux-amd64/
        linux-amd64/README.md
        linux-amd64/LICENSE
        linux-amd64/dnscrypt
        

     2. cd ./linux-amd64/

     3. ./dnscrypt generate --provider-name '2.dnscrypt-cert.example.org'\
            --out ./dnscrypt.yaml

        Output example:

        2022/01/02 12:34:56 [info] Generating configuration for 2.dnscrypt-cert.example.org
        2022/02/02 12:34:56 [info] Configuration has been written to ./dnscrypt.yaml
        2022/02/02 12:34:56 [info] Go to https://dnscrypt.info/stamps to generate an SDNS stamp
        2022/02/02 12:34:56 [info] You can run a DNSCrypt server using the following command:
        2022/02/02 12:34:56 [info] dnscrypt server -c ./dnscrypt.yaml -f 8.8.8.8
        

   • On Windows, using PowerShell:

     (Here and below, windows-amd64 is used as an example. Make sure to download and use the one for your CPU architecture.)

     1. Expand-Archive -Path .\dnscrypt-windows-amd64-v2.2.3.zip

     2. Set-Location -Path .\dnscrypt-windows-amd64-v2.2.3\windows-amd64\

     3. .\dnscrypt.exe generate --provider-name '2.dnscrypt-cert.example.org' `
            --out .\dnscrypt.yaml

        Output example:

        2022/01/02 12:34:56 [info] Generating configuration for 2.dnscrypt-cert.example.org
        2022/02/02 12:34:56 [info] Configuration has been written to .\dnscrypt.yaml
        2022/02/02 12:34:56 [info] Go to https://dnscrypt.info/stamps to generate an SDNS stamp
        2022/02/02 12:34:56 [info] You can run a DNSCrypt server using the following command:
        2022/02/02 12:34:56 [info] dnscrypt server -c .\dnscrypt.yaml -f 8.8.8.8
        

   Where example.org is the name of your host and ./dnscrypt.yaml is the name of the configuration output file.

   You may add the path to the binary into your PATH/$env:PATH.

3. Before changing the configuration file, it is important to stop AdGuard Home. In your AdGuardHome configuration file (typically AdGuardHome.yaml), add the following lines:

   'tls':
     # N.B. The encryption must be enabled.
     'enabled': true
     # …
     'port_dnscrypt': 5443
     'dnscrypt_config_file': './dnscrypt.yaml'

   Where 5443 is the port for your DNSCrypt server and ./dnscrypt.yaml is the name of the configuration file generated in step 2.

   On Windows, it is recommended to use the full path to the configuration file. For example, C:\Users\Me\Files\dnscrypt.yaml.

Generating a DNSCrypt stamp

Here is how to generate a DNSCrypt stamp and check your installation:

1. Go to https://dnscrypt.info/stamps/.

2. Enter the data from your DNSCrypt configuration file. The Provider public key is the value of the public_key field in your DNSCrypt configuration file. Do not forget to enter the host with your custom port!

3. Now you have a stamp that looks something like this:

   sdns://AQcAAAAAAAAADTEyNy4wLjAuMTo0NDMg8R3bzEgX5UOEX93Uy4gYSbZCJvPeOXYlZp2HuRm8T7AbMi5kbnNjcnlwdC1jZXJ0LmV4YW1wbGUub3Jn
   

   Check your installation by running:

   ./dnscrypt lookup-stamp\
       --domain 'example.com'\
       --stamp 'sdns://AQcAAAAAAAAADTEyNy4wLjAuMTo0NDMg8R3bzEgX5UOEX93Uy4gYSbZCJvPeOXYlZp2HuRm8T7AbMi5kbnNjcnlwdC1jZXJ0LmV4YW1wbGUub3Jn'\
       --type 'a'

   Or, on Windows:

   .\dnscrypt.exe lookup-stamp `
       --domain 'example.com' `
       --stamp 'sdns://AQcAAAAAAAAADTEyNy4wLjAuMTo0NDMg8R3bzEgX5UOEX93Uy4gYSbZCJvPeOXYlZp2HuRm8T7AbMi5kbnNjcnlwdC1jZXJ0LmV4YW1wbGUub3Jn' `
       --type 'a'

   Where example.com is the domain name to lookup.

Configuring devices to use DNSCrypt

• All platforms: dnscrypt-proxy (reference implementation). DNSCrypt-Proxy is a command-line proxy for Linux, BSD, Windows, MacOS, Android, and more.

• Android: AdGuard for Android supports DNSCrypt.

• iOS: AdGuard for iOS supports DNSCrypt.

• iOS: DNSCloak uses dnscrypt-proxy internally and supports DNSCrypt.

• Windows: AdGuard for Windows supports DNSCrypt.

• Windows: Simple DNSCrypt is a simple management tool to configure and run dnscrypt-proxy on Windows.

You can find more implementations on the DNSCrypt website.