The net/dnscrypt-proxy port

dnscrypt-proxy-2.0.42 – flexible DNS proxy with support for encrypted DNS protocols (source)


dnscrypt-proxy is a flexible DNS proxy with support for modern encrypted DNS
protocols, such as DNSCrypt v2 and DNS-over-HTTPS, and features:

- DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) and
- DNS query monitoring with separate log files for regular and suspicious
- Filtering: block ads, malware and other unwanted content. Compatible with all
  DNS services.
- Time-based filtering with a flexible weekly schedule.
- Transparent redirection of specific domains to specific resolvers.
- DNS caching to reduce latency and improve privacy.
- Local IPv6 blocking to reduce latency on IPv4-only networks.
- Load balancing: pick a set of resolvers, and dnscrypt-proxy will automatically
  measure their speeds in order to balance traffic among the fastest available.
- Cloaking: like a HOSTS file on steroids that can return preconfigured
  addresses for specific names or resolve and return the IP addresses of
  other names. This can be used for local development, as well as to
  enforce safe search results on Google, Yahoo and Bing.
- Automatic background updates of resolvers lists.
- Can force outgoing connections to use TCP.
- Supports SOCKS proxies.
- Compatible with DNSSEC.


$OpenBSD: README,v 1.3 2019/06/04 10:02:45 bket Exp $

| Running ${PKGSTEM} on OpenBSD

dnscrypt-proxy listens for DNS queries on a local address and forwards
them to a DNSCrypt resolver over an encrypted channel.

To use this package, several things are required.

Customizing dnscrypt-proxy.toml

Ensure that ${SYSCONFDIR}/dnscrypt-proxy.toml fits your needs.

Uncomment 'server_names' to have a smaller set of public resolvers to be used
for load balancing. If this line is commented, all registered servers matching
the require_* filters will be used for load balancing. Refer to
${LOCALSTATEDIR}/dnscrypt-proxy/ for a list of all public

Load balancing strategy
Note the load balancing strategy, controlled by 'lb_strategy'. It can be
set to one of the following values:
  - 'first' (always pick the fastest server in the list)
  - 'p2' (randomly choose between the top two fastest servers)
  - 'ph' (randomly choose between the top fastest half of all servers)
  - 'random' (just pick any random server from the list)

'p2' is the default option. For more information, see

Logging is disabled by default.

To log to /var/log/messages:
log_level = 2
use_syslog = true

To log to a custom file:
log_level = 2
log_file = '/var/log/dnscrypt-proxy.log'


Start the daemon:

# rcctl enable dnscrypt_proxy
# rcctl start dnscrypt_proxy


Set /etc/resolv.conf to perform queries from dnscrypt-proxy:

lookup file bind

Note: If your IP address is dynamically fetched, dhclient(8) will normally
update resolv.conf with network-provided DNS servers. This can be avoided by
using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf.

For more information, see


Nam Nguyen

Only for arches

aarch64 amd64 arm arm64 armv7 i386


lang/go net

Build dependencies


File Descr
Path Name
Category Maintainer