Installation and Configuration of dnscrypt-proxy + dnsmasq in Archlinux


What is dnscrypt-proxy?
- DNSCrypt encrypts and authenticates DNS traffic between the user and DNS resolver, prevents local spoofing of DNS queries, ensuring that DNS responses are sent by the server of choice. (Wiki)

What is dnsmasq?
- dnsmasq provides services such as DNS cache and DHCP server. As a domain name server (DNS), it can cache DNS queries to improve connection speeds to previously visited sites, and, as a DHCP server, dnsmasq can be used to provide internal IP addresses and routes to computers on a LAN. One or both of these services can be implemented. dnsmasq is considered lightweight and easy to configure; it is designed for use on a personal computer or for use on a network with fewer than 50 computers. It also comes with a PXE server. (Wiki)

What did I use?
- To edit the configuration files I used nano.
- At all times I did it with my root account, but if you have sudo configured, you can use it without any problem.
- The dig command used to check the cache is in the bind-tools package in the official repositories: pacman -S bind-tools :)


  • As root or using sudo in our terminal or tty we install the dnscrypt-proxy and dnsmasq packages like this:
  • The warning message is because I already have them installed, you just have to confirm by pressing Enter:


1 - Let's enable dnscrypt-proxy (remember as root or using sudo):
2 - Now we edit the file /etc/resolv.conf and in nameserver we delete what is there and put (if you want you can make a backup of the file) and it should look like this:

  • Taking into account that NetworkManager writes the resolv.conf file, what we are going to do is protect it against writing with the following command:
3 - Now we look for the server closest to our location, but you can use the one that comes by default which is, the list can be opened with localc and is here: /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv like this:
  • If we want to modify the server that resolves the default DNS we can edit like this:
  • At the end of the file in the [Service] section we modify what is selected in gray and we place the server that we already selected in the list:
4 - By default dnscrypt-proxy uses port 53, and dnsmasq does too, so we are going to change it, again using:
systemctl edit dnscrypt-proxy.service --full
and in the [Socket] section we leave it as follows:
We save the changes and close.

5 - Now we configure dnsmasq, we are going to edit the /etc/dnsmasq.conf file and add these three lines at the end:

server = # 40
listen-address =

We save the changes and close.

6 - Now we do the following:
- We restart dnscrypt-proxy:
systemctl restart dnscrypt-proxy
- We activate dnsmasq:
systemctl enable dnsmasq
- We execute dnsmasq:
systemctl start dnsmasq
- We restart our internet connection:
systemctl restart NetworkManager

7 - Well now we test if it really works with a ping for example to

8 - We check if the dns cache works with the dig command:

- Note that the first dig I run has a delay of 349 msec, and when I repeat the query with dig, what happens? 0 msec, so it caches correctly.

9 - Done: dnscrypt-proxy and dnsmasq are configured and working properly!
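A check for step 8 that looks at more than speed, as an added example that is not part of the original post: it reads the Query time and SERVER lines that dig prints, and counts a repeated query as cached only when a loopback resolver answered it. It assumes dnsmasq listens on 127.0.0.1 (the address is not shown on the page); check_cache and the 5 msec ceiling are illustrative choices.

```sh
#!/bin/sh
# Constructed sample: footers of two consecutive dig runs. The 349 and 0 msec
# values are the article's; 127.0.0.1 is an assumed loopback listener.
FIRST=';; Query time: 349 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SECOND=';; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Print the query time in msec found in the dig output passed as $1.
query_time() {
    printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4; exit }'
}

# Print the address of the server that answered, from the ";; SERVER:" line.
answering_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Compare a first and a repeated query (hypothetical helper).
# Prints "cached", "not-cached", "not-local:<addr>" or "unparsable".
check_cache() {
    t1=$(query_time "$1")
    t2=$(query_time "$2")
    srv=$(answering_server "$2")
    if [ -z "$t1" ] || [ -z "$t2" ] || [ -z "$srv" ]; then
        echo "unparsable"; return 2
    fi
    # A fast answer from a non-loopback server bypassed dnsmasq entirely.
    case $srv in
        127.*|::1) ;;
        *) echo "not-local:$srv"; return 1 ;;
    esac
    # 5 msec is an assumed ceiling for an answer served from local memory.
    if [ "$t2" -lt "$t1" ] && [ "$t2" -le 5 ]; then
        echo "cached"; return 0
    fi
    echo "not-cached"; return 1
}

check_cache "$FIRST" "$SECOND"
# Live use: check_cache "$(dig example.org)" "$(dig example.org)"
```

A "not-local" result means /etc/resolv.conf is pointing somewhere other than the local dnsmasq, so the queries are not going through dnscrypt-proxy no matter how fast they return.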

Final note: I want to clarify that after searching in several places it did not work for me in any way that they showed in the Arch wiki, the Spanish version is poorly translated (it remains to be seen whether someone translates it well or I will do it at some point) so I used the version in English. So I basically relied on said wiki, all credits to them. In this case, these are the steps I used and they worked for ME.
If you have any questions or problems, let me know and we will talk about it until it works!

Goal hug! 😀


  1.   nameless said

    I do not notice any difference with dnsmasq, maybe with more users the cache will work, at least with only my computer I did not see changes in the speed.

    dig times with and without dnsmasq stay the same, maybe someone knows about another method and can share it.

    1.    ice said

      As seen on the screen, you can see a LOT of difference, I suppose it will depend on the bandwidth too ... 🙂

  2.   nameless said

    Attached image:
    imgur.com/9RQ7yhF.png

  3.   DanielSc3 said

    How long are dns addresses cached with dnsmasq? I remember trying it some time ago and after a few minutes, 10 or 5, dnsmasq forgets everything

    1.    ice said

      I didn't really get to see that ... good point. It will be consulted, maybe some scholar knows and will answer us 🙂

  4.   wisse said

    Hello, when I run "systemctl start dnsmasq" as root I get an error, and when I run the command "systemctl status dnsmasq.service" this is what I get:

    ● dnsmasq.service - A lightweight DHCP and caching DNS server
    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Mon 2016-03-07 11:41:41 ART; 18s ago
    Docs: man:dnsmasq(8)
    Process: 7747 ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file (code=exited, status=2)
    Process: 7742 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
    Main PID: 7747 (code=exited, status=2)

    Tue 07 11:41:41 Wisdom systemd[1]: Starting A lightweight DHCP and caching DNS server…
    Tue 07 11:41:41 Wisdom dnsmasq[7742]: dnsmasq: syntax check OK.
    Tue 07 11:41:41 Wisdom dnsmasq[7747]: dnsmasq: failed to create listening socket for port 53: Address already in use
    Tue 07 11:41:41 Wisdom systemd[1]: dnsmasq.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
    Tue 07 11:41:41 Wisdom systemd[1]: Failed to start A lightweight DHCP and caching DNS server.
    Tue 07 11:41:41 Wisdom systemd[1]: dnsmasq.service: Unit entered failed state.
    Tue 07 11:41:41 Wisdom systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

    What should I do? Thank you.

    1.    ice said

      I followed the steps to the letter, check the original tutorial on my blog. I left a video too.

  5.   gonza said

    @ice, comparing this post and the video you made about it, I can see that there is an error in step number 4 written here. The error is that the file to be edited is not "systemctl edit dnscrypt-proxy.service --full"; what must be edited is "systemctl edit dnscrypt-proxy.socket --full". (Note that instead of .service you must write .socket).

    That's why @wisse gets that error message when wanting to start the dnsmasq service (since the same thing happened to me too).
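The "Address already in use" failure in the log above can be diagnosed before starting dnsmasq by asking who is listening on port 53. This added example (not part of the original post or its comments) parses ss output and names the holders; with systemd socket activation the holder shows up as systemd, because the listening address lives in the [Socket] section of the .socket unit. holders_of_port and port53_verdict are hypothetical helper names, and the sample lines are constructed.

```sh
#!/bin/sh
# Constructed sample of `ss -H -lntup` output. PIDs, fds and addresses are
# made up; it models port 53 still being held by the socket unit.
SS_SAMPLE='udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("systemd",pid=1,fd=38))
tcp LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("systemd",pid=1,fd=37))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=410,fd=3))'

# Print each distinct process name listening on port $2 in ss output $1.
holders_of_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
    {
        n = split($5, a, ":")          # local address:port, port is last
        if (n == 0 || a[n] != port) next
        s = $0
        while (match(s, /"[^"]+"/)) {  # only process names are quoted
            name = substr(s, RSTART + 1, RLENGTH - 2)
            if (!(name in seen)) { seen[name] = 1; print name }
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# Say whether dnsmasq can own port 53 (hypothetical helper).
port53_verdict() {
    h=$(holders_of_port "$1" 53 | paste -sd, -)
    case $h in
        "")      echo "free: dnsmasq can bind" ;;
        dnsmasq) echo "ok: dnsmasq owns port 53" ;;
        *)       echo "conflict: held by $h"; return 1 ;;
    esac
}

port53_verdict "$SS_SAMPLE" || true
# Live use, as root so process names are visible:
#   port53_verdict "$(ss -H -lntup)"
```

After the .socket unit has been edited and dnscrypt-proxy restarted, the same check should report dnsmasq as the only holder of port 53, with the dnscrypt-proxy socket on the port given in the dnsmasq server line (40 in step 5).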