manpagez: man pages & more
man dnscrypt-proxy(8)
Home | html | info | man
dnscrypt-proxy(8)                                            dnscrypt-proxy(8)




NAME

       dnscrypt-proxy - A DNSCrypt forwarder


SYNOPSIS

       dnscrypt-proxy <config file>

       dnscrypt-proxy [<option>, ...]


DESCRIPTION

       dnscrypt-proxy  accepts  DNS  requests, authenticates and encrypts them
       using dnscrypt and forwards them to a remote dnscrypt-enabled resolver.

       Replies from the resolver are expected to be authenticated or else they
       will be discarded.

       The proxy verifies the replies, decrypts them, and  transparently  for-
       wards them to the local stub resolver.

       dnscrypt-proxy listens to 127.0.0.1 / port 53 by default.


OPTIONS (ignored when a configuration file is provided)

       o   -R,  --resolver-name=<name>:  name of the resolver to use, from the
           list of available resolvers  (see  -L).  Or  random  for  a  random
           resolver  accessible  over  IPv4,  that  doesn't  log  and supports
           DNSSEC.

       o   -a, --local-address=<ip>[:port]: what local IP the daemon will lis-
           ten to, with an optional port. The default port is 53.

       o   -d,  --daemonize:  detach  from  the  current  terminal and run the
           server in background.

       o   -E, --ephemeral-keys: By default, queries are always sent with  the
           same  public key, allowing providers to link this public key to the
           different IP addresses you are using. This  option  requires  extra
           CPU  cycles,  but mitigates this by computing an ephemeral key pair
           for every query. Use it if you are not using your own  server,  and
           the  remote  server  is  logging  your activity, and your client IP
           address is frequently changing. Not enabled by default  because  it
           may be slow, especially on non-Intel CPUs.

       o   -K,  --client-key=<file>:  use a static client secret key stored in
           <file>.

       o   -L, --resolvers-list=<file>: path to the CSV  file  containing  the
           list of available resolvers, and the parameters to use them.

       o   -l,  --logfile=<file>: log events to this file instead of the stan-
           dard output.

       o   -m, --loglevel=<level>: don't log events with priority  above  this
           level  after  the  service  has  been started up. Default is 6, the
           value for LOG_INFO. Valid values are  0  (system  is  unusable),  1
           (action  must  be  taken  immediately),  2 (critical conditions), 3
           (error conditions), 4 (warning conditions), 5 (normal but  signifi-
           cant condition), 6 (informational) and 7 (debug-level messages).

       o   -p, --pidfile=<file>: write the PID number to a file.

       o   -X, --plugin=<plugin_name>[,<options>]: enable a plugin.

       o   -N,   --provider-name=<FQDN>:   the  fully-qualified  name  of  the
           dnscrypt certificate provider (for private resolvers).

       o   -k, --provider-key=<key>: specify the provider public key (for pri-
           vate resolvers).

       o   -r,  --resolver-address=<ip>[:port]: a DNSCrypt-capable resolver IP
           address with an optional port (for private resolvers). The  default
           port is 443.

       o   -S,  --syslog:  if  a log file hasn't been set, log diagnostic mes-
           sages to syslog  instead  of  printing  them.  --daemonize  implies
           --syslog.

       o   -Z,  --syslog-prefix=prefix:  specify a string of message to insert
           at the beginning of every line sent to syslog. This implies  --sys-
           log.

       o   -n, --max-active-requests=<count>: set the maximum number of simul-
           taneous active requests. The default value is 250.

       o   -u, --user=<user name>: chroot(2) to this user's home directory and
           drop privileges.

       o   -t, --test=<margin>: don't actually start the proxy, but check that
           a valid certificate can be retrieved from the server  and  that  it
           will  remain  valid for the next margin minutes. The exit code is 0
           if a valid certificate can be used, 2 if no valid certificates  can
           be  used,  3 if a timeout occurred, and 4 if a currently valid cer-
           tificate is going to expire before margin.  The  margin  is  always
           specified in minutes.

       o   -T,  --tcp-only:  always  use TCP. A connection made using UDP will
           get a truncated response, so that the (stub) resolver retries using
           TCP.

       o   -e, --edns-payload-size=<bytes>: transparently add an OPT pseudo-RR
           to outgoing queries in order to enable the EDNS0  extension  mecha-
           nism.  The  payload  size  is  the  size of the largest response we
           accept from the resolver before retrying over TCP. This feature  is
           enabled  by  default,  with a payload size of 1252 bytes. Any value
           below 512 disables it.

       o   -I, --ignore-timestamps: ignore timestamps when validating certifi-
           cates.  Never enable this option unless you know you really need it
           (routers without a clock battery).

       o   -V, --version: show version number.

       o   -h, --help: show usage.



       A public key is 256-bit long, and it has to be specified as a hexadeci-
       mal string, with optional columns.


COMMON USAGE EXAMPLE

       $ dnscrypt-proxy /etc/dnscrypt.conf


COMMON USAGE EXAMPLE WITHOUT A CONFIGURATION FILE

       $ dnscrypt-proxy --daemonize --resolver-name=...

       The resolver name is the first column (Name) in the CSV file.


BUGS AND SUPPORT

       Please      report      issues      with     DNSCrypt     itself     to
       https://dnscrypt.org/issues


SEE ALSO

       hostip(8)



                                 January 2017                dnscrypt-proxy(8)

dnscrypt-proxy 1.9.4 - Generated Sun Jan 22 06:35:34 CST 2017
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.