Provided by: dnscrypt-proxy_1.6.1-1_i386


       dnscrypt-proxy - A DNSCrypt forwarder


       dnscrypt-proxy [options]


       dnscrypt-proxy  accepts  DNS  requests, authenticates and encrypts them
       using dnscrypt and forwards them to a remote dnscrypt-enabled resolver.

       Replies from the resolver are expected to be authenticated or else they
       will be discarded.

       The  proxy  verifies  the  replies,  decrypts  them,  and transparently
       forwards them to the local stub resolver.

       dnscrypt-proxy listens to / port 53 by default.


       dnscrypt-proxy is not a DNS cache. Unless your operating system already
       provides  a decent built-in cache (and by default, most systems don't),
       clients shouldn't directly send requests to dnscrypt-proxy.

       Instead, run a  DNS  cache  like  Unbound,  and  configure  it  to  use
       dnscrypt-proxy  as a forwarder. Both can safely run on the same machine
       as long as they use different IP addresses and/or different ports.
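
       The cache-plus-forwarder layout described above, as an added example
       (not part of the original manual or the dnscrypt-proxy project). The
       function name, the sample addresses and port 5353 are assumptions;
       only IPv4 "ip[:port]" values are handled.

```shell
#!/bin/sh
# Added example: emit an Unbound configuration that forwards every query to a
# local dnscrypt-proxy, refusing layouts where both daemons would bind the same
# IP address and port. Addresses are IPv4 "ip[:port]", as accepted by -a.

# Append the default port (53) when the address carries none.
with_port() {
    case $1 in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:53\n' "$1" ;;
    esac
}

# unbound_forwarder_conf <unbound-listen ip[:port]> <proxy-listen ip[:port]>
unbound_forwarder_conf() {
    cache=$(with_port "$1")
    proxy=$(with_port "$2")
    if [ "$cache" = "$proxy" ]; then
        echo "error: Unbound and dnscrypt-proxy would both bind $cache" >&2
        return 1
    fi
    # Unbound writes a forwarder as ip@port, not ip:port. It also refuses to
    # send queries to localhost unless do-not-query-localhost is set to "no".
    cat <<EOF
server:
    interface: ${cache%:*}
    port: ${cache##*:}
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: ${proxy%:*}@${proxy##*:}
EOF
}

# Matching proxy invocation (resolver name left elided, as in the manual):
#   dnscrypt-proxy --daemonize --local-address=127.0.0.1:5353 --resolver-name=...
# Matching configuration for Unbound:
#   unbound_forwarder_conf 127.0.0.1 127.0.0.1:5353
```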


       ·   -a, --local-address=<ip>[:port]: what  local  IP  the  daemon  will
           listen to, with an optional port. The default port is 53.

       ·   -d,  --daemonize:  detach  from  the  current  terminal and run the
           server in background.

       ·   -E, --ephemeral-keys: By default, queries are always sent with  the
           same  public key, allowing providers to link this public key to the
           different IP addresses you are using. This  option  requires  extra
           CPU  cycles,  but mitigates this by computing an ephemeral key pair
           for every query.

       ·   -e, --edns-payload-size=<bytes>: transparently add an OPT pseudo-RR
           to  outgoing  queries  in  order  to  enable  the  EDNS0  extension
           mechanism. The payload size is the size of the largest response  we
           accept  from the resolver before retrying over TCP. This feature is
           enabled by default, with a payload size of 1252  bytes.  Any  value
           below 512 disables it.

       ·   -h, --help: show usage.

       ·   -k,  --provider-key=<key>:  specify  the  provider  public key (see

       ·   -K, --client-key=<file>: use a static client secret key  stored  in

       ·   -L,  --resolvers-list=<file>:  path  to the CSV file containing the
           list of available resolvers, and the parameters to use them.

       ·   -l, --logfile=<file>: log  events  to  this  file  instead  of  the
           standard output.

       ·   -m,  --loglevel=<level>:  don't log events with priority above this
           level after the service has been started  up.  Default  is  6,  the
           value  for  LOG_INFO.  Valid  values  are 0 (system is unusable), 1
           (action must be taken  immediately),  2  (critical  conditions),  3
           (error   conditions),   4   (warning  conditions),  5  (normal  but
           significant  condition),  6  (informational)  and  7   (debug-level

       ·   -n,   --max-active-requests=<count>:  set  the  maximum  number  of
           simultaneous active requests. The default value is 250.

       ·   -p, --pidfile=<file>: write the PID number to a file.

       ·   -R, --resolver-name=<name>: name of the resolver to use,  from  the
           list of available resolvers (see -L).

       ·   -r,  --resolver-address=<ip>[:port]: a DNSCrypt-capable resolver IP
           address with an optional port. The default port is 443.

       ·   -S, --syslog: if  a  log  file  hasn't  been  set,  log  diagnostic
           messages  to  syslog  instead of printing them. --daemonize implies

       ·   -t, --test=<margin>: don't actually start the proxy, but check that
           a  valid  certificate  can be retrieved from the server and that it
           will remain valid for the next margin minutes. The exit code  is  0
           if  a valid certificate can be used, 2 if no valid certificates can
           be used, 3 if a timeout  occurred,  and  4  if  a  currently  valid
           certificate  is going to expire before margin. The margin is always
           specified in minutes.

       ·   -u, --user=<user name>: chroot(2) to this user's home directory and
           drop privileges.

       ·   -N,   --provider-name=<FQDN>:   the  fully-qualified  name  of  the
           dnscrypt certificate provider.

       ·   -T, --tcp-only: always use TCP. A connection made  using  UDP  will
           get a truncated response, so that the (stub) resolver retries using

       ·   -V, --version: show version number.
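
       The -t exit codes listed above can drive a certificate-expiry check
       from cron or a monitoring agent. The following is an added example, not
       part of the original manual or the dnscrypt-proxy project; the function
       name, the DNSCRYPT_PROXY variable and the Nagios-style return values
       are assumptions.

```shell
#!/bin/sh
# Added example: wrap `dnscrypt-proxy --test=<margin>` for monitoring.
# Exit codes 0, 2, 3 and 4 are the ones documented for -t; the return values
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) are this script's own convention.

# Binary to run; overridable so the check can be exercised without a network.
DNSCRYPT_PROXY="${DNSCRYPT_PROXY:-dnscrypt-proxy}"

# check_cert <resolver-name> <margin-minutes>
check_cert() {
    resolver=$1
    margin=$2
    case $margin in
        ''|*[!0-9]*)
            echo "UNKNOWN: margin must be a whole number of minutes"
            return 3 ;;
    esac
    if [ -z "$resolver" ]; then
        echo "UNKNOWN: resolver name is required"
        return 3
    fi

    # Capture the exit code without tripping `set -e` in a calling script.
    rc=0
    "$DNSCRYPT_PROXY" --resolver-name="$resolver" --test="$margin" \
        >/dev/null 2>&1 || rc=$?

    case $rc in
        0) echo "OK: $resolver certificate valid for at least $margin more minutes"
           return 0 ;;
        4) echo "WARNING: $resolver certificate expires within $margin minutes"
           return 1 ;;
        2) echo "CRITICAL: $resolver offered no valid certificate"
           return 2 ;;
        3) echo "CRITICAL: timed out retrieving a certificate from $resolver"
           return 2 ;;
        *) echo "UNKNOWN: unexpected dnscrypt-proxy exit code $rc"
           return 3 ;;
    esac
}

# Usage: check_cert <resolver-name> 1440   (warn one day before expiry)
```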

       A public key is 256 bits long, and it has to be specified as a
       hexadecimal string, with optional colons.


       $ dnscrypt-proxy --daemonize --resolver-name=...

       The resolver name is the first column (Name) in the CSV file.


       $ dnscrypt-proxy --daemonize --provider-key=... --provider-name=... --resolver-address=...


       Please      report      issues      with     DNSCrypt     itself     to



                                 February 2016               DNSCRYPT-PROXY(8)