bionic (8) dnscrypt-proxy.8.gz

Provided by: dnscrypt-proxy_1.9.5-1build1_amd64 bug

NAME
       dnscrypt-proxy - A DNSCrypt forwarder


SYNOPSIS
       dnscrypt-proxy <config file>

       dnscrypt-proxy [<option>, ...]


DESCRIPTION
       dnscrypt-proxy  accepts DNS requests, authenticates and encrypts them using dnscrypt and forwards them to
       a remote dnscrypt-enabled resolver.

       Replies from the resolver are expected to be authenticated or else they will be discarded.

       The proxy verifies the replies, decrypts  them,  and  transparently  forwards  them  to  the  local  stub
       resolver.

       dnscrypt-proxy listens to 127.0.2.1 / port 53 by default.


OPTIONS (ignored when a configuration file is provided)
-R,  --resolver-name=<name>:  name  of the resolver to use, from the list of available resolvers (see
           -L). Or random for a random resolver accessible over IPv4, that doesn´t log and supports DNSSEC.

       •   -a, --local-address=<ip>[:port]: what local IP the daemon will listen to, with an optional port.  The
           default port is 53.

       •   -d, --daemonize: detach from the current terminal and run the server in background.

       •   -E,  --ephemeral-keys:  By  default,  queries  are  always  sent  with  the same public key, allowing
           providers to link this public key to the different IP addresses you are using. This  option  requires
           extra  CPU  cycles,  but mitigates this by computing an ephemeral key pair for every query. Use it if
           you are not using your own server, and the remote server is logging your activity, and your client IP
           address  is  frequently  changing.  Not  enabled  by  default  because  it may be slow, especially on
           non-Intel CPUs.

       •   -K, --client-key=<file>: use a static client secret key stored in <file>.

       •   -L, --resolvers-list=<file>: path to the CSV file containing the list of available resolvers, and the
           parameters to use them.

       •   -l, --logfile=<file>: log events to this file instead of the standard output.

       •   -m,  --loglevel=<level>:  don´t  log events with priority above this level after the service has been
           started up. Default is 6, the value for LOG_INFO. Valid values are 0 (system is unusable), 1  (action
           must  be taken immediately), 2 (critical conditions), 3 (error conditions), 4 (warning conditions), 5
           (normal but significant condition), 6 (informational) and 7 (debug-level messages).

       •   -p, --pidfile=<file>: write the PID number to a file.

       •   -X, --plugin=<plugin_name>[,<options>]: enable a plugin.

       •   -N, --provider-name=<FQDN>: the fully-qualified  name  of  the  dnscrypt  certificate  provider  (for
           private resolvers).

       •   -k, --provider-key=<key>: specify the provider public key (for private resolvers).

       •   -r, --resolver-address=<ip>[:port]: a DNSCrypt-capable resolver IP address with an optional port (for
           private resolvers). The default port is 443.

       •   -S, --syslog: if a log file hasn´t been set, log diagnostic messages to syslog  instead  of  printing
           them. --daemonize implies --syslog.

       •   -Z, --syslog-prefix=prefix: specify a string of message to insert at the beginning of every line sent
           to syslog. This implies --syslog.

       •   -n, --max-active-requests=<count>: set the  maximum  number  of  simultaneous  active  requests.  The
           default value is 250.

       •   -u, --user=<user name>: chroot(2) to this user´s home directory and drop privileges.

       •   -t,  --test=<margin>:  don´t  actually  start  the  proxy,  but check that a valid certificate can be
           retrieved from the server and that it will remain valid for the next margin minutes. The exit code is
           0  if  a  valid  certificate  can  be  used,  2  if no valid certificates can be used, 3 if a timeout
           occurred, and 4 if a currently valid certificate is going to expire  before  margin.  The  margin  is
           always specified in minutes.

       •   -T,  --tcp-only:  always  use TCP. A connection made using UDP will get a truncated response, so that
           the (stub) resolver retries using TCP.

       •   -e, --edns-payload-size=<bytes>: transparently add an OPT pseudo-RR to outgoing queries in  order  to
           enable  the EDNS0 extension mechanism. The payload size is the size of the largest response we accept
           from the resolver before retrying over TCP. This feature is enabled by default, with a  payload  size
           of 1252 bytes. Any value below 512 disables it.

       •   -I,  --ignore-timestamps:  ignore  timestamps  when validating certificates. Never enable this option
           unless you know you really need it (routers without a clock battery).

       •   -V, --version: show version number.

       •   -h, --help: show usage.

       A public key is 256-bit long, and it has to be specified as a hexadecimal string, with optional columns.


COMMON USAGE EXAMPLE
       $ dnscrypt-proxy /etc/dnscrypt.conf


COMMON USAGE EXAMPLE WITHOUT A CONFIGURATION FILE
       $ dnscrypt-proxy --daemonize --resolver-name=...

       The resolver name is the first column (Name) in the CSV file.


BUGS AND SUPPORT
       Please report issues with DNSCrypt itself to https://dnscrypt.org/issues


SEE ALSO
       hostip(8)

                                                  January 2018                                 DNSCRYPT-PROXY(8)