File: dnscrypt-proxy.8.markdown

dnscrypt-proxy 1.9.4-1
dnscrypt-proxy(8) -- A DNSCrypt forwarder
=========================================

## SYNOPSIS

`dnscrypt-proxy <config file>`

`dnscrypt-proxy [<option>, ...]`

## DESCRIPTION

**dnscrypt-proxy** accepts DNS requests, authenticates and encrypts
them using dnscrypt and forwards them to a remote dnscrypt-enabled
resolver.

Replies from the resolver are expected to be authenticated or else
they will be discarded.

The proxy verifies the replies, decrypts them, and transparently
forwards them to the local stub resolver.

`dnscrypt-proxy` listens on `127.0.2.1`, port `53`, by default.

## OPTIONS (ignored when a configuration file is provided)

  * `-R`, `--resolver-name=<name>`: name of the resolver to use, from
    the list of available resolvers (see `-L`), or `random` for a randomly
    chosen resolver that is reachable over IPv4, doesn't log and supports DNSSEC.

  * `-a`, `--local-address=<ip>[:port]`: what local IP the daemon will listen
    to, with an optional port. The default port is 53.

  * `-d`, `--daemonize`: detach from the current terminal and run the server
    in background.

  * `-E`, `--ephemeral-keys`: By default, queries are always sent with the
    same public key, allowing providers to link this public key to the
    different IP addresses you are using. This option mitigates that, at the
    cost of extra CPU cycles, by computing an ephemeral key pair for
    every query. Use it if you are not using your own server, the
    remote server is logging your activity, and your client IP address
    changes frequently. Not enabled by default because it may be slow,
    especially on non-Intel CPUs.

  * `-K`, `--client-key=<file>`: use a static client secret key stored in
    `<file>`.

  * `-L`, `--resolvers-list=<file>`: path to the CSV file containing
    the list of available resolvers, and the parameters to use them.

  * `-l`, `--logfile=<file>`: log events to this file instead of the
    standard output.

  * `-m`, `--loglevel=<level>`: don't log events with priority above
    this level after the service has been started up. Default is `6`,
    the value for `LOG_INFO`. Valid values are `0` (system is unusable),
    `1` (action must be taken immediately), `2` (critical conditions),
    `3` (error conditions), `4` (warning conditions),
    `5` (normal but significant condition), `6` (informational) and
    `7` (debug-level messages).

  * `-p`, `--pidfile=<file>`: write the PID number to a file.

  * `-X`, `--plugin=<plugin_name>[,<options>]`: enable a plugin.

  * `-N`, `--provider-name=<FQDN>`: the fully-qualified name of the
    dnscrypt certificate provider (for private resolvers).

  * `-k`, `--provider-key=<key>`: specify the provider public key
    (for private resolvers).

  * `-r`, `--resolver-address=<ip>[:port]`: a DNSCrypt-capable resolver IP
    address with an optional port (for private resolvers).
    The default port is 443.

  * `-S`, `--syslog`: if a log file hasn't been set, log diagnostic messages to
    syslog instead of printing them. `--daemonize` implies `--syslog`.

  * `-Z`, `--syslog-prefix=<prefix>`: specify a string to insert at
    the beginning of every line sent to syslog. This implies `--syslog`.

  * `-n`, `--max-active-requests=<count>`: set the maximum number of
    simultaneous active requests. The default value is 250.

  * `-u`, `--user=<user name>`: chroot(2) to this user's home directory
    and drop privileges.

  * `-t`, `--test=<margin>`: don't actually start the proxy, but check that
    a valid certificate can be retrieved from the server and that it
    will remain valid for the next `<margin>` minutes. The exit code is 0
    if a valid certificate can be used, 2 if no valid certificates can be used,
    3 if a timeout occurred, and 4 if a currently valid certificate is
    going to expire before `<margin>`. The margin is always specified in
    minutes.

  * `-T`, `--tcp-only`: always use TCP. A query received over UDP
    will get a truncated response, so that the (stub) resolver retries over
    TCP.

  * `-e`, `--edns-payload-size=<bytes>`: transparently add an OPT
    pseudo-RR to outgoing queries in order to enable the EDNS0
    extension mechanism. The payload size is the size of the largest
    response we accept from the resolver before retrying over TCP.
    This feature is enabled by default, with a payload size of 1252
    bytes. Any value below 512 disables it.

  * `-I`, `--ignore-timestamps`: ignore timestamps when validating certificates.
    Never enable this option unless you know you really need it (routers without
    a clock battery).

  * `-V`, `--version`: show version number.

  * `-h`, `--help`: show usage.

A public key is 256 bits long, and it has to be specified as a hexadecimal
string, with optional colons.
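To make the `--edns-payload-size` behaviour concrete, here is an added example (not code from the dnscrypt-proxy project) that builds a DNS query in wire format and appends the EDNS0 OPT pseudo-RR the same way the option describes: the advertised UDP payload size lives in the OPT record's CLASS field, the default is 1252, and any value below 512 leaves the query without an OPT record. The minimal encoder and the `1252`/`512` rule are taken from this page; the function names are mine.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                edns_payload: int = 1252) -> bytes:
    """Standard recursive query for qname; an OPT pseudo-RR is appended
    only when edns_payload >= 512, mirroring --edns-payload-size."""
    arcount = 1 if edns_payload >= 512 else 0
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if arcount:
        # OPT RR: root name, TYPE 41, CLASS = sender's max UDP payload,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt

def advertised_payload_size(packet: bytes):
    """Return the UDP payload size advertised by a query's OPT RR,
    or None when the query carries no EDNS0 OPT record."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", packet[:12])
    if ar == 0:
        return None
    pos = 12
    for _ in range(qd):               # skip the question section
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4                  # name terminator + QTYPE/QCLASS
    # A query has no answer/authority records, so the OPT RR comes next
    # and must use the root name (a single zero byte).
    if packet[pos] != 0:
        return None
    rtype, rclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return rclass if rtype == 41 else None
```

`advertised_payload_size` is what a resolver (or the proxy itself) reads to decide how large a UDP reply it may send before the client must retry over TCP.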

## COMMON USAGE EXAMPLE

    $ dnscrypt-proxy /etc/dnscrypt.conf

## COMMON USAGE EXAMPLE WITHOUT A CONFIGURATION FILE

    $ dnscrypt-proxy --daemonize --resolver-name=...

The resolver name is the first column (Name) in the CSV file.

## BUGS AND SUPPORT

Please report issues with DNSCrypt itself to https://dnscrypt.org/issues

## SEE ALSO

hostip(8)