File README.openSUSE of Package dnscrypt-proxy

*                                                                         *
*        README.openSUSE last edited by cunix for version 2.0.45          *
*                                                                         *

Some hints:

Configure /etc/dnscrypt-proxy/dnscrypt-proxy.toml for your use case first!

If dnscrypt-proxy should act as your primary resolver and only listen at, start as root once with

      $ systemctl start dnscrypt-proxy.socket

  and if you don't want to repeat this after next boots, do

      $ systemctl enable dnscrypt-proxy.socket

If you have some other resolver listening on that should forward
queries to dnscrypt-proxy it is recommended to create as root the directory


and copy the file


into the created directory.
An example  file should be available in this doc directory:

Afterwards you have to start/enable the socket unit as described above in A.
Additionally your primary resolver has to be configured to forward requests to
the address specified in file dnscrypt-proxy.socket.conf - for

Alternatively the unit dnscrypt-proxy.service can be used the same way as the
socket unit described in A. for starting and enabling.

This will require you to set "listen_addresses" in file


In this case dnscrypt-proxy has to setup the sockets itself and because it is
by default executed as user "dnscrypt" it is not allowed to listen on
ports < 1024.

If dnscrypt-proxy should listen on these lower ports
a) the socket unit should be used or
b) the program has to be started directly by root or
c) the user and group settings in the service unit have to be overridden
   as described in B. with files ending with ".conf"
   in a to be created directory at


To make applications aware of the local domain name resolver and
to make the setups described above operational, you might have
to add a line like for example


to the file


If dnscrypt-proxy should be started by socket activation as described
in A. or B. and step D. should be automated, "resolvconf" can be utilized:

- Package "openresolv" has to be installed.

- Instead of the unit dnscrypt-proxy.socket or dnscrypt-proxy.service ,
  the systemd unit dnscrypt-proxy-resolvconf.service has to be used.

- The file /etc/resolv.conf will be edited temporarily.
  Do not use this approach if this unintended.

- You should be aware of and ready to deal with possible fallout taking this
  not really tested route.
  For example manual edits to /etc/resolv.conf will be lost if resolvconf is
  in control of this file, the clean-up on shutdown might fail, custom
  or invalid resolvconf configuration might prevent startup of dnscrypt-proxy
  and possibly more, ...

Make sure the other units are deactivated (as root):

      $ systemctl stop dnscrypt-proxy.socket

      $ systemctl disable dnscrypt-proxy.socket

      $ systemctl stop dnscrypt-proxy.service

      $ systemctl disable dnscrypt-proxy.service

Now start, and if you don't want to restart manually after reboot,
enable (as root):

      $ systemctl start dnscrypt-proxy-resolvconf.service

      $ systemctl enable dnscrypt-proxy-resolvconf.service

This will not work as intended for a setup as described in C., where
the "listen_addresses" is not configured through the socket unit.

The socket OR one of the service unit should be started/enabled - not all
and not two of them.

If the socket unit is used, it will start the dnscrypt-proxy.service unit
when queries are sent to one of its configured addresses.

On the other hand dnscrypt-proxy-resolvconf.service can be made responsible for
activating dnscrypt-proxy.socket.

If using systemd, the PID should be available in file


openSUSE Build Service is sponsored by