I have found myself wondering if it would be a good idea to implement DNSCrypt (dns-proxy) as a standard for Zorin OS. The integration of this innovative technology could significantly improve user privacy. Please let me know what you think of the idea.
I tried to get DNSCrypt working, and did, after a fashion... I could start it manually and it'd work alright, but only with a terminal window open. It absolutely refused to start automatically; it somehow couldn't find the .toml configuration file when starting automatically.
For example, Simple DNSCrypt works like a charm on Windows. I'm uncertain about the potential challenges that dns-proxy might pose if implemented as a default or optional choice, but I believe the chances of it being worth it are high.
Encrypted DNS requests make it far more difficult for man-in-the-middle attacks to take place (where a malicious third party answers your DNS queries and redirects you to a fake website, often one that looks identical to the website you intended to visit, as a means of stealing passwords or bank log-in credentials).
It also makes it nearly impossible for state actors to monitor the queries you make and thus the websites you visit (predicated upon you not using an ISP such as AT&T which ships their traffic data straight to the Feds... and even then, encrypted traffic is difficult to get much info from, which is why you should enable HTTPS Everywhere).
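To make the "what does an observer see" point concrete, here is an added example (not from the thread, and not dnscrypt-proxy's own code). It builds a DNS query in wire format, reads the queried name straight out of the raw bytes the way a passive monitor on the path would, shows that a cleartext answer is tied to its query by nothing more than a 16-bit transaction id plus the echoed question, and then shows the same query in the DoH GET form of RFC 8484, where the whole wire message is an opaque parameter inside HTTPS. The hostnames, IP and resolver URL are placeholders.

```python
"""Cleartext DNS versus DNS-over-HTTPS, from a network monitor's point of view.

Added example for the discussion above; stdlib only.  Names, addresses and the
resolver URL are constructed placeholders.
"""
import base64
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def read_name(data: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end

def sniff_qname(packet: bytes) -> str:
    """What a passive observer reads directly out of a cleartext DNS packet."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    name, _ = read_name(packet, 12)
    return name

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed answer: same txid, question echoed, one A record via a pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def parse_a_records(packet: bytes) -> list:
    """Return [(name, ipv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(packet, offset)
        offset += 4  # qtype + qclass
    records = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata)))
    return records

def response_matches(query: bytes, response: bytes) -> bool:
    """All that binds a cleartext answer to its query: the 16-bit txid and the
    echoed question.  Anyone on the path sees both, which is the MITM risk."""
    same_txid = query[:2] == response[:2]
    _, q_end = read_name(query, 12)
    return same_txid and query[12:q_end + 4] == response[12:q_end + 4]

def doh_get_url(packet: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: the wire query, base64url without padding, as ?dns=.
    On the wire this travels inside TLS, so the monitor sees only the resolver."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

def doh_decode(url: str) -> bytes:
    """What the DoH resolver does with the parameter (padding restored)."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("cleartext UDP: observer reads", sniff_qname(q))
    r = build_response(q, "203.0.113.10")
    print("cleartext answer:", parse_a_records(r), "matches query:", response_matches(q, r))
    print("DoH transport:", doh_get_url(q))
```

Note that `response_matches` is deliberately the whole check a plain UDP stub resolver can do; DoH replaces it with the TLS authentication of the resolver, which is the property the post above is describing.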
There are many preferences and utilities that users may wish to install, configure and use on their own.
These are user case specific and can be confusing to a new user, especially a Windows refugee.
If this was the Kali Linux forum, I might agree with the poll. But this is the Zorin Forum; where users learn how to develop their wings before learning to fly.
I think what Aravisian said summarizes how I feel about this. DNS is just one more piece to the "privacy online" puzzle and not even the most important one since even with everything encrypted Server Name Indication is still not encrypted (unless there has been an update on this? I haven't checked in a while).
Kudos to @Mr_Magoo for the great explanation. @zenzen Yes you are right, I submitted two votes. The poll allows for up to three votes per user. You can still adapt your vote if you wish.
How effective is ECH, really? From a quick search it looks like it requires TLS-over-HTTPS, has to be supported by the browser and the visited website. Using a VPN seems far more effective, or at least provides better guarantees, and is easier to set up.
I'm not sure of its effectiveness... of course, there's always trade-offs with using a third party such as a VPN... you're trusting that the VPN provider isn't as 'spy-ish' as those you wish to block from spying on you... and it's my contention that many of the VPN providers are actually fronts put up by Feds for exactly the purpose of monitoring people (just as some Tor exit nodes were found, back in the day, to be run by the Feds to track people's activities... get two high-traffic, high-uptime, high-ranked Tor nodes run by the Feds in your hop route, and you might as well not even be using Tor (the longer you consistently run a Tor exit node and the higher the traffic you can transit, the higher your rank and the more traffic you'll get)). That's why I used to run a customized Tor exit node... no logs, anonymous TCP DNS resolution, and for my own hop route, it randomly varied from 4 to 8 hops rather than the standard 3.
I enabled ECH because once I get DNS-over-HTTPS (DoH) working, every packet will be encrypted, as it should be. The trick is to get DoH working... and I just couldn't do it with DNSCrypt.
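The SNI point raised a few posts up, and the ECH discussion just above, are easiest to see by looking at an actual ClientHello. The following is an added example, not code from the thread or from any browser: it constructs a minimal TLS 1.3 ClientHello and then parses it the way a passive network monitor would, pulling out the server_name extension. Without ECH the real hostname is right there in cleartext even though the DNS lookup went over DoH; with ECH the outer ClientHello carries only the provider's public name while the real name sits in an encrypted inner ClientHello. The hostnames are placeholders, the ECH payload is an opaque constructed blob, and the ECH extension codepoint used here (0xfe0d) is the one from the ECH drafts, which is an assumption to check against the final RFC.

```python
"""What a passive monitor sees in a TLS ClientHello: the SNI, unless ECH is used.

Added example for the SNI/ECH discussion above; stdlib only.  Hostnames and the
ECH payload are constructed placeholders.
"""
import struct
from typing import Optional

ECH_EXT_TYPE = 0xFE0D  # encrypted_client_hello codepoint from the ECH drafts (assumption)
SNI_EXT_TYPE = 0x0000  # server_name, RFC 6066

def build_client_hello(sni: Optional[str], ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with the given extensions."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT_TYPE, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # legacy version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record: bytes) -> dict:
    """Walk the ClientHello like a sniffer and report the cleartext SNI and ECH presence."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q < 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                if ntype == 0:
                    result["sni"] = edata[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == ECH_EXT_TYPE:
            result["ech"] = True
    return result

if __name__ == "__main__":
    # Without ECH: DoH hid the lookup, but the TLS handshake still names the site.
    print(inspect_client_hello(build_client_hello("secret.example")))
    # With ECH: the outer SNI is only the provider's public name; the real one is
    # inside the (here constructed) encrypted inner ClientHello.
    print(inspect_client_hello(build_client_hello("public.example", b"\xaa" * 48)))
```

Running it prints `{'sni': 'secret.example', 'ech': False}` for the first hello and `{'sni': 'public.example', 'ech': True}` for the second, which is the whole argument: DoH alone leaves the hostname in the handshake, and ECH is what removes it.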
@Mr_Magoo Thank you for the excellent post. I'd like to seize this opportunity to share a Firefox tutorial, crafted with ChatGPT:
For Firefox users, here's a step-by-step guide:
1. Open a new tab in Firefox and type about:config in the address bar.
2. Accept the warning prompt.
3. In the search bar, type network.security.esni.enabled and ensure it is set to true. This setting is related to Encrypted SNI (Server Name Indication), similar to ECH.
4. For DNS over HTTPS (DoH), navigate to Firefox settings:
a. Click on the menu button (three horizontal lines) and select "Preferences" (or "Options" on Windows).
b. Scroll down to the "General" section.
c. In the "Network Settings" section, click on "Settings" next to "Enable DNS over HTTPS."
d. Choose the provider you want to use, or opt for a custom one.
These steps are somewhat equivalent to the "Use Secure DNS" setting in Chrome.
Just keep in mind that enabling DoH in the browser doesn't enable it machine-wide... it only works for that browser. The reason we want DNSCrypt is because it's then enabled machine-wide.
The installation process should not be complicated by extra questions, just needs to be simple and reliable.
DNSCrypt should be left to the individual user to consider, after they have a working system and start to tailor to their needs.