Problem with installing DNScrypt

I'm having a whole lot of trouble installing DNScrypt on Zorin 15.3 core. I'm suspicious that the issue is with Zorin. Can somebody else try to install it and confirm/disprove?


Can you describe what method of installation you used and what your troubles are?

I'm installing it via the sudo apt install dnscrypt-proxy command but mid-installation it gets stuck and finishes the installation with this error: Job for dnscrypt-proxy.service failed because a timeout was exceeded. I can't get it to work at all. Even tried it on a fresh Zorin installation but I get the same error.

1 Like

That sounds like a repo issue.
Can you remove existing files first:

sudo apt purge dnscrypt-proxy

Then add the repo, update and then install:

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy

sudo apt-get update

sudo apt install dnscrypt-proxy


Yes, you were right. I was not expecting it to be a repo issue! Thanks.

1 Like

Did you get it to work? Because I've been trying, but every time I stop and disable systemd-resolved (so only dnscrypt-proxy is listening on port 53), it won't resolve URLs.

I've got a long record of everything I did (see below). I even edited the .toml file so it was identical to the settings I had when I was running Simple DNSCrypt under Windows, and I edited resolve.conf to reflect the different listening IP address, and NetworkManager.conf (hoping that I could replace dns=dnsmasq with dns=dnscrypt-proxy)... all no joy.

I ended up purging dnscrypt and reenabling and restarting systemd-resolved, whereupon DNS resolution started working again.

Here's what I did:

First, we want to make sure everything is up to date, so we issue the command:

sudo apt update

... and if anything needs updating, we issue the command:

sudo apt upgrade

Then we can fetch DNSCrypt (latest version: 2.0.31) by issuing the command:

sudo apt install dnscrypt-proxy

We need to know if anything is listening on port 53, so we issue the command:

ss -lp 'sport = :domain'

You should see output like this:

Netid State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port Process 
udp   UNCONN  0       0  *            
udp   UNCONN  0       0*            
tcp   LISTEN  0       4096*            
tcp   LISTEN  0       4096*

Now issue the commands:

systemctl stop systemd-resolved
systemctl disable systemd-resolved

And just to be sure that only DNSCrypt is now listening on port 53, issue the command again:

ss -lp 'sport = :domain'

You should see output like this:

Netid State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port Process 
udp   UNCONN  0       0  *            
tcp   LISTEN  0       4096*

Now we need to configure the .toml configuration file. The easiest way of doing that is to start gedit as root:

sudo gedit

Then open the file at /usr/share/doc/dnscrypt-proxy/examples/example-dnscrypt-proxy.toml, edit it, then save it to /etc/dnscrypt-proxy/dnscrypt-proxy.toml (NOTE THE CHANGE IN FILE NAME). This gives you the chance to edit the file to your liking before saving it.

In that file, I changed:

listen_addresses = ['', '[::1]:53']


listen_addresses = []
Note: I first tried this with apparently making this blank is required because it installs systemd sockets instead of standard sockets. Alternatively, you can disable systemd sockets and keep the listen-addresses entries:


force_tcp = false


force_tcp = true


# log_level = 2


log_level = 6


# dnscrypt_ephemeral_keys = false


dnscrypt_ephemeral_keys = true


# tls_disable_session_tickets = false


tls_disable_session_tickets = true


ignore_system_dns = false


ignore_system_dns = true

and (because I'm on an IPv4 network)...

block_ipv6 = false


block_ipv6 = true

... and I uncommented:

lb_strategy = 'p2'
lb_estimator = true
use_syslog = true

Then issue the commands:

systemctl enable dnscrypt-proxy
systemctl start dnscrypt-proxy

Now we have to connect DNSCrypt to Network Manager:

sudo gedit

Open /etc/NetworkManager/NetworkManager.conf

... and change:




... then save that file.

Then we have to change the system DNS settings. Issue the command:

sudo gedit

... and open the file /etc/resolv.conf, and save it as /etc/resolv.conf.backup

Then go back and reopen /etc/resolv.conf and edit it so it shows the following:

options edns0 trust-ad

... and save that file.

Then we need to set up dnscrypt-proxy as a system service.

In Terminal, type:

cd /etc/dnscrypt-proxy
dnscrypt-proxy -service install
dnscrypt-proxy -service start

In your Network Settings, change DNS server from 'Automatic' to ''.

Then issue the command:

sudo systemctl restart NetworkManager.service

Then reboot your computer.

If you decide that DNSCrypt isn't for you, you can remove it by issuing:

dnscryptproxy -service stop
sudo apt purge dnscrypt-proxy
systemctl enable systemd-resolved
systemctl start systemd-resolved

Can anyone see what I'm doing wrong?

I think Comcast is doing DNS hijacking... even though I've got other DNS servers set up (on the computer and in the router, using regular DNS, not DoH nor encrypted DNS), Comcast's DNS servers always show up as what I'm using.

DNSCrypt will fix that (just as it did under Windows), if I can get it working.

1 Like

I would not be surprised... Very Glad that ComCast is not out where I am, monopolizing...

Well, it is better here in TX than in the SF Bay Area... you'd think the heart of silicon valley would have the fastest internet speeds... but the ISPs have set up non-compete clauses so a lot of places are only served by one ISP, and the fastest DSL we were provisioned for was 3 Mbps with 250 GB/month cap, but it was unstable because they've deferred maintenance on the telephone system, so they dropped us back to 1.5 Mbps. The slowest I could get here in TX was 300 Mbps with a 1 TB/month cap (and it's cheaper than the old DSL connection)... I don't know what to do with that kind of speed.

Move out here rural in TX and you'll find the average available is 10mb/s;)

At $400 per month.


We built a tower to avoid that. Tried Viasat for one month and said NOPE.

Anyway, I thought setting up DNSCrypt under Zorin OS would be pretty much the same as Simple DNSCrypt under Windows... disable the built-in DNS resolver service, set up DNSCrypt listening locally on the correct ports, redirect your Wifi or wired connection to connect to DNSCrypt, and you're up and running.

DNSCrypt-proxy is starting up alright, it's loading in the .toml configuration file, and I've got it configured so the Wifi connection connects to the local DNSCrypt-proxy, but something's not working. It can't be the firewall, as it doesn't work even with the firewall turned off.

I messed around with this again... still no joy. No matter what, as soon as you issue:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service

... DNS resolution stops, even with DNSCrypt-proxy running and listening on the correct port.

This is one of the last 'to-do's for this system... anyone got any ideas on how to get it working? I even tried to force it to work by editing resolve.conf and by manually setting a DNS IP address in Network Manager.