Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Install & Configure

  1. Install DNSMasq

     $ brew install dnsmasq

  2. Install DNSCrypt-proxy

     $ brew install dnscrypt-proxy

  3. Configure /usr/local/etc/dnsmasq.conf

  4. Configure /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist

  5. Configure /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist

  6. Reload the dnscrypt-proxy service

     $ cd /Library/LaunchDaemons/
     $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist

  7. Reload the dnsmasq service

     $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist

  8. Set DNS IP:


DNS Configuration

$ scutil --dns
resolver #1
  search domain[0] : openvpn
  nameserver[0] :
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address

$ nslookup -type=txt

Non-authoritative answer:
	text = "server 7.ams"
	text = "flags 20 0 2f4 800000000000000"
	text = "id 0"
	text = "source"
	text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:

Useful links:

/usr/local/etc/dnsmasq.conf

# Configuration file for dnsmasq.
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains
# Upstream DNSCrypt
# Don't read the hostnames in /etc/hosts.
# Do not go into the background at startup but otherwise run as
# normal.
# Do not provide DHCP or TFTP on the loopback interface.
# Only listen on the loopback interface.
# Only bind to interfaces dnsmasq is listening on.
# Never forward addresses in the non-routed address spaces.
# Don't read /etc/resolv.conf.
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
# Exempt from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use ad-blocking add-ons such as
# Adblock Plus or Ghostery, you may want to increase this value, as you
# will be resolving more domain names.
# Pass through DNSSEC validation results from dnscrypt-proxy.
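A check for the config the comments above describe, added here as an example that is not part of the gist: it parses a dnsmasq.conf and flags settings that would let queries bypass dnscrypt-proxy, expose the cache beyond loopback, or accept DNS-rebinding answers. The option names are real dnsmasq options; the two sample configs (including the 192.0.2.53 upstream and the 127.0.0.1 port 40 handoff taken from the comment thread) are constructed.

```python
import ipaddress

# Bare options whose absence the gist's comments warn about, and why it matters.
REQUIRED_FLAGS = {
    "no-resolv": "/etc/resolv.conf is still read, so queries can bypass dnscrypt-proxy",
    "bogus-priv": "reverse lookups for private ranges leak upstream",
    "stop-dns-rebind": "private-range answers from upstream are accepted (DNS rebinding)",
    "bind-interfaces": "the wildcard address is bound, not only listen-address",
}

def parse_conf(text):
    """Return (flags, key->values); '#' comments only at line start, since server=host#port uses it."""
    flags, values = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            values.setdefault(key, []).append(val)
        else:
            flags.add(key)
    return flags, values

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, empty or malformed addresses never pass

def lint(text):
    """Return a list of findings; empty means the config matches the gist's intent."""
    flags, values = parse_conf(text)
    findings = [f"missing {o}: {why}" for o, why in REQUIRED_FLAGS.items() if o not in flags]
    # Every upstream must be loopback, i.e. the local dnscrypt-proxy (server=[/domain/]addr[#port]).
    upstreams = values.get("server", [])
    if not upstreams:
        findings.append("no server= line: nothing points at dnscrypt-proxy")
    for spec in upstreams:
        if not is_loopback(spec.rsplit("/", 1)[-1].split("#", 1)[0]):
            findings.append(f"server={spec}: upstream is not the local dnscrypt-proxy")
    # Listen only on loopback so the cache is not reachable from the LAN.
    for addr in values.get("listen-address") or ["<unset, all interfaces>"]:
        if not is_loopback(addr):
            findings.append(f"listen-address={addr}: not a loopback address")
    return findings

# Constructed samples: a public upstream on a wildcard listener, and the gist's layout (dnscrypt-proxy on 127.0.0.1#40).
WEAK_CONF = "server=192.0.2.53\nlisten-address=0.0.0.0\n"
HARDENED_CONF = ("server=127.0.0.1#40\nlisten-address=127.0.0.1\nbind-interfaces\n"
                 "bogus-priv\nno-resolv\nstop-dns-rebind\nno-hosts\nproxy-dnssec\n")
```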
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

@jamesacampbell jamesacampbell commented Dec 11, 2017

When you install dnsmasq and dnscrypt-proxy, don't they install and set up sensible defaults in the .conf file and others? Why the need for customization? What are the diffs between them and yours posted here? Thanks

@ngocphamm ngocphamm commented Apr 9, 2018

@jamesacampbell This might be very late to the game, but I just came across this and I think by default you can't make dnsmasq and dnscrypt-proxy work together, for a simple reason: they both want to listen on port 53. This gist points out that all you need to do is to make dnscrypt-proxy listen on another port (here it is 40), then point dnsmasq to for its upstream DNS server, while NOT trying any other DNS servers specified in the system.

@ianmustafa ianmustafa commented Apr 12, 2018

@ngocphamm I can confirm that both dnsmasq and dnscrypt-proxy can indeed work together. I was just having trouble getting dnscrypt-proxy to work alone on a fresh-installed macOS Sierra, and this gist helped me a lot. I just didn't copy-paste the whole dnsmasq.conf, though.

@willsalz willsalz commented Dec 5, 2019

qq: why are you running dnsmasq && dnscrypt-proxy? Aren't they doing essentially the same thing?