
Last active July 7, 2023 09:27
Gist: ahmozkya/8456503
Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Do not use this guide. The dnscrypt protocol and dnscrypt-proxy configuration file have changed a lot since I wrote this gist. Check the following links for help:

Install & Configure

  1. Install DNSMasq

     $ brew install dnsmasq

  2. Install DNSCrypt-proxy

     $ brew install dnscrypt-proxy

  3. Configure the following files (reproduced below):

     /usr/local/etc/dnsmasq.conf ⬇
     /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist ⬇
     /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ⬇

  4. Reload dnscrypt-proxy service

     $ cd /Library/LaunchDaemons/
     $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist

  5. Reload dnsmasq service

     $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist

  6. Set DNS IP:

DNS Configuration

$ scutil --dns
resolver #1
  search domain[0] : openvpn
  nameserver[0] :
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address


$ nslookup -type=txt

Non-authoritative answer:
text = "server 7.ams"
text = "flags 20 0 2f4 800000000000000"
text = "id 0"
text = "source"
text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:
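The reload and "Set DNS IP" steps above, followed by the checks in this section, as one script. This is an added example, not part of the gist. It assumes the launchd job labels implied by the plist file names, uses `networksetup` to set the DNS server (the gist leaves that step to the reader), and assumes that the TXT lookup shown above was against OpenDNS's diagnostic name `debug.opendns.com` (the page omits the name; override it with `DEBUG_NAME`). The live changes run only when `DNS_SETUP_APPLY=1` (a variable introduced here); otherwise the script exercises its parsers against constructed sample output embedded in the `sample_*` functions, so it can be run anywhere to see what "good" looks like.

```shell
#!/bin/sh
# Added example, not part of the gist: apply the "reload" and "Set DNS IP"
# steps, then verify the chain system resolver -> dnsmasq -> dnscrypt-proxy.
# Live changes run only with DNS_SETUP_APPLY=1 (a variable introduced here);
# otherwise the parsers run against the constructed sample_* output below.
set -eu

LAUNCHD_DIR=/Library/LaunchDaemons
# Assumption: the name behind the page's "nslookup -type=txt" (it is missing
# there); OpenDNS's diagnostic record is what answers "dnscrypt enabled".
DEBUG_NAME="${DEBUG_NAME:-debug.opendns.com}"

# Reload step: unload (ignoring "not loaded") and load one Homebrew job.
reload_daemon() {                        # $1 = plist file name
  sudo launchctl unload "$LAUNCHD_DIR/$1" 2>/dev/null || true
  sudo launchctl load "$LAUNCHD_DIR/$1"
}

# "Set DNS IP" step: point every network service at the local dnsmasq.
# -listallnetworkservices prints a legend line first and marks disabled
# services with a leading "*", hence the tail and sed.
set_dns_loopback() {
  networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
  while IFS= read -r svc; do
    sudo networksetup -setdnsservers "$svc" 127.0.0.1
  done
}

# Parse `sudo launchctl list` (PID<TAB>Status<TAB>Label) on stdin; succeed
# only if the job is loaded AND has a PID. A "-" in the PID column is what
# you see when dnsmasq and dnscrypt-proxy fight over port 53 (see comments).
job_running() {                          # $1 = job label
  awk -F '\t' -v label="$1" \
    '$3 == label && $1 ~ /^[0-9]+$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Parse `scutil --dns` on stdin; succeed if nameserver[0] of resolver #1 is
# the loopback address dnsmasq listens on.
resolver_is_loopback() {
  awk '/^resolver #1$/ { in1 = 1; next }
       /^resolver #/   { in1 = 0 }
       in1 && $1 == "nameserver[0]" { ok = ($3 == "127.0.0.1"); exit }
       END { exit ok ? 0 : 1 }'
}

# Parse a TXT answer on stdin; succeed if the upstream reports DNSCrypt in
# use, i.e. the "dnscrypt enabled (...)" line shown above.
dnscrypt_enabled() {
  grep -q 'dnscrypt enabled'
}

# Constructed samples in the formats the real commands print on macOS.
sample_launchctl_list() {
  printf 'PID\tStatus\tLabel\n'
  printf '812\t0\thomebrew.mxcl.dnsmasq\n'
  printf '%s\t0\thomebrew.mxcl.dnscrypt-proxy\n' -   # loaded, not running
}
sample_scutil_dns() {
  printf 'DNS configuration\n\nresolver #1\n'
  printf '  search domain[0] : openvpn\n  nameserver[0] : 127.0.0.1\n'
  printf '  flags    : Request A records, Request AAAA records\n'
  printf '  reach    : Reachable,Local Address\n\nresolver #2\n  domain   : local\n'
}
sample_txt_answer() {
  printf 'Non-authoritative answer:\n%s\ttext = "server 7.ams"\n' "$DEBUG_NAME"
  printf '%s\ttext = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"\n' "$DEBUG_NAME"
}

# Offline self-check of the parsers against the samples.
self_check() {
  sample_launchctl_list | job_running homebrew.mxcl.dnsmasq || return 1
  if sample_launchctl_list | job_running homebrew.mxcl.dnscrypt-proxy; then
    return 1                             # the sample marks it as not running
  fi
  sample_scutil_dns | resolver_is_loopback || return 1
  sample_txt_answer | dnscrypt_enabled || return 1
}

# Live path: apply the steps, then check every link of the chain.
apply_and_verify() {
  reload_daemon homebrew.mxcl.dnscrypt-proxy.plist
  reload_daemon homebrew.mxcl.dnsmasq.plist
  set_dns_loopback
  for job in homebrew.mxcl.dnscrypt-proxy homebrew.mxcl.dnsmasq; do
    sudo launchctl list | job_running "$job" ||
      { echo "$job is loaded but not running; check its port and log" >&2; return 1; }
  done
  scutil --dns | resolver_is_loopback ||
    { echo "resolver #1 does not point at 127.0.0.1" >&2; return 1; }
  nslookup -type=txt "$DEBUG_NAME" | dnscrypt_enabled ||
    { echo "upstream did not report 'dnscrypt enabled'" >&2; return 1; }
  echo "ok: system resolver -> dnsmasq -> dnscrypt-proxy (DNSCrypt) -> OpenDNS"
}

if [ "${DNS_SETUP_APPLY:-0}" = 1 ]; then
  apply_and_verify
else
  self_check && echo "self-check passed; run with DNS_SETUP_APPLY=1 on the Mac to apply"
fi
```

Note that `launchctl list` must run under `sudo` to show jobs loaded from /Library/LaunchDaemons; the unprivileged listing only covers the user's own agents. The `job_running` check is the one that catches the port-53 clash discussed in the comments: launchd reports the job as loaded, but the PID column stays `-` because the process exits at startup.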

Useful links:

/usr/local/etc/dnsmasq.conf:

# Configuration file for dnsmasq.
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains
# Upstream DNSCrypt
# Don't read the hostnames in /etc/hosts.
# Do not go into the background at startup but otherwise run as
# normal.
# Do not provide DHCP or TFTP on the loopback interface.
# Only listen on the loopback interface.
# Only bind to interfaces dnsmasq is listening on.
# Never forward addresses in the non-routed address spaces.
# Don't read /etc/resolv.conf.
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
# Exempt from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use ad- or tracker-blocking add-ons such
# as Adblock Plus or Ghostery, you may want to increase this value, as you
# will be resolving more domain names.
# Pass through DNSSEC validation results from dnscrypt-proxy.
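Only the comments of the gist's dnsmasq.conf survived on this page; the option lines under them are missing. What follows is an added example, not the gist's own file: a reconstruction of those option lines from the comments (which match the wording of dnsmasq's shipped example configuration and man page), rendered by a small shell function so it can be syntax-checked with `dnsmasq --test` where dnsmasq is installed. Values the page does not give are assumptions: port 40 for dnscrypt-proxy (the port named in the comment thread below), `.test` as the development domain, and `cache-size=10000`. The second function, `rebind_verdict`, is also added here: it classifies an IPv4 answer the way `stop-dns-rebind` together with `rebind-localhost-ok` would, so the DNS-rebinding protection the config turns on can be reasoned about offline; it approximates the private-range list in current dnsmasq rather than calling dnsmasq.

```shell
#!/bin/sh
# Added example, not the gist's file. render_dnsmasq_conf prints the option
# lines reconstructed from the comments on this page; rebind_verdict shows
# which upstream answers stop-dns-rebind (+ rebind-localhost-ok) would drop.
# Assumed values (not on the page): port 40 for dnscrypt-proxy (named in the
# comment thread), ".test" as the dev domain, cache-size=10000.
set -eu

render_dnsmasq_conf() {
cat <<'EOF'
# Custom development domains (assumed: everything under .test -> 127.0.0.1)
address=/test/127.0.0.1
# Upstream DNSCrypt: dnscrypt-proxy on the loopback, port 40 (assumed)
server=127.0.0.1#40
# Don't read the hostnames in /etc/hosts.
no-hosts
# Do not go into the background at startup (launchd supervises the process).
keep-in-foreground
# Do not provide DHCP or TFTP on the loopback interface.
no-dhcp-interface=lo0
# Only listen on the loopback interface.
listen-address=127.0.0.1
# Only bind to interfaces dnsmasq is listening on.
bind-interfaces
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Don't read /etc/resolv.conf: the server= line above is the only upstream.
no-resolv
# Reject (and log) upstream answers in private ranges (DNS rebinding defence).
stop-dns-rebind
# Exempt 127.0.0.0/8, which DNS blocklists (RBLs) return on purpose.
rebind-localhost-ok
# Never forward plain names (left disabled, as in the page's comments).
# domain-needed
# Cache size (assumed value).
cache-size=10000
# Pass through DNSSEC validation results from dnscrypt-proxy.
proxy-dnssec
EOF
}

# Syntax-check the rendered file with dnsmasq itself when it is installed.
validate_conf() {
  command -v dnsmasq >/dev/null ||
    { echo "dnsmasq not installed; skipping --test" >&2; return 0; }
  tmp=$(mktemp)
  render_dnsmasq_conf > "$tmp"
  if dnsmasq --test -C "$tmp"; then status=0; else status=$?; fi
  rm -f "$tmp"
  return "$status"
}

# Verdict of stop-dns-rebind with rebind-localhost-ok on one IPv4 answer:
# "drop" for 0/8, 10/8, 172.16/12, 192.168/16 and 169.254/16 (the ranges
# current dnsmasq treats as private); "pass" otherwise, including 127/8,
# which rebind-localhost-ok exempts for the RBL case noted in the config.
rebind_verdict() {                       # $1 = dotted-quad A record
  case "$1" in
    0.*|10.*|192.168.*|169.254.*)          echo drop ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo drop ;;
    *)                                     echo pass ;;
  esac
}

# Demo on constructed answers: a rebinding attacker's second answer (10.0.0.5,
# 192.168.1.1, ...) is dropped; a public address and an RBL 127.0.0.2 pass.
render_dnsmasq_conf
validate_conf || echo "dnsmasq --test rejected the configuration" >&2
for answer in 203.0.113.10 10.0.0.5 192.168.1.1 172.31.0.7 172.32.0.7 169.254.1.1 127.0.0.2; do
  printf '%-16s %s\n' "$answer" "$(rebind_verdict "$answer")"
done
```

The three lines that matter for the threat model are `listen-address=127.0.0.1` with `bind-interfaces` (the cache never answers anyone but this host), `no-resolv` with a single `server=` line (nothing can be forwarded around dnscrypt-proxy), and `stop-dns-rebind` (an attacker's domain cannot be pointed at the LAN through the browser). `rebind-localhost-ok` is the deliberate hole in the last one; drop it if nothing on the machine consults RBLs.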
/Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist and /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist: only the XML prologue of each launchd plist survived on this page; the job definitions themselves are not reproduced here.

When you install dnsmasq and dnscrypt-proxy, don't they install and set up sensible defaults in the .conf file and others? Why the need for customization? What are the diffs between them and yours posted here? Thanks


@jamesacampbell This might be very late to the game, but I just came across this and I think by default you can't make dnsmasq and dnscrypt-proxy work together, for the simple reason that they both want to listen on port 53. This gist points out that all you need to do is make dnscrypt-proxy listen on another port (here it is 40), then point dnsmasq at it for the upstream DNS server, while NOT trying any other DNS servers specified in the system.


@ngocphamm I can confirm that both dnsmasq and dnscrypt-proxy can indeed work together. I was just having trouble getting dnscrypt-proxy to work alone on a fresh-installed macOS Sierra, and this gist helps me a lot. I just didn't copy-paste the whole dnsmasq.conf though.


willsalz commented Dec 5, 2019

qq: why are you running dnsmasq && dnscrypt-proxy? Aren't they doing essentially the same thing?


@willsalz dnscrypt-proxy encrypts your requests, dnsmasq caches your requests.


@ngocphamm as of the current version of Mac OS in 2022, I just install both out of the box and it works fine. I updated and tested my fresh mac os installer baseline here if anyone is interested:
