
Forked from ahmozkya/
Created April 9, 2018 04:21
Homebrew with DNSMasq + DNSCrypt-proxy (OpenDNS)

Install & Configure

  1. Install DNSMasq

    $ brew install dnsmasq

  2. Install DNSCrypt-proxy

    $ brew install dnscrypt-proxy

  3. Configure

    - /usr/local/etc/dnsmasq.conf ⬇
    - /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist ⬇
    - /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ⬇

  4. Reload dnscrypt-proxy service

    $ cd /Library/LaunchDaemons/
    $ sudo launchctl unload homebrew.mxcl.dnscrypt-proxy.plist && sudo launchctl load homebrew.mxcl.dnscrypt-proxy.plist

  5. Reload dnsmasq service

    $ sudo launchctl unload homebrew.mxcl.dnsmasq.plist && sudo launchctl load homebrew.mxcl.dnsmasq.plist

  6. Set DNS IP:


DNS Configuration

$ scutil --dns
resolver #1
  search domain[0] : openvpn
  nameserver[0] :
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address


$ nslookup -type=txt

Non-authoritative answer:
	text = "server 7.ams"
	text = "flags 20 0 2f4 800000000000000"
	text = "id 0"
	text = "source"
	text = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"

Authoritative answers can be found from:
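The two commands above are the whole verification story: the resolver must point at the local dnsmasq, and OpenDNS must report that the query arrived over DNSCrypt. The script below is an added example, not part of the gist, that turns both checks into functions that read the command output on stdin so they can be run on live output or on the constructed samples embedded in the script. The queried name debug.opendns.com (OpenDNS's diagnostic record, which the gist leaves blank) and the documentation IP addresses in the samples are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the gist: verify from the two commands the gist
# uses (scutil --dns, nslookup -type=txt) that queries really leave the box
# through dnscrypt-proxy. Both functions read command output on stdin:
#   scutil --dns | resolver_is_local && echo "resolver is local dnsmasq"
#   nslookup -type=txt debug.opendns.com | dnscrypt_enabled && echo "dnscrypt on"
# debug.opendns.com is OpenDNS's diagnostic name (assumed here; the gist
# leaves the queried name blank).

# 0 when the unscoped "resolver #1" in scutil --dns output has at least one
# nameserver and every one of them is loopback. Entries in the "for scoped
# queries" section are ignored: those are the DHCP-supplied servers that
# dnsmasq is meant to replace, not the ones the system resolver uses.
resolver_is_local() {
  awk '
    /^DNS configuration \(for scoped queries\)/ { exit }
    /^resolver #/ { cur = $2 }
    cur == "#1" && /nameserver\[[0-9]+\]/ {
      n++
      if ($NF != "127.0.0.1" && $NF != "::1") bad = 1
    }
    END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Prints the TXT strings from nslookup -type=txt output one per line, so both
# the tab-joined form pasted in the gist and the one-per-line form work.
opendns_txt_values() {
  tr '\t' '\n' | sed -n 's/.*text = "\([^"]*\)".*/\1/p'
}

# 0 when OpenDNS reports that the query arrived over DNSCrypt.
dnscrypt_enabled() {
  opendns_txt_values | grep -q '^dnscrypt enabled'
}

# The OpenDNS site that answered (the "server ..." TXT string).
opendns_site() {
  opendns_txt_values | sed -n 's/^server //p'
}

# Constructed samples: the shape of each command's output, with the addresses
# the gist blanks out replaced by RFC 5737 documentation addresses.
SCUTIL_OK='DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : Reachable'

# A second nameserver next to dnsmasq lets macOS bypass it when dnsmasq is slow.
SCUTIL_LEAK='DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 192.0.2.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address'

NSLOOKUP_OK=$(printf 'Server:\t\t127.0.0.1\nAddress:\t127.0.0.1#53\n\nNon-authoritative answer:\ndebug.opendns.com\ttext = "server 7.ams"\ndebug.opendns.com\ttext = "flags 20 0 2f4 800000000000000"\ndebug.opendns.com\ttext = "id 0"\ndebug.opendns.com\ttext = "source 203.0.113.10:53000"\ndebug.opendns.com\ttext = "dnscrypt enabled (xxxxxxxxxxxxxxxx)"\n')

# Same answer when the query reached OpenDNS as plain UDP/53: no dnscrypt line.
NSLOOKUP_PLAIN=$(printf 'Non-authoritative answer:\ndebug.opendns.com\ttext = "server 7.ams"\ndebug.opendns.com\ttext = "flags 20 0 2f4 800000000000000"\ndebug.opendns.com\ttext = "id 0"\ndebug.opendns.com\ttext = "source 203.0.113.10:53000"\n')

printf '%s\n' "$SCUTIL_OK" | resolver_is_local && echo "sample 1: resolver is the local dnsmasq"
printf '%s\n' "$SCUTIL_LEAK" | resolver_is_local || echo "sample 2: a non-local nameserver is configured, queries can bypass dnsmasq"
printf '%s\n' "$NSLOOKUP_OK" | dnscrypt_enabled && echo "sample 3: dnscrypt enabled via OpenDNS site $(printf '%s\n' "$NSLOOKUP_OK" | opendns_site)"
printf '%s\n' "$NSLOOKUP_PLAIN" | dnscrypt_enabled || echo "sample 4: query reached OpenDNS in plaintext"
```

Run it after step 6 with the live commands piped in; a "dnscrypt enabled" line proves the whole chain (system resolver to dnsmasq to dnscrypt-proxy to OpenDNS), while a missing line with the resolver still local usually means dnsmasq's upstream is not the dnscrypt-proxy port.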

Useful links:

# Configuration file for dnsmasq.
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Custom development domains
# Upstream DNSCrypt
# Don't read the hostnames in /etc/hosts.
# Do not go into the background at startup but otherwise run as
# normal.
# Do not provide DHCP or TFTP on the loopback interface.
# Only listen on the loopback interface.
# Only bind to interfaces dnsmasq is listening on.
# Never forward addresses in the non-routed address spaces.
# Don't read /etc/resolv.conf.
# Reject (and log) addresses from upstream nameservers which are in
# the private IP ranges. This blocks an attack where a browser behind
# a firewall is used to probe machines on the local network.
# Exempt from rebinding checks. This address range is
# returned by realtime black hole servers, so blocking it may disable
# these services.
# Never forward plain names (without a dot or domain part).
# domain-needed
# Set the cache size here. If you don't use blocking add-ons such as
# Adblock Plus or Ghostery, you may want to increase this value, as you
# will be resolving more domain names.
# Pass through DNSSEC validation results (the AD bit) from dnscrypt-proxy.
# dnsmasq does not validate anything itself with this option, so it is only
# safe because the upstream is the local dnscrypt-proxy, not a public resolver.
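The directives behind the comments above are what keep this setup safe: no-resolv so the DHCP-supplied servers are never used, bogus-priv and stop-dns-rebind against DNS rebinding, bind-interfaces with a loopback-only listen-address so the box is not an open resolver, and a server= line that points at the local dnscrypt-proxy rather than at a public resolver (any other upstream sends queries out in plaintext). The script below is an added example, not the gist's own code, that lints a dnsmasq.conf for exactly those points. The two sample configs, the port 5355 and the dev domain are constructed for the demonstration; the real port comes from the dnscrypt-proxy plist.

```shell
#!/bin/sh
# Added example, not part of the gist: lint a dnsmasq.conf for the protections
# described in the commented config above. Findings are printed one per line;
# exit status 0 means clean.

# Directives that must appear verbatim (listen-address is validated separately).
REQUIRED='no-resolv bogus-priv stop-dns-rebind bind-interfaces listen-address'

# lint_dnsmasq_conf FILE
lint_dnsmasq_conf() {
  # Only whole-line comments are dropped: '#' also separates host from port in
  # server=127.0.0.1#5355, so a naive s/#.*// would break the upstream check.
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" | awk -v required="$REQUIRED" '
    BEGIN { n = split(required, req, " "); for (i = 1; i <= n; i++) seen[req[i]] = 0 }
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    (line in seen) { seen[line] = 1 }
    line ~ /^listen-address=/ {
      seen["listen-address"] = 1
      addrs = line; sub(/^listen-address=/, "", addrs)
      m = split(addrs, a, ",")
      for (j = 1; j <= m; j++)
        if (a[j] != "127.0.0.1" && a[j] != "::1") { print "listens on non-loopback: " a[j]; bad++ }
    }
    line ~ /^server=/ {
      servers++
      upstream = line
      sub("^server=(/[^/]*/)?", "", upstream)   # drop "server=" and any "/domain/" selector
      if (upstream !~ /^(127\.0\.0\.1|::1)(#[0-9]+)?$/) { print "non-local upstream: " line; bad++ }
    }
    END {
      for (i = 1; i <= n; i++) if (!seen[req[i]]) { print "missing: " req[i]; bad++ }
      if (!servers) { print "missing: server= (dnsmasq would have no upstream)"; bad++ }
      exit (bad ? 1 : 0)
    }'
}

WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed weak config: plaintext upstream straight to a public resolver,
# listening on every interface, no rebind or private-range protection.
cat >"$WEAK_CONF" <<'EOF'
server=208.67.222.222
listen-address=0.0.0.0
cache-size=1000
EOF

# Constructed hardened config in the shape the gist's comments describe.
# The dnscrypt-proxy port 5355 is an assumption; read it from your plist.
cat >"$HARDENED_CONF" <<'EOF'
# custom development domain
address=/dev/127.0.0.1
# upstream is the local dnscrypt-proxy
server=127.0.0.1#5355
no-hosts
keep-in-foreground
no-dhcp-interface=lo0
listen-address=127.0.0.1
bind-interfaces
bogus-priv
no-resolv
stop-dns-rebind
rebind-localhost-ok
domain-needed
cache-size=1000
proxy-dnssec
EOF

if lint_dnsmasq_conf "$WEAK_CONF"; then echo "weak config: clean"; else echo "weak config: needs attention"; fi
if lint_dnsmasq_conf "$HARDENED_CONF"; then echo "hardened config: clean"; else echo "hardened config: needs attention"; fi
```

Point it at the live file with `lint_dnsmasq_conf /usr/local/etc/dnsmasq.conf` before reloading the launchd job; a non-local upstream finding is the one to fix first, because it means the dnscrypt-proxy is being skipped entirely.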
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">