DNSCrypt server Docker image
Run your own caching, non-censoring, non-logging, DNSSEC-capable,
DNSCrypt-enabled DNS resolver virtually anywhere!
If you are already familiar with Docker, it shouldn't take more than 5 minutes
to get your resolver up and running.
Think about a name. This is going to be part of your DNSCrypt provider name.
If you are planning to make your resolver publicly accessible, this name will
It has to look like a domain name (example.com), but it doesn't have to be
a registered domain.
Download, create and initialize the container, once and for all:
$ docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host \
    jedisct1/unbound-dnscrypt-server init -N example.com
This will only accept connections via DNSCrypt on the standard port (443).
--net=host provides the best network performance, but may have to be
removed on some shared container hosting services.
Now, to start the whole stack:
$ docker start dnscrypt-server
To check that your DNSCrypt-enabled DNS resolver is accessible, run the
DNSCrypt client proxy on another host:
# dnscrypt-proxy \
    --provider-key=<provider key, as displayed when the container was initialized> \
    --resolver-address=<dnscrypt resolver public IP address> \
    --provider-name=2.dnscrypt-cert.example.com
And try using 127.0.0.1 as a DNS resolver.
Note that the actual provider name for DNSCrypt is
example.com as initially entered. The full name has to start with
2.dnscrypt-cert. for the client and the server to use the same version of the
Let the world know about your server
Is your brand new DNS resolver publicly accessible?
- Caching resolver: Unbound, with DNSSEC, prefetching,
and no logs. The number of threads and memory usage are automatically adjusted.
Latest stable version, compiled from source. qname minimisation is enabled.
- LibreSSL - Latest stable version, compiled from source.
- libsodium - Latest stable version,
minimal build compiled from source.
- dnscrypt-wrapper - Latest stable version,
compiled from source.
- dnscrypt-proxy - Latest stable version,
compiled from source.
Keys and certificates are automatically rotated every 12 hours.
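What rotation looks like from the client side, as an added example (not code from this image or from dnscrypt-wrapper): it decodes the fixed 124-byte part of DNSCrypt version 2 certificates, which clients fetch as TXT records for the provider name, and picks the one a client would use while two certificates overlap. The sample certificates are constructed, their 24-hour lifetime is an assumption, and the Ed25519 signature check against the provider key that a real client performs is left out.

```python
import struct

CERT_MAGIC = b"DNSC"
# magic, es-version, minor version, signature, resolver pk, client magic, serial, ts-start, ts-end
CERT_FMT = ">4sHH64s32s8sIII"
CERT_LEN = struct.calcsize(CERT_FMT)  # 124 bytes, optional extensions follow
ES_VERSIONS = {1: "X25519-XSalsa20Poly1305", 2: "X25519-XChaCha20Poly1305"}


def parse_cert(blob):
    """Decode the fixed part of one certificate; the signature is NOT verified here."""
    if len(blob) < CERT_LEN:
        raise ValueError("certificate too short: %d bytes" % len(blob))
    magic, es, minor, sig, pk, cmagic, serial, start, end = struct.unpack_from(CERT_FMT, blob)
    if magic != CERT_MAGIC:
        raise ValueError("bad certificate magic")
    if es not in ES_VERSIONS:
        raise ValueError("unknown es-version %d" % es)
    if end < start:
        raise ValueError("ts-end precedes ts-start")
    return {"es": ES_VERSIONS[es], "minor": minor, "signature": sig, "resolver_pk": pk,
            "client_magic": cmagic, "serial": serial, "ts_start": start, "ts_end": end}


def status(cert, now):
    """Classify a parsed certificate against a Unix timestamp."""
    if now < cert["ts_start"]:
        return "not-yet-valid"
    if now > cert["ts_end"]:
        return "expired"
    return "valid"


def pick_current(certs, now):
    """Among currently valid certificates, a client uses the one with the highest serial."""
    valid = [c for c in certs if status(c, now) == "valid"]
    return max(valid, key=lambda c: c["serial"], default=None)


def sample_cert(serial, start, lifetime):
    # Constructed test data: zeroed signature and key, so it would fail real verification.
    return struct.pack(CERT_FMT, CERT_MAGIC, 2, 0, bytes(64), bytes(32),
                       b"\x01" * 8, serial, start, start + lifetime)


if __name__ == "__main__":
    t0, half_day = 1_700_000_000, 12 * 3600
    # Two overlapping certificates, as published around a rotation (24 h lifetime is an assumption).
    certs = [parse_cert(sample_cert(1, t0, 2 * half_day)),
             parse_cert(sample_cert(2, t0 + half_day, 2 * half_day))]
    for now in (t0 + 3600, t0 + half_day + 3600, t0 + 3 * half_day + 1):
        cur = pick_current(certs, now)
        print(now, [status(c, now) for c in certs], cur and cur["serial"])
```

If `pick_current` returns `None` for certificates fetched from your own resolver, rotation has stalled and clients will refuse to use the server.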
Coming up next
- Namecoin support, by linking a distinct image with namecore and ncdns.
- Better isolation of the certificate signing process, in a dedicated container.