{"id":13775807,"url":"https://github.com/dnscrypt/dnscrypt-server-docker","last_synced_at":"2026-02-27T00:13:26.059Z","repository":{"id":34635210,"uuid":"38586494","full_name":"DNSCrypt/dnscrypt-server-docker","owner":"DNSCrypt","description":"A Docker image for a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver","archived":false,"fork":false,"pushed_at":"2024-08-17T15:42:40.000Z","size":1645,"stargazers_count":657,"open_issues_count":4,"forks_count":132,"subscribers_count":32,"default_branch":"master","last_synced_at":"2024-08-17T16:51:49.594Z","etag":null,"topics":["dns","dns-resolver","dnscrypt","dnscrypt-proxy","dnssec","docker","docker-image","doh"],"latest_commit_sha":null,"homepage":"https://dnscrypt.info","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DNSCrypt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-07-05T22:27:32.000Z","updated_at":"2024-08-17T15:42:42.000Z","dependencies_parsed_at":"2024-02-14T23:22:15.882Z","dependency_job_id":"9bca84b7-0205-4d5e-a1ee-d46b24b672a4","html_url":"https://github.com/DNSCrypt/dnscrypt-server-docker","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNSCrypt%2Fdnscrypt-server-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNSCrypt%2Fdnscrypt-server-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNSCrypt%2Fdnscrypt-server-docker/releases","man
ifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNSCrypt%2Fdnscrypt-server-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DNSCrypt","download_url":"https://codeload.github.com/DNSCrypt/dnscrypt-server-docker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253540372,"owners_count":21924521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-resolver","dnscrypt","dnscrypt-proxy","dnssec","docker","docker-image","doh"],"created_at":"2024-08-03T17:01:50.666Z","updated_at":"2026-02-27T00:13:26.024Z","avatar_url":"https://github.com/DNSCrypt.png","language":"Shell","readme":"[![Gitter chat](https://badges.gitter.im/gitter.svg)](https://gitter.im/dnscrypt-operators/Lobby)\n[![DNSCrypt](https://raw.github.com/jedisct1/dnscrypt-server-docker/master/dnscrypt-small.png)](https://dnscrypt.info)\n\n# DNSCrypt server Docker image\n\nRun your own caching, non-censoring, non-logging, DNSSEC-capable,\n[DNSCrypt](https://dnscrypt.info)-enabled DNS resolver virtually anywhere!\n\nIf you are already familiar with Docker, it shouldn't take more than 5 minutes\nto get your resolver up and running.\n\nTable of contents:\n\n- [DNSCrypt server Docker image](#dnscrypt-server-docker-image)\n- [Example installation procedures](#example-installation-procedures)\n- [Installation](#installation)\n  - [Updating the container](#updating-the-container)\n  - [Anonymized DNS](#anonymized-dns)\n  - [Prometheus metrics](#prometheus-metrics)\n  - [TLS (including HTTPS and DoH) 
forwarding](#tls-including-https-and-doh-forwarding)\n  - [Filtering](#filtering)\n- [Join the network](#join-the-network)\n- [Usage with Docker Compose](#usage-with-docker-compose)\n- [Usage with Kubernetes](#usage-with-kubernetes)\n- [Customizing Unbound](#customizing-unbound)\n  - [Changing the Unbound configuration file](#changing-the-unbound-configuration-file)\n  - [Serving custom DNS records on a local network](#serving-custom-dns-records-on-a-local-network)\n  - [Troubleshooting](#troubleshooting)\n- [Deleting everything](#deleting-everything)\n- [Details](#details)\n\n# Example installation procedures\n\n- [How to setup your own DNSCrypt server in less than 10 minutes on Scaleway](https://github.com/dnscrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes)\n- [DNSCrypt server with vultr.com](https://github.com/dnscrypt/dnscrypt-proxy/wiki/DNSCrypt-server-with-vultr.com)\n\n# Installation\n\nThink about a name. This is going to be part of your DNSCrypt provider name.\nIf you are planning to make your resolver publicly accessible, this name will\nbe public.\nBy convention, it has to look like a domain name (`example.com`), but it doesn't\nhave to be an actual, registered domain.\n\nLet's pick `example.com` here.\n\nYou probably need to perform the following steps as `root`.\n\nDownload, create and initialize the container:\n\n```sh\ndocker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp \\\n--restart=unless-stopped \\\n-v /etc/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys \\\njedisct1/dnscrypt-server init -N example.com -E '192.168.1.1:443'\n```\n\nThis will only accept connections via DNSCrypt on the standard port (443). 
Replace\n`192.168.1.1` with the actual external IP address (not the internal Docker one)\nclients will connect to.\n\nIPv6 addresses should be enclosed in brackets; for example: `[2001:0db8::412f]:443`.\n\nMultiple comma-separated IPs and ports can be specified, as in `-E '192.168.1.1:443,[2001:0db8::412f]:443'`.\n\nIf you want to use a different port, replace all occurrences of `443` with the alternative port in the\ncommand above (including `-p ...`). But if you have an existing website that should be accessible on\nport `443`, the server can transparently relay non-DNS traffic to it (see below).\n\n`-v /etc/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys` means that the path `/opt/encrypted-dns/etc/keys`, internal to the container, is mapped to `/etc/dnscrypt-server/keys`, a directory on the host. Do not change `/opt/encrypted-dns/etc/keys`. But if you use a directory in a different location, replace `/etc/dnscrypt-server/keys` accordingly in the command above.\n\n__Note:__ on macOS, don't use `-v ...:...`. Remove that part from the command line, as current versions of macOS and Docker don't seem to work well with shared directories.\n\nThe `init` command will print the DNS stamp of your server.\n\nDone.\n\nYou can verify that the server is running with:\n\n```sh\ndocker ps\n```\n\nNote: if you previously created a container with the same name, and Docker complains that the name is already in use, remove it and try again:\n\n```sh\ndocker rm --force dnscrypt-server\n```\n\n## Updating the container\n\nIn order to install the latest version of the image, or change parameters, use the following steps:\n\n1. Update the image\n\n```sh\ndocker pull jedisct1/dnscrypt-server\n```\n\n2. Verify that the directory containing the keys actually has the keys (a `state` directory):\n\n```sh\nls -l /etc/dnscrypt-server/keys\n```\n\nIf you have some content here, skip to step 3.\n\nNothing here? 
Maybe you didn't use the `-v` option to map container files to a local directory when creating the container.\nIn that case, copy the data directly from the container:\n\n```sh\ndocker cp dnscrypt-server:/opt/encrypted-dns/etc/keys ~/keys\n```\n\n3. Stop the existing container:\n\n```sh\ndocker stop dnscrypt-server\ndocker ps # Check that it's not running\n```\n\n4. Rename the existing container:\n\n```sh\ndocker rename dnscrypt-server dnscrypt-server-old\n```\n\n5. Use the `init` command again and start the new container:\n\n```sh\ndocker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp \\\n--restart=unless-stopped \\\n-v /etc/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys \\\njedisct1/dnscrypt-server init -N example.com -E '192.168.1.1:443'\n# (adjust accordingly)\n\ndocker ps # Check that it's running\n```\n\n6. Delete old container:\n\n```sh\ndocker rm dnscrypt-server-old\n```\n\n7. Done!\n\nParameters differ from the ones used in the previous container.\n\nFor example, if you originally didn't activate relaying\nbut want to enable it, append `-A` to the command. 
Or if you want to enable\nmetrics, append `-M 0.0.0.0:9100` to the end, and `-p 9100:9100/tcp` after\n`-p 443:443/tcp` (see below).\n\n## Anonymized DNS\n\nThe server can be configured as a relay for the Anonymized DNSCrypt protocol by adding the `-A` switch to the `init` command.\n\nThe relay DNS stamp will be printed right after the regular stamp.\n\n## Prometheus metrics\n\nMetrics are accessible inside the container as http://127.0.0.1:9100/metrics.\n\nThey can be made accessible outside of the container by adding the `-M` option followed by the listening IP and port (for example: `-M 0.0.0.0:9100`).\n\nThese metrics can be indexed with [Prometheus](https://prometheus.io/) and dashboards can be created with [Grafana](https://grafana.com/).\n\n## TLS (including HTTPS and DoH) forwarding\n\nIf the DNS server is listening on port `443`, but you still want to have a web (or DoH) service accessible on that port, add the `-T` switch followed by the backend server IP and port to the `init` command (for example: `-T 10.0.0.1:4443`).\n\nThe backend server must support the HTTP/2 protocol.\n\n## Filtering\n\nThe server can be used to block domains. 
For example, the `sfw.scaleway-fr` server uses that feature to provide a service that blocks websites possibly not suitable for children.\n\nIn order to do so, create a directory that will contain the blacklists:\n\n```sh\nmkdir -p /etc/dnscrypt-server/lists\n```\n\nAnd put the list of domains to block in a file named `/etc/dnscrypt-server/lists/blacklist.txt`, one domain per line.\n\nThen, follow the upgrade procedure, adding the following option to the `docker run` command: `-v /etc/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists`.\n\n# Join the network\n\nIf you want to help against DNS centralization and surveillance,\nannounce your server and/or relay on the list of [public DNS DoH and DNSCrypt servers](https://dnscrypt.info/public-servers).\n\nThe best way to do so is to send a pull request to the\n[dnscrypt-resolvers](https://github.com/DNSCrypt/dnscrypt-resolvers/) repository.\n\n# Usage with Kubernetes\n\nKubernetes configurations are located in the `kube` directory. Currently these assume\na persistent disk named `dnscrypt-keys` on GCE. You will need to adjust the volumes\ndefinition on other platforms. Once that is set up, you can have a dnscrypt server up\nin minutes.\n\n- Create a static IP on GCE. This will be used for the LoadBalancer.\n- Edit `kube/dnscrypt-init-job.yml`. Change `example.com` to your desired hostname\nand `127.0.0.1` to your static IP.\n- Edit `kube/dnscrypt-srv.yml` and change `loadBalancerIP` to your static IP in both locations.\n- Run `kubectl create -f kube/dnscrypt-init-job.yml` to set up your keys.\n- Run `kubectl create -f kube/dnscrypt-deployment.yml` to deploy the dnscrypt server.\n- Run `kubectl create -f kube/dnscrypt-srv.yml` to expose your server to the world.\n\nTo get your public key just view the logs for the `dnscrypt-init` job. 
The public\nIP for your server is merely the `dnscrypt` service address.\n\n# Usage with Docker Compose\n\nYou can set up a server very quickly with Docker Compose.\n\n- Run `docker-compose up`\n- Ctrl-C after keys are set up.\n- Edit `docker-compose.yml` to use the start command.\n- Run `docker-compose up`\n\nNow you will have a local server running on port 5443.\n\n# Customizing Unbound\n\n## Changing the Unbound configuration file\n\nTo add new configuration to Unbound, add files to the `/opt/unbound/etc/unbound/zones`\ndirectory. All files ending in `.conf` will be processed. In this manner, you\ncan add any directives to the `server:` section of the Unbound configuration.\n\n## Serving custom DNS records on a local network\n\nWhile Unbound is not a full authoritative name server, it supports resolving\ncustom entries in a way that is serviceable on a small, private LAN. You can use\nUnbound to resolve private hostnames such as `my-computer.example.com` within\nyour LAN.\n\nTo support such custom entries using this image, first map a volume to the zones\ndirectory. Add this to your `docker run` line:\n\n```text\n-v /etc/dnscrypt-server/zones:/opt/unbound/etc/unbound/zones\n```\n\nThe whole command to create and initialize a container would look something like\nthis:\n\n```sh\ndocker run --name=dnscrypt-server \\\n    -v /etc/dnscrypt-server/zones:/opt/unbound/etc/unbound/zones \\\n    -p 443:443/udp -p 443:443/tcp --net=host \\\n    jedisct1/dnscrypt-server init -N example.com -E '192.168.1.1:443'\n```\n\nCreate a new `.conf` file:\n\n```sh\ntouch /etc/dnscrypt-server/zones/example.conf\n```\n\nNow, add one or more Unbound directives to the file, such as:\n\n```zone\nlocal-zone: \"example.com.\" static\nlocal-data: \"my-computer.example.com. IN A 10.0.0.1\"\nlocal-data: \"other-computer.example.com. IN A 10.0.0.2\"\n```\n\n## Troubleshooting\n\nIf Unbound doesn't like one of the newly added directives, it\nwill probably not respond over the network. 
In that case, here are some commands\nto work out what is wrong:\n\n```sh\ndocker logs dnscrypt-server\ndocker exec dnscrypt-server /opt/unbound/sbin/unbound-checkconf\n```\n\n# Deleting everything\n\nIn order to delete everything (containers and images), type:\n\n```sh\ndocker rm --force dnscrypt-server ||:\ndocker rmi --force jedisct1/dnscrypt-server ||:\n```\n\n# Details\n\n- A minimal Ubuntu Linux as a base image.\n- Caching resolver: [Unbound](https://www.unbound.net/), with DNSSEC, prefetching,\nand no logs. The number of threads and memory usage are automatically adjusted.\nLatest stable version, compiled from source. qname minimisation is enabled.\n- [encrypted-dns-server](https://github.com/jedisct1/encrypted-dns-server).\nCompiled from source.\n\nKeys and certificates are automatically rotated every 8 hours.\n","funding_links":[],"categories":["\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"6381920f17576b07cc87a8dc619123aa\"\u003e\u003c/a\u003eDNS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnscrypt%2Fdnscrypt-server-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdnscrypt%2Fdnscrypt-server-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnscrypt%2Fdnscrypt-server-docker/lists"}