https://github.com/mapi68/dnscrypt-proxy-pihole
Preconfigured deb package for every Raspberry Pi and Pi-hole to use only best DNSCrypt, DNS-over-HTTPS and No-Log servers
- Host: GitHub
- URL: https://github.com/mapi68/dnscrypt-proxy-pihole
- Owner: mapi68
- Created: 2020-07-04T07:53:09.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2025-10-08T00:42:09.000Z (3 months ago)
- Last Synced: 2025-10-08T02:28:40.923Z (3 months ago)
- Topics: armv7, dns, dns-over-https, dns-privacy, dns-resolver, dns-server, dnscrypt, pi-hole, proxy, raspberry-pi, raspbian-os
- Language: Shell
- Homepage:
- Size: 25.3 MB
- Stars: 42
- Watchers: 3
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
# 🛡️ dnscrypt-proxy-pihole
📢 Secure DNS solution for your Raspberry Pi & Pi-hole setup
Enhanced DNS encryption and privacy for Pi-hole with pre-configured settings
---
## 📋 Table of Contents
[🔍 Overview](#overview) •
[✨ Features](#features) •
[🚀 Install](#install) •
[📜 Scripts](#scripts) •
[⚙️ Configuration](#configuration) •
[🔐 Verification](#verification) •
[🗑️ Uninstall](#uninstall)
---
A preconfigured DNSCrypt-proxy package for Raspberry Pi and Pi-hole users that ensures secure, encrypted DNS queries through carefully selected DNSCrypt and DNS-over-HTTPS servers with strict no-logging policies.
### 🎯 Key Benefits
- Encrypts all DNS queries for enhanced privacy
- Protects against DNS spoofing and MITM attacks
- Seamless integration with Pi-hole
- Pre-configured for optimal security and performance
### 📦 Compatibility
✅ **CURRENT VERSION:**
- [Raspberry Pi OS 64bit arm64](https://github.com/mapi68/dnscrypt-proxy-pihole/raw/refs/heads/master/dnscrypt-proxy-pihole_latest_arm64.deb)
- [Raspberry Pi OS 32bit armhf](https://github.com/mapi68/dnscrypt-proxy-pihole/raw/refs/heads/master/dnscrypt-proxy-pihole_latest_armhf.deb)
- Pi-hole v6.0+
- DNS server: `127.0.0.1#53533`
⚠️ **LEGACY VERSION:**
- [Raspberry Pi OS 11 (bullseye)](https://github.com/mapi68/dnscrypt-proxy-pihole/raw/refs/heads/master/dnscrypt-proxy-pihole_bullseye_armhf.deb)
| Feature | Description | Benefit |
|---|---|---|
| 🔒 DNSCrypt | Advanced DNS encryption | Protects against DNS surveillance |
| 🌐 DNS-over-HTTPS | Modern DNS protocol support | Additional security layer |
| 🕵️ Privacy Focus | No-log DNS servers only | Ensures query privacy |
| 🛡️ DNSSEC | Built-in validation | Prevents DNS spoofing |
| ⚡ Optimized | Raspberry Pi tuned | Efficient resource usage |
### Quick Install
```bash
curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/master/dnscrypt-proxy-pihole-install | bash
```
### 1. `install-latest-dnscrypt-proxy.bash`
🔄 Automated Installer
Downloads and installs the latest dnscrypt-proxy package from official Debian repositories.
**Features:**
- Auto-detects system architecture
- Downloads latest version from Debian repos
- Handles all dependencies
- Multi-architecture support (amd64, arm64, armhf, ...)
**Usage:**
```bash
curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/refs/heads/master/install-latest-dnscrypt-proxy.bash | bash
```
### 2. `dnscrypt-proxy-pihole.bash`
🔧 Configuration Script
Sets up DNSCrypt-proxy for optimal use with Pi-hole.
**Features:**
- Configures secure DNS settings
- Sets up port 53533 for Pi-hole
- Enables DNSSEC validation
- Configures no-logging policy
- Optimizes caching
**Usage:**
```bash
curl -sSfL https://raw.githubusercontent.com/mapi68/dnscrypt-proxy-pihole/refs/heads/master/dnscrypt-proxy-pihole.bash | bash
```
### Installation Methods
| Method | Description | When to Use |
|---|---|---|
| `dnscrypt-proxy-pihole-install` | Installs pre-configured package | For quick, automated setup |
| `install-latest-dnscrypt-proxy.bash` | Installs vanilla dnscrypt-proxy from Debian repos | For custom installations |
| `dnscrypt-proxy-pihole.bash` | Configures dnscrypt-proxy for Pi-hole | After manual installation |
### Pi-hole Setup
1. Access Pi-hole admin interface
2. Navigate to Settings → DNS
3. Configure:
   - Set Custom DNS: `127.0.0.1#53533`
   - Disable DNSSEC (handled by DNSCrypt)
### Important Files
- Configuration: `/etc/dnscrypt-proxy/dnscrypt-proxy.toml`
- Query Log: `/var/log/dnscrypt-proxy/query.log`
- Service: `/lib/systemd/system/dnscrypt-proxy.service`
### DNS Resolution:
```bash
tail -f /var/log/dnscrypt-proxy/query.log
```
### Service Status:
```bash
journalctl -f -u dnscrypt-proxy
```
### DNSSEC Validation Check (The Security Test):
```bash
dig +dnssec google.com @127.0.0.1 -p 53533
```
**Expected Status:** `status: NOERROR`
**Security Confirmation:** Confirms connectivity and successful resolution of a signed domain.
```bash
dig dnssec-failed.org @127.0.0.1 -p 53533
```
**Expected Status:** `status: SERVFAIL`
**Security Confirmation:** **Confirms active DNSSEC validation.** The resolver rejects the answer because its signature is invalid, protecting the system.
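The two checks above can be scripted so the result does not depend on reading `dig` output by eye. This is an added example, not one of the project's scripts: it classifies `dig` output by response status and by the `ad` (Authenticated Data) header flag. The function names are hypothetical and the sample outputs are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the project): classify the output of the two dig checks.
# Function names are hypothetical; sample outputs are constructed, not captured.

# Print the response code from dig's header line (NOERROR, SERVFAIL, ...).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags include "ad" (Authenticated Data), which a
# validating resolver sets only on answers it has authenticated.
dig_has_ad() {
    grep -Eq '^;; flags:[^;]* ad( |;)'
}

# $1 = dig output for a domain that should resolve
# $2 = dig output for a domain with a deliberately broken signature
dnssec_verdict() {
    _good=$(printf '%s\n' "$1" | dig_status)
    _bad=$(printf '%s\n' "$2" | dig_status)
    if [ "$_good" != "NOERROR" ]; then
        echo "FAIL: first lookup returned ${_good:-no status}, expected NOERROR"
        return 1
    elif [ "$_bad" != "SERVFAIL" ]; then
        echo "FAIL: broken-signature domain returned ${_bad:-no status}, expected SERVFAIL"
        return 1
    elif printf '%s\n' "$1" | dig_has_ad; then
        echo "PASS: SERVFAIL on the broken domain, and ad flag set on the good answer"
    else
        echo "PASS: SERVFAIL on the broken domain (good answer carries no ad flag)"
    fi
}

# Constructed samples: only the two header lines the functions read.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8765
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_verdict "$SAMPLE_OK" "$SAMPLE_BOGUS"

# Live use on the Pi, with the commands from this section:
#   dnssec_verdict "$(dig +dnssec google.com @127.0.0.1 -p 53533)" \
#                  "$(dig dnssec-failed.org @127.0.0.1 -p 53533)"
```

A `FAIL` on the second lookup means the broken-signature domain resolved, so answers are not being validated anywhere in the chain.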
### Online Tests
- [DNSLeakTest](https://www.dnsleaktest.com)
- [Cloudflare ESNI Check](https://www.cloudflare.com/ssl/encrypted-sni)
Remove completely with:
```bash
sudo apt --purge autoremove dnscrypt-proxy-pihole -y
```