Install DNSCrypt on OpenWrt for Beginners

DNSCrypt is a tool for securing communications between a client and a DNS resolver using elliptic-curve cryptography in the same way the SSL turns HTTP web traffic into HTTPS encrypted web traffic.

With DNSCrypt it can prevent spying, spoofing, and man-in-the-middle attacks from cyber criminals or even bypass DNS censorship from ISP's DNSLeak.

Warning: It has been tested only on OpenWrt Attitude Adjustment (12.09).


Minimum free space size requirement = (256.00 KB)


Step 1: Install DNSCrypt
  1. Open OpenWrt's LuCI Web's Interface
  2. Select tabs System - Software
  3. Click Update List
  4. In download and install packages type "dnscrypt-proxy" then click ok

For x86 Platforms (New Method)

cd /tmp
opkg install dnscrypt-proxy*.ipk
rm -f dnscrypt-proxy*ipk

For x86 Platforms (Old Method)

Install the required dependency (libsodium library).
mkdir -p /etc/ssl/certs/
wget -P /etc/ssl/certs/
cd /tmp
curl -OL --cacert /etc/ssl/certs/cacert.pem
opkg install libsodium_0.4.5-1_x86.ipk
rm -f libsodium*.ipk
Install the dnscrypt-proxy package from GitHub.
cd /tmp
curl -OL --cacert /etc/ssl/certs/cacert.pem
opkg install dnscrypt-proxy_1.4.0-1_x86.ipk
rm -f dnscrypt-proxy*.ipk

For ar71xx

If dnscrypt-proxy doesn't exist on available packages, you can download manually from official OpenWrt packages site.
cd /tmp
opkg install dnscrypt-proxy_*.ipk
rm -f dnscrypt-proxy*.ipk

Step 2 : Now the dnscrypt-proxy already installed, you can check by doing following command or view on the software list on the OpenWrt web interface.
opkg status | grep -n "dnscrypt-proxy"
The command show output:
  • 217:Package: dnscrypt-proxy
  • 224: /etc/config/dnscrypt-proxy 7524801bccfc5504202a7c469f9fbc51
If the command doesn't show any output, maybe there is a problem with the installation of dnscrypt-proxy.


Step 3: Enable to run at startup and start the dnscrypt-proxy manually.
  1. Connect your router via web interface
  2. Select tabs System - Startup
  3. Find in initscript - dnscrypt-proxy
  4. Click enabled and start
Step 4: After that we need to configure OpenWrt to send DNS request through dnscrypt address ( or ( for x86 Platform.
  1. Select Tabs Network - DHCP and DNS
  2. Select General Setting tabs - select DNS Forwardings Fill the both column with and /
  3. Select Resolv and Hosts File - Check the Ignore Resolve file (Optional)
  4. Press Save & Apply
Step 5: Now restart dnsmasq service or the router.
  1. Select Tabs System - Startup
  2. Find in initscript - dnsmasq
  3. Click Restart
You've finished the steps!


On Router

- Run the following commands in the OpenWrt shell:
logread | grep -n "using nameserver"
logread | grep "Proxying from"
The command will show output:
  • 132:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver for domain
  • 133:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver
  • Jul 1 12:00:00 openwrt dnscrypt-proxy[1831]: Proxying from to

On Client

- In Windows 
Run following command on command prompt (cmd):
  1. nslookup
  2. set type=txt
- In Linux
Run following commands on terminal/konsole:
  1. dig txt
the output should be contain "dnscrypt enabled (7165343751484877)".


Update Notes

  • (15, June 2014) OpenWrt has been added "dnscrypt-proxy" packages into default packages (Attitude Adjustment 12.09 and higher)
  • (27, June 2014) Added x86 Platform and old versions installation steps (Thanks to locusf on Reddit)