A small image based on Alpine Linux that downloads the latest version of dnscrypt-proxy and sets the environment to run the proxy.

The configuration must be stored in `/etc/dnscrypt-proxy`. The rest of the files (like logs) can be located in other places if you want. By default, the proxy will try to read the configuration from `/etc/dnscrypt-proxy/dnscrypt-proxy.toml`. If that's not your case, you can modify the arguments and the environment variable `CONFIG_PATH`. Remember that every relative path in the files referenced from the configuration will be located in the same directory as the configuration.

Note: The proxy will always run as an unprivileged user. In your configuration, you should use a port higher than `1024` (like `5353`) and then you can expose the port as `53` or whatever other you want. This is done for you by default when the config volume is empty.

In Docker Hub, you can find these tags for `melchor9000/dnscrypt-proxy`:

- `latest`: all supported architectures
- `amd64`: x86_64/amd64
- `arm`: armhf (armv7)
- `arm64`: aarch64 (armv8 64-bit)
- VERSION: select one version of dnscrypt-proxy to use (e.g.: `2.0.42`)

All images are based on the Alpine image to keep the image size low.

The configuration files are written to the volume when you run dnscrypt-proxy for the first time (only on this first run). My recommendation is to run the container once, let the configuration be written to the volume, and then stop it. Now you can easily modify everything you want.

This first run also modifies some values of the configuration, which you can change if you know what you are doing. As mentioned before, the proxy runs as an unprivileged user, so by default it will listen on port 5353. Also, the public resolvers list will be downloaded to the folder `/etc/dnscrypt-proxy/resolvers`.

This initial configuration is good enough to start doing things. For a production environment, however, it is recommended to modify some of the configuration files. These files have comments that will help you modify them, and you can consult the official wiki to learn more.

- Do not modify the `listen_addresses`, it's ok
- Do not uncomment or set `user_name`
- If docker has enabled IPv6 connectivity and you have IPv6 to the internet, you should set the line `ipv6_servers` to `true`
- Do not set a `log_file` nor `use_syslog`, let docker manage the log :)
- Could be a good idea to change the `fallback_resolver`, by default is `9.9.9.9:53`
- Could be a good idea to check the `cache` options
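
The checklist above can be turned into a check that runs against the config volume before the container is started. The following shell function is an added example, not part of the image or of dnscrypt-proxy; `check_config` and `active_key` are hypothetical names and the sample file is constructed.

```shell
#!/bin/sh
# Added example: lint a dnscrypt-proxy.toml against this README's advice.
# check_config and active_key are hypothetical helpers, not shipped with the image.

# Print the active (uncommented) assignment of KEY ($2) in FILE ($1), if any.
active_key() { grep -E "^[[:space:]]*$2[[:space:]]*=" "$1"; }

# Print one line per finding; the return status is the number of findings.
check_config() {
    cfg=$1
    findings=0
    # The container already runs unprivileged, so user_name must stay unset.
    if active_key "$cfg" user_name >/dev/null; then
        echo "user_name is set: leave it commented out"
        findings=$((findings + 1))
    fi
    # Logs should not go to a file or syslog; Docker manages them.
    if active_key "$cfg" log_file >/dev/null; then
        echo "log_file is set: let Docker manage the log"
        findings=$((findings + 1))
    fi
    if active_key "$cfg" use_syslog | grep -Eq '=[[:space:]]*true'; then
        echo "use_syslog is enabled: let Docker manage the log"
        findings=$((findings + 1))
    fi
    # README guidance: every listen port should be higher than 1024.
    ports=$(active_key "$cfg" listen_addresses | tr ',' '\n' |
        sed -n "s/.*:\([0-9][0-9]*\)['\"].*/\1/p")
    for p in $ports; do
        if [ "$p" -le 1024 ]; then
            echo "listen port $p is not above 1024: use e.g. 5353 and publish it as 53"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample configuration (not taken from the image).
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen_addresses = ['0.0.0.0:53', '[::]:5353']
# user_name = 'nobody'
log_file = 'dnscrypt-proxy.log'
EOF
check_config "$sample" || echo "findings: $?"
rm -f "$sample"
```
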

The first environment variable that can be configured is `CONFIG_PATH`. By default it is `/etc/dnscrypt-proxy`, but you can change it if you want. This variable tells the init script where the configuration folder is inside the container. Changing it is not recommended, as the default value is valid, but you can do so if you need to.

There is another environment variable, `DNSCRYPT_PROXY_RULES`, which enables the following rules and filters for you: `forwarding`, `cloaking`, `blocked-names`, `blocked-ips`, `allowed-names`, `allowed-ips`, `captive-portals` and `local-doh`. The supported value is a comma-separated list of the rules/filters to enable. By default, nothing is enabled.

NOTE: When enabling cloaking rules, be aware that the file `cloaking-rules.txt` comes with some pre-defined rules which can block access to certain websites' video/search content, such as YouTube, Google and Yandex. You should modify the file first to adapt it to your needs before enabling `cloaking` using the environment variable `DNSCRYPT_PROXY_RULES`.

```shell
docker container run --rm -d -v "$PWD/config:/etc/dnscrypt-proxy" -p 53:5353/udp melchor9000/dnscrypt-proxy
```

The listen address is `['0.0.0.0:5353']`.

```yaml
version: '3.6'
services:
  server:
    image: melchor9000/dnscrypt-proxy
    ports:
      - target: 5353
        published: 53
        protocol: udp
        mode: host
      # enable this only if local DoH is going to be used
      - target: 8443
        published: 443
        protocol: tcp
        mode: host
    restart: always
    volumes:
      # Here I have the toml and txt files
      # The cache is stored in another folder, but is not persisted
      - "./conf:/etc/dnscrypt-proxy"
    deploy:
      mode: replicated
      replicas: 2
```