This page describes how to install and use dnscrypt on Artix Linux. For more information refer to Dnscrypt-proxy on Archwiki.


Install the dnscrypt-proxy-openrc package. dnscrypt-proxy will be installed as dependency.

 # pacman -S dnscrypt-proxy-openrc


[FATAL] listen udp bind: permission denied

Since dnscrypt-proxy is running as user dnscrypt, polkit settings prevent it from binding to a port that is below 1024. The workaround is to edit /etc/conf.d/dnscrypt-proxy to start the service as root. Change file contents from

 #DNSCRYPT_OPTS="--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"


 #DNSCRYPT_OPTS="--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml"

Now, to mitigate the security risk of running dnscrypt as root we will ask dnscrypt to drop privileges upon startup. This can be done by editing /etc/dnscrypt-proxy/dnscrypt-proxy.toml. Find a line that says

 # user_name = 'nobody'

and uncomment it. This will cause dnscrypt to partially drop permissions after starting up as explained in the config file:

 Two processes will be running. The first one will keep root privileges, but is only a supervisor, that does nothing except create the sockets, manage the service, and restart it if it crashes. The second process is the service itself, and that one will always run as a different user.

To start dnscrypt run:

 # rc-service dnscrypt-proxy start

To enable it on system startup, add dnscrypt-proxy to the default runlevel:

 # rc-update add dnscrypt-proxy default

A negative side effect is the loss of write access to the logfile /var/log/dnscrypt-proxy/dnscrypt-proxy.log and thus a de-facto loss of logging functionality. Can be mitigated by using syslog-ng. For that edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml to include the following option:

 use_syslog = true

Make sure that you have a logger installed and added to your default runlevel.