██░ ██  ▄▄▄       ██▀███  ▓█████▄ ▓█████  ███▄    █ ▓█████ ▓█████▄ 
▓██░ ██▒▒████▄    ▓██ ▒ ██▒▒██▀ ██▌▓█   ▀  ██ ▀█   █ ▓█   ▀ ▒██▀ ██▌
▒██▀▀██░▒██  ▀█▄  ▓██ ░▄█ ▒░██   █▌▒███   ▓██  ▀█ ██▒▒███   ░██   █▌
░▓█ ░██ ░██▄▄▄▄██ ▒██▀▀█▄  ░▓█▄   ▌▒▓█  ▄ ▓██▒  ▐▌██▒▒▓█  ▄ ░▓█▄   ▌
░▓█▒░██▓ ▓█   ▓██▒░██▓ ▒██▒░▒████▓ ░▒████▒▒██░   ▓██░░▒████▒░▒████▓ 
 ▒ ░░▒░▒ ▒▒   ▓▒█░░ ▒▓ ░▒▓░ ▒▒▓  ▒ ░░ ▒░ ░░ ▒░   ▒ ▒ ░░ ▒░ ░ ▒▒▓  ▒ 

 ▄▄▄       ███▄    █  ▒█████   ███▄    █▓██   ██▓ ███▄ ▄███▓ ██▓▒███████▒▓█████ ▓█████▄ 
▒████▄     ██ ▀█   █ ▒██▒  ██▒ ██ ▀█   █ ▒██  ██▒▓██▒▀█▀ ██▒▓██▒▒ ▒ ▒ ▄▀░▓█   ▀ ▒██▀ ██▌
▒██  ▀█▄  ▓██  ▀█ ██▒▒██░  ██▒▓██  ▀█ ██▒ ▒██ ██░▓██    ▓██░▒██▒░ ▒ ▄▀▒░ ▒███   ░██   █▌
░██▄▄▄▄██ ▓██▒  ▐▌██▒▒██   ██░▓██▒  ▐▌██▒ ░ ▐██▓░▒██    ▒██ ░██░  ▄▀▒   ░▒▓█  ▄ ░▓█▄   ▌
 ▓█   ▓██▒▒██░   ▓██░░ ████▓▒░▒██░   ▓██░ ░ ██▒▓░▒██▒   ░██▒░██░▒███████▒░▒████▒░▒████▓ 

▓█████▄  ███▄    █   ██████  ▄████▄   ██▀███ ▓██   ██▓ ██▓███  ▄▄▄█████▓
▒██▀ ██▌ ██ ▀█   █ ▒██    ▒ ▒██▀ ▀█  ▓██ ▒ ██▒▒██  ██▒▓██░  ██▒▓  ██▒ ▓▒
░██   █▌▓██  ▀█ ██▒░ ▓██▄   ▒▓█    ▄ ▓██ ░▄█ ▒ ▒██ ██░▓██░ ██▓▒▒ ▓██░ ▒░
░▓█▄   ▌▓██▒  ▐▌██▒  ▒   ██▒▒▓▓▄ ▄██▒▒██▀▀█▄   ░ ▐██▓░▒██▄█▓▒ ▒░ ▓██▓ ░ 
░▒████▓ ▒██░   ▓██░▒██████▒▒▒ ▓███▀ ░░██▓ ▒██▒ ░ ██▒▓░▒██▒ ░  ░  ▒██▒ ░ 

 ██▓███   ██▀███   ▒█████  ▒██   ██▒▓██   ██▓
▓██░  ██▒▓██ ▒ ██▒▒██▒  ██▒▒▒ █ █ ▒░ ▒██  ██▒
▓██░ ██▓▒▓██ ░▄█ ▒▒██░  ██▒░░  █   ░  ▒██ ██░
▒██▄█▓▒ ▒▒██▀▀█▄  ▒██   ██░ ░ █ █ ▒   ░ ▐██▓░
▒██▒ ░  ░░██▓ ▒██▒░ ████▓▒░▒██▒ ▒██▒  ░ ██▒▓░

🛡️ Hardened-Anonymized-DNSCrypt-Proxy

「 Eradicate Surveillance From Your Network Stack 」

---

📡 Abstract

A military-grade DNS proxy implementation featuring cryptographic authentication channels and traffic anonymization layers. This project hardens the upstream DNSCrypt-Proxy with pre-configured security parameters optimized for maximum privacy and minimal attack surface.

Implements modern encrypted DNS protocols:

Protocol	Specification	Status
DNSCrypt v2	dnscrypt.info/protocol	✅ Enabled
DNS-over-HTTPS	RFC 8484	❌ Disabled
Anonymized DNSCrypt	ANONYMIZED-DNSCRYPT.txt	✅ Enabled
ODoH	Oblivious DoH	❌ Disabled

---

🔬 Technical Architecture

┌─────────────────────────────────────────────────────────────────────────────────┐
│                              YOUR LOCALHOST                                     │
│                               127.0.0.1:53                                      │
└─────────────────────────────────────────────────────────────────────────────────┘
                                      │
                                      ▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│                         DNSCrypt-Proxy Daemon                                   │
│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────────────────────┐  │
│  │ Ephemeral Keys  │  │ DNSSEC Validate │  │ Blocklist/Allowlist Filtering   │  │
│  │ (Per-Query Gen) │  │ (Cryptographic) │  │ (Pattern Matching Engine)       │  │
│  └─────────────────┘  └─────────────────┘  └─────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────────┘
                                      │
                          ┌───────────┴───────────┐
                          ▼                       ▼
              ┌─────────────────────┐ ┌─────────────────────┐
              │   RELAY NODE #1     │ │   RELAY NODE #2     │
              │  (Anonymization)    │ │  (Anonymization)    │
              │  ┌───────────────┐  │ │  ┌───────────────┐  │
              │  │ No Logs Policy│  │ │  │ No Logs Policy│  │
              │  │ TCP/443       │  │ │  │ TCP/443       │  │
              │  └───────────────┘  │ │  └───────────────┘  │
              └─────────────────────┘ └─────────────────────┘
                          │                       │
                          └───────────┬───────────┘
                                      ▼
              ┌─────────────────────────────────────────────┐
              │            DNSCrypt RESOLVER                │
              │  ┌─────────────────────────────────────┐    │
              │  │ • X25519-XSalsa20Poly1305 Encryption│    │
              │  │ • DNSSEC Validation                 │    │
              │  │ • No Client IP Visibility           │    │
              │  └─────────────────────────────────────┘    │
              └─────────────────────────────────────────────┘

---

⚙️ Features Matrix

📖 For comprehensive feature documentation, consult the OFFICIAL DOCUMENTATION

📦 All binaries sourced from OFFICIAL RELEASES (GPG verified)

---

🎯 Project Rationale

Manual configuration of DNSCrypt-Proxy on Linux involves significant overhead and potential for misconfiguration. This project delivers a turnkey, security-hardened solution with optimized defaults—because privacy shouldn't require a PhD in cryptography.

---

🐧 Supported Distributions

Distribution	Init System	Network Manager	Status
Arch Linux	SystemD	NetworkManager	✅ Supported
Arch-based Derivatives	SystemD	NetworkManager	✅ Supported

---

🔧 Hardened Configuration Delta

Cryptographic & Protocol Settings

Parameter	Default	Hardened	Rationale
doh_servers	true	false	DoH traffic pattern analysis mitigation; DNSCrypt provides superior anonymization
require_dnssec	false	true	Cryptographic validation of DNS responses (RFC 4033-4035)
force_tcp	false	true	Mitigates mobile carrier UDP fragmentation issues with anonymized routes (ref)
dnscrypt_ephemeral_keys	false	true	X25519 keypair regeneration per-query; prevents temporal correlation attacks
block_ipv6	false	true	Null response to AAAA queries; prevents IPv6 leak vectors

Response Handling

Parameter	Value	Description
blocked_query_response	'refused'	Returns REFUSED RCODE for blocked domains (RFC 8914 compliant)

Bootstrap Configuration

Parameter	Value	Service
bootstrap_resolvers	['9.9.9.9:53']	Quad9 - Threat-blocking, DNSSEC-validating resolver
netprobe_address	'9.9.9.9:53'	Network connectivity probe endpoint

Anonymization Layer

Parameter	Value	Security Implication
anonymized_dns	enabled	Traffic routed through relay nodes; resolver sees relay IP, not client IP
routes	2 relays/resolver	Redundant anonymization paths per upstream
skip_incompatible	true	Silently bypass resolvers lacking anonymization support
direct_cert_fallback	false	Never fallback to direct connection on cert retrieval failure

🌐 Resolver Fleet

Click to expand resolver list (20 nodes across 12 countries)

Resolver	Country	Region
ams-dnscrypt-nl	🇳🇱 NLD	Europe
d0wn-tz-ns1	🇹🇿 TZA	Africa
dct-nl	🇳🇱 NLD	Europe
dct-ru	🇷🇺 RUS	Europe
dnscrypt.be	🇧🇪 BEL	Europe
dnscrypt.pl	🇵🇱 POL	Europe
dnscrypt.uk-ipv4	🇬🇧 GBR	Europe
dnswarden-uncensor-dc-swiss	🇨🇭 CHE	Europe
meganerd	🇳🇱 NLD	Europe
openinternet	🇺🇸 USA	North America
plan9dns-fl	🇺🇸 USA	North America
plan9dns-mx	🇲🇽 MEX	North America
plan9dns-nj	🇺🇸 USA	North America
pryv8boi	🇩🇪 DEU	Europe
sby-limotelu	🇮🇩 IDN	Asia
scaleway-ams	🇳🇱 NLD	Europe
scaleway-fr	🇫🇷 FRA	Europe
serbica	🇳🇱 NLD	Europe
techsaviours.org-dnscrypt	🇩🇪 DEU	Europe
v.dnscrypt.uk-ipv4	🇬🇧 GBR	Europe

---

🚀 Deployment

Installation Vector

# Clone the repository
git clone https://github.com/D357R0Y3R/Hardened-Anonymized-DNSCrypt-Proxy

# Navigate to project root
cd Hardened-Anonymized-DNSCrypt-Proxy

# Build package (clean, rebuild, force, sync, skip checksums)
makepkg -Ccrfs --noconfirm

# Deploy to system
sudo pacman -U *.zst

Removal Procedure

# Purge package + dependencies + configs (recursive, nosave, cascade, unneeded)
sudo pacman -Rcnsu Hardened-Anonymized-DNSCrypt-Proxy

---

🛠️ Post-Installation Configuration

Configuration File Location

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

Service Management

# Check service status
systemctl status dnscrypt-proxy

# Restart after config changes
sudo systemctl restart dnscrypt-proxy

# View real-time logs
journalctl -fu dnscrypt-proxy

📚 Advanced Configuration: Consult the Official Wiki

---

🧱 Filters [Optional Module]

The integrated filtering engine provides granular control over DNS resolution:

Filter Type	Function	Use Case
Blocklists	Pattern-based domain blocking	Ads, trackers, malware, telemetry
Allowlists	Whitelist override	False positive mitigation
IP Blocklists	Response IP filtering	Malicious IP blocking
Cloaking	Custom A/AAAA responses	Local DNS overrides

📖 Documentation: DNSCrypt-Proxy Filters Wiki

---

🔍 Verification & Testing

DNS Leak Test

Tool	URL	Tests
dnscheck.tools	dnscheck.tools	Leak detection, DNSSEC validation, resolver identification

Local Verification Commands

# Verify listening socket
ss -tulnp | grep 53

# Test DNSSEC validation
dig +dnssec cloudflare.com

# Query via dnscrypt-proxy
dig @127.0.0.1 example.com

# Check resolver being used
dig +short txt whoami.ds.akahelp.net

---

📊 Security Considerations

┌────────────────────────────────────────────────────────────────┐
│                    THREAT MODEL COVERAGE                       │
├────────────────────────────────────────────────────────────────┤
│ ✅ DNS Query Encryption          (X25519-XSalsa20Poly1305)     │
│ ✅ DNS Response Authentication   (DNSSEC / Ed25519)            │
│ ✅ Traffic Analysis Mitigation   (Anonymized DNS Routes)       │
│ ✅ Temporal Correlation Defense  (Ephemeral Keys)              │
│ ✅ IPv6 Leak Prevention          (AAAA Query Blocking)         │
│ ✅ Resolver Logging Mitigation   (No-Log Policy Resolvers)     │
└────────────────────────────────────────────────────────────────┘

---

🙏 Acknowledgments

Frank Denis DNSCrypt Creator

All Contributors DNSCrypt-Proxy Team

---

🔐 "Privacy is not about having something to hide. Privacy is about having something to protect."

_{Made with 🖤 for the privacy-conscious community}