OpenWrt DNSCrypt


DNSCrypt offers a way to protect clients against attacks based on the modification and manipulation of DNS traffic. The main objective of DNSCrypt is authentication of the communication channel between the client (you) and a resolver supporting the protocol, which protects the client from man-in-the-middle attacks. In addition, encryption of DNS communication improves the client’s privacy. DNSCrypt is the client-side counterpart of dnscrypt-wrapper.

The dnscrypt-proxy client project is maintained by Frank Denis (jedisct1).

DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven’t been tampered with.

This is not a VPN. It doesn’t mask your IP address, and if you are using it with a public DNS service, be aware that it will (and has to) decrypt your queries.

If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN “leaks”, this isn’t the right tool either: the proper way to prevent VPN “leaks” is to avoid sending data to yet another third party, i.e. use a VPN service that operates its own DNS resolvers.


dnscrypt-proxy and libsodium are in the official repository for Chaos Calmer 15.05 and up.

opkg update
opkg install dnscrypt-proxy
  • If installed skip to configuration.
  • If somehow you can’t install it that way, proceed with the following instructions.

ar71xx and Barrier Breaker

The OpenWrt package for ar71xx is maintained by black-roland.

Differences with OpenWrt packages:

Package Difference
dnscrypt-proxy Newest version for Chaos Calmer. Barrier Breaker support. Procd support and possibility of launching multiple instances.
libsodium Newest version for Chaos Calmer. Barrier Breaker support.
iodine Memory usage reduction patch.

This will install dnscrypt-proxy as well as any dependent libraries such as libsodium.

Add the third-party package source to your opkg configuration file /etc/opkg.conf according to your OpenWrt version.

Chaos Calmer:

cd /tmp
wget ''
opkg-key add
echo 'src/gz exopenwrt' >> /etc/opkg.conf

Barrier Breaker:

And proceed with the installation itself:

opkg update
opkg install dnscrypt-proxy

Forum thread


dnscrypt-proxy listens on the address and port set in its configuration (port 5353 in the configuration below); we need to set OpenWrt to send its DNS requests to that address.

Server configuration


The config file /etc/config/dnscrypt-proxy is simple and should be edited according to your needs. Possible values for the ‘resolver’ option are the first column in the list of public DNSCrypt resolvers.

config dnscrypt-proxy
	option address ''
	option port '5353'
	# option resolver 'cisco'
	# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# option ephemeral_keys '1'


Name Type Required Default Description
address string yes The IP address of the proxy server.
port string yes 5353 Listening port for DNS queries.
resolver string no cisco DNS service for resolving queries. You can’t add more than one resolver.
resolvers_list string no /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv Location of CSV file containing list of resolvers.
ephemeral_keys boolean no 0 Improve privacy by using an ephemeral public key for each query. Recommended if you are not using your own server. Ephemeral keys option requires extra CPU cycles and can cause huge system load. Disable it in case of performance problems.

If you need to specify other options, you will have to edit the /etc/init.d/dnscrypt-proxy script.

Note: I had some confusion at setup, so a reminder: the address and port options describe the local proxy server. You just have to pick a DNSCrypt server from the resolvers list, put its name in the resolver option, and comment out the resolvers and resolvers list settings.

Now we will start DNSCrypt and enable auto boot for it:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Note: If dnscrypt-proxy is not starting after a router reboot, it may be trying to start before the network interface is fully up. Add the following to /etc/rc.local, above the line “exit 0”:

sleep 10
/etc/init.d/dnscrypt-proxy start
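
The fixed sleep above is a guess at how long the WAN takes to come up. As an added example (not from the OpenWrt wiki), the following preflight script waits, with a timeout, for a default route and also warns when the system clock is obviously wrong, which is the condition behind the certificate errors described further down this page. The script name, the log tag and the 2016 cutoff date are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: a bounded wait for the WAN plus a
# clock sanity check, to call from /etc/rc.local instead of a fixed sleep.
# The log tag, script name and the 2016 cutoff date are assumptions.

# 2016-01-01 UTC as a Unix timestamp. A router without a battery-backed RTC
# boots in 1970, and dnscrypt-proxy then rejects every server certificate.
SANE_EPOCH=1451606400

# Return 0 when the system clock is at or after SANE_EPOCH, 1 otherwise.
clock_is_sane() {
    now=$(date +%s)
    [ "$now" -ge "$SANE_EPOCH" ]
}

# wait_until CMD SECONDS: re-run the shell command CMD once per second until it
# succeeds (return 0) or SECONDS have elapsed (return 1).
wait_until() {
    cmd=$1
    limit=${2:-30}
    n=0
    while [ "$n" -lt "$limit" ]; do
        if eval "$cmd" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Return 0 when a default route is present (busybox "ip" or "route").
have_default_route() {
    ip route 2>/dev/null | grep -q '^default ' ||
        route -n 2>/dev/null | grep -q '^0\.0\.0\.0 '
}

main() {
    if ! wait_until have_default_route 60; then
        logger -t dnscrypt-preflight "no default route after 60s, starting anyway"
    fi
    if ! clock_is_sane; then
        logger -t dnscrypt-preflight "clock reads $(date); certificates will be rejected until NTP syncs"
    fi
    /etc/init.d/dnscrypt-proxy start
}

# In /etc/rc.local, above "exit 0":  sh /root/dnscrypt-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The proxy is started even when the clock check fails: with the time-server exception in the dnsmasq configuration, NTP can still correct the clock, and dnscrypt-proxy refetches its server certificates afterwards (the "Refetching server certificates" line in the log excerpt below).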


Assuming you are using dnsmasq, edit the resolvfile, noresolv and server lines in /etc/config/dhcp (they are explained below the block):

config dnsmasq
	option domainneeded 1
	option boguspriv 1
	option filterwin2k 0
	option localise_queries 1
	option rebind_protection 1
	option rebind_localhost 1
	option local '/lan/'
	option domain 'lan'
	option expandhosts 1
	option nonegcache 0
	option authoritative 1
	option readethers 1
	option leasefile '/tmp/dhcp.leases'
	# option resolvfile '/tmp/'
	option noresolv 1
	list server ''
	list server '/'
	# list server ''
	# list server ''
  • We have disabled the /tmp/ file since it instructs dnsmasq to use your ISP’s DNS.
  • The noresolv option also disables the /etc/resolv.conf file for a similar reason.
  • is the DNSCrypt address.
  • / adds an exception for, which will be resolved through the standard unencrypted DNS channel. DNSCrypt requires an accurate system clock, otherwise it will not resolve any domain, including that one. If your device’s time were wrong it could never sync its time, so DNSCrypt would never work; the exception lets those queries always bypass DNSCrypt and resolve through the standard unencrypted OpenDNS method.

Reboot router or restart dnsmasq for the changes to take effect.

/etc/init.d/dnsmasq restart
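
The two configuration files above are easy to get subtly wrong (an uncommented resolvfile, a second plaintext server, a proxy port that does not match). As an added example, not from the OpenWrt wiki, this script audits both UCI sections: the dnscrypt-proxy section must carry exactly one resolver and listen where dnsmasq sends queries, and every dnsmasq upstream must be the proxy except domain-scoped exceptions like the time-server one. The proxy address 127.0.0.1, the resolvfile path, the domain time.example and all IPs are constructed; the configs are embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: audit /etc/config/dnscrypt-proxy
# and the dnsmasq section of /etc/config/dhcp. Addresses, paths and domain
# names below are constructed placeholders.

PROXY_ADDR='127.0.0.1'               # assumed dnscrypt-proxy 'address'
PROXY_PORT='5353'                    # 'port' from the wiki configuration
PROXY="${PROXY_ADDR}#${PROXY_PORT}"  # dnsmasq upstream syntax: ip#port

# Constructed /etc/config/dnscrypt-proxy: one resolver, list file commented.
PROXY_CFG="config dnscrypt-proxy
    option address '127.0.0.1'
    option port '5353'
    option resolver 'cisco'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
"

# Constructed hardened dnsmasq section: resolvfile disabled, noresolv set,
# the proxy as upstream, one unencrypted exception for the NTP host.
GOOD_DHCP="config dnsmasq
    option domainneeded 1
    option rebind_protection 1
    option noresolv 1
    # option resolvfile '/tmp/isp-resolv.conf'
    list server '127.0.0.1#5353'
    list server '/time.example/192.0.2.53'
"

# Constructed weak section: ISP resolvers still reachable three ways.
BAD_DHCP="config dnsmasq
    option noresolv 0
    option resolvfile '/tmp/isp-resolv.conf'
    list server '127.0.0.1#5353'
    list server '192.0.2.1'
"

# uci_section TEXT NAME: print the uncommented, unquoted lines of one section.
uci_section() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        /^[ \t]*#/ { next }
        /^config / { insec = ($2 == want); next }
        insec { gsub(q, ""); print }'
}

# Print findings for the dnscrypt-proxy section; exit 0 only without FAIL lines.
audit_dnscrypt_proxy() {
    uci_section "$1" dnscrypt-proxy | awk -v addr="$PROXY_ADDR" -v port="$PROXY_PORT" '
        $1 == "option" && $2 == "address"  { a = $3 }
        $1 == "option" && $2 == "port"     { p = $3 }
        $1 == "option" && $2 == "resolver" { r++ }
        $1 == "option" && $2 == "resolvers_list" { print "INFO: resolvers_list is active" }
        END {
            if (a != addr || p != port) { print "FAIL: listener " a "#" p " differs from dnsmasq upstream " addr "#" port; bad++ }
            if (r != 1) { print "FAIL: expected exactly one resolver, found " (r + 0); bad++ }
            exit (bad > 0)
        }'
}

# Print findings for the dnsmasq section; exit 0 only without FAIL lines.
audit_dnsmasq() {
    uci_section "$1" dnsmasq | awk -v proxy="$PROXY" '
        $1 == "option" && $2 == "noresolv"   { noresolv = $3 }
        $1 == "option" && $2 == "resolvfile" { resolvfile = $3 }
        $1 == "list" && $2 == "server" {
            if ($3 == proxy) { viaproxy++ }
            else if ($3 ~ /^\/[^\/]+\/[^\/]+$/) { exc = exc " " $3 }
            else { print "FAIL: plaintext upstream " $3 " bypasses the proxy"; bad++ }
        }
        END {
            if (noresolv != "1") { print "FAIL: noresolv is not 1, /etc/resolv.conf still consulted"; bad++ }
            if (resolvfile != "") { print "FAIL: resolvfile " resolvfile " active, ISP DNS still consulted"; bad++ }
            if (!viaproxy) { print "FAIL: no list server entry for " proxy; bad++ }
            if (exc != "") { print "INFO: unencrypted exceptions:" exc }
            exit (bad > 0)
        }'
}

# On the router: sh dnscrypt-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_dnscrypt_proxy "$(cat /etc/config/dnscrypt-proxy)"
    audit_dnsmasq "$(cat /etc/config/dhcp)"
fi
```

Domain-scoped entries are reported as INFO rather than FAIL because each one is a deliberate plaintext path; the list should contain only the time server, so anything else in that line deserves a second look.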

Client configuration

Note: you may need admin privileges to run the commands below.


sudo /etc/init.d/nscd restart


sudo /etc/init.d/networking restart


ipconfig /flushdns

Mac OS X

  • Mac OSX 10.4 (Tiger)
    • lookupd -flushcache
  • Mac OSX 10.5/10.6 (Leopard/Snow Leopard)
    • dscacheutil -flushcache


How to check what features are supported by your resolver

  1. The DNS leak test or DNS randomness test will show the actual IP of your DNS. You can check here if the IP is associated with the service you are using (put the IP in the search field).
  2. DNSSEC resolver test determines whether your DNS resolver validates DNSSEC signatures.
  3. If you can access DNSCrypt.bit, your resolver can resolve domain names using Namecoin.

How to check if your DNS queries are using dnscrypt

On the router:

pkill -STOP dnscrypt-proxy

DNS resolution should not work any more.

To restore service, unfreeze the client proxy:

pkill -CONT dnscrypt-proxy

How to check if dnscrypt-proxy is set up and running

The easy way is to look in the log.

  1. Check if dnsmasq is using only dnscrypt. Only the last block of logged nameservers is relevant.
    • logread | grep -n "using nameserver"
    • 132:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver for domain
      133:Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver
  2. Check that dnscrypt-proxy is working.
    • logread | grep "Proxying from"
    • Jul 1 12:00:00 openwrt dnscrypt-proxy[1831]: Proxying from to
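
Reading the log by eye works once; the two checks above as a script are easier to repeat after every reboot. This is an added example, not from the OpenWrt wiki: it picks the nameserver lines of the most recent dnsmasq process (the "last block"), verifies that each upstream is the proxy or a domain-scoped exception, and confirms that dnscrypt-proxy logged "Proxying from". The log lines, PIDs, IPs and the proxy address 127.0.0.1#5353 are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: the logread checks as functions,
# run over constructed log lines. PIDs, IPs and the proxy address are assumed.

PROXY='127.0.0.1#5353'    # assumed dnscrypt-proxy listener in dnsmasq syntax

# Constructed logread excerpt: an old dnsmasq (PID 1520) still using the ISP
# resolvers, the proxy starting, then the restarted dnsmasq (PID 1883).
SAMPLE_LOG="Jan  1 01:00:00 openwrt dnsmasq[1520]: using nameserver 192.0.2.1#53
Jan  1 01:00:00 openwrt dnsmasq[1520]: using nameserver 192.0.2.2#53
Jan  1 01:00:30 openwrt dnscrypt-proxy[1831]: Proxying from 127.0.0.1:5353 to 198.51.100.7:443
Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver 192.0.2.53#53 for domain time.example
Jan  1 01:01:00 openwrt dnsmasq[1883]: using nameserver 127.0.0.1#5353"

# Constructed excerpt where dnsmasq was never restarted after the change.
STALE_LOG="Jan  1 01:00:00 openwrt dnsmasq[1520]: using nameserver 192.0.2.1#53
Jan  1 01:00:00 openwrt dnsmasq[1520]: using nameserver 192.0.2.2#53"

# Print only the "using nameserver" lines of the most recent dnsmasq process;
# earlier blocks belong to instances that are no longer running.
last_nameserver_block() {
    printf '%s\n' "$1" | awk '
        /dnsmasq\[[0-9]+\]: using nameserver / {
            match($0, /dnsmasq\[[0-9]+\]/)
            pid = substr($0, RSTART + 8, RLENGTH - 9)
            line[NR] = $0; owner[NR] = pid; last = pid
        }
        END { for (i = 1; i <= NR; i++) if (i in line && owner[i] == last) print line[i] }'
}

# Exit 0 when every upstream in the last block is the proxy or a domain-scoped
# exception; print FAIL lines otherwise.
check_dnsmasq_upstreams() {
    last_nameserver_block "$1" | awk -v proxy="$PROXY" '
        {
            ns = $0; sub(/.*using nameserver /, "", ns)
            if (ns ~ / for domain /) { print "INFO: scoped exception: " ns; next }
            if (ns == proxy) { ok++; next }
            print "FAIL: plaintext upstream " ns; bad++
        }
        END {
            if (!ok) { print "FAIL: " proxy " absent from the last nameserver block"; bad++ }
            exit (bad > 0)
        }'
}

# Exit 0 when dnscrypt-proxy has logged that it is proxying.
check_proxy_running() {
    printf '%s\n' "$1" | grep -q 'dnscrypt-proxy\[[0-9]*\]: Proxying from '
}

# On the router: sh dnscrypt-logcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    log=$(logread)
    check_dnsmasq_upstreams "$log"
    check_proxy_running "$log" || echo "FAIL: no 'Proxying from' line; is dnscrypt-proxy running?"
fi
```

The block is keyed on the dnsmasq PID rather than on line position, so a log that still contains the pre-restart nameserver lines (as the first two lines of the sample do) is judged by the running instance only.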

Suspicious certificate received

A “suspicious” certificate can be reported:

root@OpenWrtRouter:/tmp# ./dnscrypt-proxy -R -a
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found

Check the date and time on your router: this kind of behavior is usually caused by a system clock that hasn’t been set properly.

Free and Public DNS Servers

Your ISP automatically assigns DNS servers when your router or computer connects to the Internet via DHCP… but you don’t have to use those.

Below are free DNS servers you can use instead of the assigned ones; the best and most reliable of them, from the likes of Google and OpenDNS, are in the table below:

See How Do I Change DNS Servers? for help. More help is below the table.

Free & Public DNS Servers (Valid February 2016)

Provider Primary DNS Server Secondary DNS Server
Comodo Secure DNS
OpenDNS Home [5]
DNS Advantage
Norton ConnectSafe [6]
Alternate DNS [11]
Hurricane Electric [14]

Note: Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers are sometimes called alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” to provide another layer of redundancy.

Why Use Different DNS Servers?

One reason you might want to change from the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now.

An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for a better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Yet another, increasingly common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.

The Small Print

Don’t worry, this is good small print!

Many of the DNS providers listed above have varying levels of services (OpenDNS, Norton ConnectSafe, etc.), IPv6 DNS servers (Google, DNS.WATCH, etc.), and location specific servers you might prefer (OpenNIC).

While you don’t need to know anything beyond what I included in the table above, this bonus information might be helpful for some of you, depending on your needs:

[1] The free DNS servers listed above as Level3 will automatically route to the nearest DNS server operated by Level3 Communications, the company that provides most of the ISPs in the US their access to the Internet backbone.

[2] Verisign says this about their free DNS servers: “We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads.” Verisign offers IPv6 public DNS servers as well: 2620:74:1b::1:1 and 2620:74:1c::2:2.

[3] Google also offers IPv6 public DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844.

[4] DNS.WATCH also has IPv6 DNS servers at 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b. In an uncommon but much appreciated move, DNS.WATCH publishes live statistics for both of their free DNS servers. Both servers are located in Germany which could impact performance if used from the US or other remote locations.

[5] OpenDNS also offers DNS servers that block adult content, called OpenDNS FamilyShield. Those DNS servers are and A premium DNS offering is also available, called OpenDNS Home VIP.

[6] The Norton ConnectSafe free DNS servers listed above block sites hosting malware, phishing schemes, and scams, and is called Policy 1. Use Policy 2 ( and to block those sites plus those with pornographic content. Use Policy 3 ( and to block all previously mentioned site categories plus those Norton deems “non-family friendly.” Be sure to check out the list of things blocked in Policy 3 – there are several controversial topics in there that you may find perfectly acceptable.

[7] GreenTeamDNS “blocks tens of thousands of dangerous websites which include malware, botnets, adult related content, aggressive/ violent sites as well as advertisements and drug-related websites ” according to their FAQ page. Premium accounts have more control.

[8] Register here with SafeDNS for content filtering options in several areas.

[9] The DNS servers listed here for OpenNIC are just two of many in the US and across the globe. Instead of using the OpenNIC DNS servers listed above, see their complete list of public DNS servers here and use two that are close to you or, better yet, let them tell you that automatically here. OpenNIC also offers some IPv6 public DNS servers.

[10] FreeDNS says that they “never log DNS queries.” Their free DNS servers are located in Austria.

[11] Alternate DNS says that their DNS servers “block unwanted ads” and that they engage in “no query logging.”

[12] Yandex’s Basic free DNS servers, listed above, are also available in IPv6 at 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff. Two more free tiers of DNS are available as well. The first is Safe, at and, or 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad, which blocks “infected sites, fraudulent sites, and bots.” The second is Family, at and, or 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11, which blocks everything that Safe does, plus “adult sites and adult advertising.”

[13] The DNS servers are uncensored, operated by a privately funded individual, and are physically located in Denmark. You can read more about them here. IPv6 DNS servers are also available at 2002:d596:2a92:1:71:53:: and 2001:67c:28a4::.

[14] Hurricane Electric also has an IPv6 public DNS server available: 2001:470:20::2.

[15] puntCAT is physically located near Barcelona, Spain. The IPv6 version of their free DNS server is 2a00:1508:0:4::9.

Best Free Public DNS Servers


Looking to switch from your ISP DNS to another provider? I was surprised to find out that using a free public DNS server from a reputable company was far better than using my local ISP DNS, especially when travelling in foreign countries.

I was recently in India and was getting very frustrated with the constant Webpage cannot load errors followed by the website loading 5 seconds later. I kept seeing the DNS lookup failed message, so I figured let me try another DNS provider and that made an absolute world of difference.

There are a bunch of public DNS servers you can use, but I won’t bother mentioning them all as the top 5 to 10 will cover the needs for pretty much everyone. Some DNS servers provide additional benefits like filtering out phishing scams, blocking porn sites, etc. and I’ll be sure to mention the features for each service.

Also, be sure to read my post on finding the fastest public DNS server from your location using free utilities. Once you have chosen a DNS service, read my post on how to change your DNS servers in Windows.

1. Google Public DNS


Google being Google, they have massive scale, load-balancing, redundancy and DNS servers distributed all over the world. They also support the latest technologies and security mechanisms like IPv6 DNS servers and DNSSEC. Their DNS servers are also well protected against DoS attacks and cache poisoning attacks.

It’s worth noting that Google Public DNS does not perform any blocking or filtering on the DNS requests, as some of the other services do. They state that only under extraordinary circumstances would they block anything. For me, this is a good option because I use other tools to filter out malware sites, etc and don’t necessarily want my DNS service to be involved.

The main benefit for using Google is their global data center and the fact that they have DNS servers located around the world. Some other services only have DNS servers located in one part of the world, so the performance will suffer considerably.

The main downside to using Google is that they are all about tracking and logging everything anyone does on the Internet and this is no exception. If you are leery of Google having too much information, I would suggest using a different DNS server.

Google Public DNS IPv4 Addresses:


Google Public DNS IPv6 Addresses:

  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

2. Level 3 DNS


Level 3 is the company that provides a lot of ISPs their connection to the Internet backbone, so they are huge, reliable and secure. There is no filtering with Level 3, just like Google DNS, so it’s mostly used for performance and reliability.

Depending on your location in the world, any of the public DNS servers I mention here could be the fastest, so that’s why it’s necessary to read the link above on finding the fastest DNS server for your connection.

Level 3 Public DNS Server Addresses:


3. OpenDNS


OpenDNS has been around for a very long time and they are a reputable company. OpenDNS provides several services including Enhanced DNS and Parental Controls, both of which are free.

OpenDNS is also the first public DNS that I have mentioned that does automatic blocking and filtering against phishing attacks and identity theft. This is a great option if you have kids and want to prevent them from landing on malware-infested sites or if you have older family members who sometimes click on spam links in emails.

They also have a VIP service for $20 a month that gives you a bunch of Internet usage statistics for all the devices on your network.

OpenDNS IP Addresses:


4. Norton ConnectSafe DNS


Norton ConnectSafe is the public DNS service provided by Norton. Like OpenDNS, Norton also has automatic filtering and blocking based on their database of sites. Using the free DNS speed tools I mentioned, it’s also one of the fastest public DNS servers.

Norton DNS has a couple of different DNS servers, depending on the type of protection you want. They have three options:

A – Protection against malware, phishing sites and scam sites

B – A + Pornography

C – A + Pornography + Other

Other will basically block sites related to mature content, gambling, hate, suicide, tobacco, drugs, alcohol, etc. Obviously, that could block a lot of sites, so use that option as you see fit.

Norton DNS IP Addresses:

Option A:


Option B:


Option C:

  • 199.85.126.30

5. OpenNIC DNS


Lastly, another one I like to use is OpenNIC. They have servers all over the world run by their own members and exist to provide a democratic, non-national network that protects your privacy. The link above will show you a list of all of their Tier 2 DNS servers around the world, but you can go to the homepage and it will tell you the closest servers to your IP automatically at the top right.

When looking at the list of servers, you can choose one that fits your privacy needs. A lot of them keep no logs, have logs completely disabled or keep anonymous logs.

So those are my top recommendations for public DNS servers that are reliable, fast, and provide extra security and filtering for those that need it. Even though most people use their ISP for DNS, it’s really much better to use a third-party. If you have any questions, let us know in the comments. Enjoy!


