Using DNSCrypt with CleanBrowsing

Encrypt and Authenticate Your DNS Traffic with DNSCrypt

DNSCrypt encrypts and authenticates DNS traffic between your device and CleanBrowsing's servers. This guide covers installation and configuration of dnscrypt-proxy with CleanBrowsing stamps for all available filters.


Step 1: What is DNSCrypt?

DNSCrypt is a protocol that encrypts and authenticates DNS traffic between a client and a DNS resolver. Unlike standard DNS (which sends queries in plaintext over UDP port 53), DNSCrypt wraps each query in an encrypted envelope, preventing eavesdropping, tampering, and man-in-the-middle attacks.

DNSCrypt differs from DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) in several important ways:

  • Authentication: DNSCrypt cryptographically verifies that responses come from the chosen resolver, not an impersonator.
  • Lightweight: It does not rely on the TLS/HTTPS stack, making it faster to establish connections.
  • Dedicated port: CleanBrowsing operates DNSCrypt on port 8443, separate from standard DNS traffic.

The most widely used DNSCrypt client is dnscrypt-proxy, an open-source tool available for Windows, macOS, Linux, and BSD. CleanBrowsing supports DNSCrypt across all its filters: Family, Adult, and Security.

Step 2: Install dnscrypt-proxy

The dnscrypt-proxy application is the standard client for connecting to DNSCrypt resolvers. Install it on your preferred platform:


Linux (Debian/Ubuntu)

sudo apt update
sudo apt install dnscrypt-proxy

Linux (Manual Installation)

Download a release from the dnscrypt-proxy GitHub releases page. The commands below use version 2.1.5; substitute the current release number:

wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.5/dnscrypt-proxy-linux_x86_64-2.1.5.tar.gz
tar xzf dnscrypt-proxy-linux_x86_64-2.1.5.tar.gz
cd linux-x86_64
sudo cp dnscrypt-proxy /usr/local/bin/
# The configuration directory does not exist on a fresh manual install
sudo mkdir -p /etc/dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml

macOS (Homebrew)

brew install dnscrypt-proxy

Windows

For Windows, download Simple DNSCrypt from simplednscrypt.org. It provides a graphical interface for managing dnscrypt-proxy and makes configuration straightforward. Alternatively, download the Windows binary from the GitHub releases page and run it as a service.

Step 3: CleanBrowsing DNSCrypt Stamps

DNSCrypt uses stamps to encode all the information needed to connect to a resolver: the IP address, port, provider name, and public key. CleanBrowsing provides stamps for each filter level.


Family Filter

Blocks adult content, malware, phishing, and enforces Safe Search.

Protocol  Address
IPv4      185.228.168.168:8443
IPv6      [2a0d:2a00:1::]:8443

IPv4 Stamp:

sdns://AQMAAAAAAAAAFDE4NS4yMjguMTY4LjE2ODo4NDQzILysMvrVQ2kXHwJh1C0SRDAqBwYaC0TQDEhp-DcY-0fYHjIuZG5zY3J5cHQtY2VydC5jbGVhbmJyb3dzaW5n


IPv6 Stamp:

sdns://AQMAAAAAAAAAFFsyYTBkOjJhMDA6MTo6XTo4NDQzILysMvrVQ2kXHwgy1gdQJ8MgjO7w6OmflBjcd2Bl1I8pEWNsZWFuYnJvd3Npbmcub3Jn

Adult Filter

Blocks adult content and malware but does not enforce Safe Search or block mixed-content sites.

Protocol  Address
IPv4      185.228.168.10:8443
IPv6      [2a0d:2a00:1::1]:8443

IPv4 Stamp:

sdns://AQMAAAAAAAAAEzE4NS4yMjguMTY4LjEwOjg0NDMgvKwy-tVDaRcfCDLWB1AnwyCM7vDo6Z-UGNx3YGXUjykRY2xlYW5icm93c2luZy5vcmc


IPv6 Stamp:

sdns://AQMAAAAAAAAAFVsyYTBkOjJhMDA6MTo6MV06ODQ0MyC8rDL61UNpFx8IMtYHUCfDIIzu8Ojpn5QY3HdgZdSPKRFjbGVhbmJyb3dzaW5nLm9yZw

Security Filter

Blocks only malware and phishing domains. No content filtering.

Protocol  Address
IPv4      185.228.168.9:8443
IPv6      [2a0d:2a00:1::2]:8443

Step 4: Configure dnscrypt-proxy

Edit the dnscrypt-proxy configuration file to use CleanBrowsing as your resolver. The configuration file is typically located at:

  • Linux: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
  • macOS (Homebrew): /usr/local/etc/dnscrypt-proxy.toml
  • Windows: C:\Program Files\dnscrypt-proxy\dnscrypt-proxy.toml

Option A: Using the Stamp Directly

Open the configuration file and add CleanBrowsing as a static entry. This example uses the Family Filter:

# At the top of dnscrypt-proxy.toml
server_names = ['cleanbrowsing-family']

# At the bottom, add a static server entry
[static]
  [static.'cleanbrowsing-family']
  stamp = 'sdns://AQMAAAAAAAAAFDE4NS4yMjguMTY4LjE2ODo4NDQzILysMvrVQ2kXHwJh1C0SRDAqBwYaC0TQDEhp-DcY-0fYHjIuZG5zY3J5cHQtY2VydC5jbGVhbmJyb3dzaW5n'

Option B: Using the Public Server List

CleanBrowsing is included in the default dnscrypt-proxy public server list. You can simply set the server name:

server_names = ['cleanbrowsing-family']


Make sure the following sources are enabled in your configuration:

[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
          'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

Additional Recommended Settings

listen_addresses = ['127.0.0.1:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = false
require_dnssec = false
require_nolog = false
require_nofilter = false

Step 5: Start the Service

After configuring dnscrypt-proxy, start it and ensure it runs at boot.


Linux (systemd)

sudo systemctl enable dnscrypt-proxy
sudo systemctl start dnscrypt-proxy
sudo systemctl status dnscrypt-proxy

macOS

sudo brew services start dnscrypt-proxy

Windows

If using Simple DNSCrypt, the service is managed through the GUI. For the standalone binary, install and start the service:

dnscrypt-proxy.exe -service install
dnscrypt-proxy.exe -service start

Point Your System DNS to localhost

After starting dnscrypt-proxy, configure your system to use 127.0.0.1 as the DNS server. This directs all DNS queries through the local dnscrypt-proxy, which forwards them encrypted to CleanBrowsing.

On Linux, update /etc/resolv.conf:

nameserver 127.0.0.1


On macOS and Windows, set the DNS server to 127.0.0.1 in your network adapter settings.

Step 6: Verify Your Configuration

Confirm that DNS queries are being encrypted and filtered through CleanBrowsing.


Test DNS Resolution

dig cleanbrowsing.org @127.0.0.1


You should receive a valid response. On Windows, use nslookup instead:

nslookup cleanbrowsing.org 127.0.0.1

Check dnscrypt-proxy Logs

View the dnscrypt-proxy log to confirm the connection to CleanBrowsing:

sudo journalctl -u dnscrypt-proxy --no-pager -n 50


Look for a line similar to:

[NOTICE] Server with the lowest initial latency: cleanbrowsing-family

Confirm Filtering is Active

Visit cleanbrowsing.org/checkfiltering in your browser to verify that CleanBrowsing filtering is active on your connection.


Troubleshooting

  • Port conflict: If port 53 is already in use (common with systemd-resolved on Linux), disable it: sudo systemctl disable --now systemd-resolved
  • Firewall: Ensure outbound traffic on port 8443 is not blocked by your firewall.
  • Stamp validation: Use the DNSCrypt stamp calculator to verify stamp contents.
  • Fallback: If dnscrypt-proxy cannot reach the server, check your internet connection and verify the stamp is current.
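
The stamp layout described in Step 3 and the stamp check suggested under Troubleshooting, as an added example (not CleanBrowsing's or the dnscrypt-proxy project's code): a Python decoder for DNSCrypt stamps, run over the two Family stamps copied from this page. The names decode_dnscrypt_stamp, StampError, FAMILY_V4 and FAMILY_V6 are this example's own.

```python
import base64
import struct

# Property bits from the DNS stamp format: DNSSEC, no logging, no filtering.
PROPS = {1: "dnssec", 2: "nolog", 4: "nofilter"}

# Stamps copied verbatim from this page (Family filter, IPv4 and IPv6).
FAMILY_V4 = "sdns://AQMAAAAAAAAAFDE4NS4yMjguMTY4LjE2ODo4NDQzILysMvrVQ2kXHwJh1C0SRDAqBwYaC0TQDEhp-DcY-0fYHjIuZG5zY3J5cHQtY2VydC5jbGVhbmJyb3dzaW5n"
FAMILY_V6 = "sdns://AQMAAAAAAAAAFFsyYTBkOjJhMDA6MTo6XTo4NDQzILysMvrVQ2kXHwgy1gdQJ8MgjO7w6OmflBjcd2Bl1I8pEWNsZWFuYnJvd3Npbmcub3Jn"

class StampError(ValueError):
    """Raised when a stamp is not a well-formed DNSCrypt stamp."""

def _field(buf, pos):
    """Read one length-prefixed field, refusing lengths that overrun the buffer."""
    if pos >= len(buf):
        raise StampError("stamp ends before all fields are present")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise StampError(f"field at byte {pos} declares {buf[pos]} bytes, "
                         f"{len(buf) - pos - 1} remain")
    return buf[pos + 1:end], end

def decode_dnscrypt_stamp(stamp):
    """Return address, public key, provider name and properties of a stamp."""
    if not stamp.startswith("sdns://"):
        raise StampError("missing sdns:// prefix")
    body = stamp[len("sdns://"):]
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise StampError("payload is not base64url") from exc
    if len(raw) < 9 or raw[0] != 0x01:
        raise StampError("not a DNSCrypt stamp (protocol byte 0x01)")
    (props,) = struct.unpack_from("<Q", raw, 1)  # 8-byte little-endian flags
    addr, pos = _field(raw, 9)
    key, pos = _field(raw, pos)
    name, pos = _field(raw, pos)
    if pos != len(raw) or len(key) != 32:
        raise StampError("trailing bytes or public key is not 32 bytes")
    return {"address": addr.decode("ascii"), "public_key": key.hex(),
            "provider_name": name.decode("ascii"),
            "props": [n for bit, n in PROPS.items() if props & bit]}

if __name__ == "__main__":
    for label, s in (("family-ipv4", FAMILY_V4), ("family-ipv6", FAMILY_V6)):
        try:
            print(label, decode_dnscrypt_stamp(s))
        except StampError as err:
            print(label, "REJECTED:", err)
```

As printed on this page, the Family IPv6 stamp decodes to [2a0d:2a00:1::]:8443 with provider name cleanbrowsing.org, while the Family IPv4 stamp is rejected because its provider-name field declares 30 bytes and only 29 remain. Re-copy that stamp from the provider before pasting it into the Option A configuration.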

CleanBrowsing supports DNSCrypt, DoH, and DoT for encrypted DNS filtering on every platform.
