Setup An init script and configuration file have been provided to run dnscrypt-wrapper as a daemon. To configure dnscrypt-wrapper, edit /etc/default/dnscrypt-wrapper with the desired settings. By default dnscrypt-wrapper will run on 0.0.0.0 (all interfaces), port 53, forwarding DNS queries to 8.8.8.8:53 (Google's DNS server). The configuration file is setup to use a dnscrypt user by default, and to chroot into that user's home directory to maximize security. In order to use the default configuration you should create a dnscrypt user and group with the following commands: groupadd -g 293 dnscrypt useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt If you decide to use another user you should edit the CHROOTDIR and USER options in /etc/default/dnscrypt-wrapper (there are example settings provided for the user 'nobody'). dnscrypt-wrapper requires both provider and cryptographic public and secret keys, and a provider certificate. These can all be generated manually (see /usr/doc/dnscrypt-wrapper-@VERSION@/README.md ), or they can be generated automatically by configuring /etc/default/dnscrypt-wrapper and running /etc/rc.d/rc.dnscrypt-wrapper generate-keys /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys /etc/rc.d/rc.dnscrypt-wrapper generate-cert You will need to note the provider key fingerprint(s) and/or stamp(s) when running that command, since clients will need them for identification/verification. Automatically generated keys have a 24-hour expiry period by default. Unless you change this to something longer in /etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation mechanism to automatically update the encryption key and certificate. This can be done by running /etc/rc.d/rc.dnscrypt-wrapper rotate-keys This command backs up the old key/cert, creates a new key/cert, and restarts a running server to support both old and new key/cert. Since clients typically fetch new certificates hourly, support for the old key/cert should be removed an hour after the keys are rotated by restarting the server: /etc/rc.d/rc.dnscrypt-wrapper restart Typically one cron job, run daily, would rotate the keys, and another, run an hour later, would restart the server. In order for clients to forward queries through dnscrypt-wrapper, they will need to run dnscrypt-proxy configured to connect to the server running dnscrypt-wrapper. To start dnscrypt-wrapper automatically at system start, add the following to /etc/rc.d/rc.local: if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then /etc/rc.d/rc.dnscrypt-wrapper start fi To properly stop dnscrypt-wrapper on system shutdown, add the following to /etc/rc.d/rc.local_shutdown: if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then /etc/rc.d/rc.dnscrypt-wrapper stop fi