A pfSense package providing a full GUI for DNSCrypt Proxy, an encrypted DNS client supporting DNSCrypt v2 and DNS-over-HTTPS (DoH) protocols.
Note: This is a community-maintained package and is not affiliated with or supported by Netgate.
Run this command in the pfSense shell (via SSH or Console):
pkg-static add https://github.com/nopoz/pfsense-dnscrypt-proxy/releases/latest/download/pfSense-pkg-dnscrypt-proxy.pkgpkg-static -C /dev/null add https://github.com/nopoz/pfsense-dnscrypt-proxy/releases/latest/download/pfSense-pkg-dnscrypt-proxy.pkgReplace latest/download/pfSense-pkg-dnscrypt-proxy.pkg with download/vX.X.X/pfSense-pkg-dnscrypt-proxy-X.X.X.pkg:
pkg-static add https://github.com/nopoz/pfsense-dnscrypt-proxy/releases/download/v1.0.0/pfSense-pkg-dnscrypt-proxy-1.0.0.pkgSee all available versions on the Releases page.
After installation, navigate to Services > DNSCrypt Proxy in the pfSense web interface.
pkg delete pfSense-pkg-dnscrypt-proxyIf normal uninstall doesn't fully clean up, or you need a fresh start:
# From your local machine (requires SSH access to pfSense)
./uninstall.sh pfsense.localThis removes all package files, runtime artifacts, and pfSense registrations while preserving your settings in config.xml.
- Full GUI Configuration - 7 configuration tabs accessible from the pfSense web interface
- Multiple Protocols - Supports DNSCrypt v2, DNS-over-HTTPS (DoH), and Anonymized DNS
- Popular Providers - Pre-configured servers from Cloudflare, Quad9, Google, AdGuard, NextDNS, Mullvad, OpenDNS, CleanBrowsing, and more
- Custom Resolvers - Add custom servers via DNS stamps
- Domain Filtering - Block and allow lists, forwarding rules, and cloaking
- Query Logging - Built-in query log viewer with filtering
- Multi-Architecture - Supports both amd64 and arm64 (auto-detected)
- Service Integration - Managed via Status > Services like native pfSense services
Click to expand screenshots
- Install the package using the command above
- Navigate to Services > DNSCrypt Proxy
- Check Enable DNSCrypt Proxy
- Select your preferred DNS servers from the Server Selection tab
- Click Save
Forward Unbound queries through DNSCrypt Proxy:
- Go to Services > DNS Resolver > General Settings
- Add the following to Custom options:
server:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5300
- Click Save and Apply Changes
To use DNSCrypt Proxy directly via System > General Setup:
- Disable DNS Resolver: Go to Services > DNS Resolver, uncheck Enable, and click Save
- Configure DNSCrypt Proxy to listen on port 53
- Go to System > General Setup > DNS Server Settings and set DNS Server to
127.0.0.1
Note: The pfSense DNS Server Settings only accepts IP addresses and assumes port 53.
Requirements: FreeBSD with pkg tools, or a pfSense instance for remote builds.
# Clone the repository
git clone https://github.com/nopoz/pfsense-dnscrypt-proxy.git
cd pfsense-dnscrypt-proxy
# Build the package (requires FreeBSD)
./build.sh build
# Or build and deploy directly to pfSense via SSH
./build.sh deploy pfsense.local
# Clean build artifacts
./build.sh clean| Script | Purpose |
|---|---|
build.sh build |
Build .pkg file (requires FreeBSD) |
build.sh deploy [host] |
Build on pfSense via SSH and install |
build.sh clean |
Remove local build artifacts |
uninstall.sh [host] |
Completely remove package from pfSense |
| Variable | Default | Description |
|---|---|---|
DEPLOY_HOST |
pf |
SSH hostname for pfSense |
PORTVERSION |
1.0.0 |
Package version to build |
This package is also submitted to the official pfSense FreeBSD-ports repository:
- DNSCrypt Proxy - The upstream project
- pfSense Redmine #9315 - Original feature request
ISC License - See LICENSE for details.