HostuxDNS

HostuxDNS with dnscrypt-proxy

Overview

dnscrypt-proxy is a local DNS forwarder that can encrypt queries before they leave your machine or network. It is useful on Linux, macOS, Raspberry Pi, or behind tools such as Pi-hole when you want encrypted upstream DNS without depending on browser settings.

HostuxDNS exposes encrypted resolvers compatible with dnscrypt-proxy via DNS stamps. The examples below use DoQ and declare the servers statically, so the setup works even if the public resolver list does not include HostuxDNS.

Declare HostuxDNS static servers

Open dnscrypt-proxy.toml and add the following block in the [static] section:

[static.'hostuxdns-front1-v4']
stamp = 'sdns://BAcAAAAAAAAAEjQ2LjIyNi4xMDguMTczOjg1MwAOZG5zLmhvc3R1eC5uZXQ'

[static.'hostuxdns-front1-v6']
stamp = 'sdns://BAcAAAAAAAAAKVsyMDAxOjRiOTg6ZGMyOjQxOjIxNjozZWZmOmZlMTY6MTA4MF06ODUzAA5kbnMuaG9zdHV4Lm5ldA'

[static.'hostuxdns-front2-v4']
stamp = 'sdns://BAcAAAAAAAAAETQ2LjIyNi4xMDkuODI6ODUzAA5kbnMuaG9zdHV4Lm5ldA'

[static.'hostuxdns-front2-v6']
stamp = 'sdns://BAcAAAAAAAAAKVsyMDAxOjRiOTg6ZGMyOjQxOjIxNjozZWZmOmZlY2U6M2U1NV06ODUzAA5kbnMuaG9zdHV4Lm5ldA'

These four entries cover both HostuxDNS frontends over IPv4 and IPv6.
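Before pasting a stamp into the configuration, it is worth decoding it to confirm which protocol, address and hostname it pins. The decoder below is an added example, not part of the HostuxDNS or dnscrypt-proxy documentation; it follows the public DNS stamps layout for DoH, DoT and DoQ stamps, and its function names are illustrative.

```python
import base64
import struct

# Protocol identifiers and property bits from the DNS stamps specification.
PROTOCOLS = {0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}
PROPS = {0x01: "dnssec", 0x02: "nolog", 0x04: "nofilter"}
FRONT1_V4 = "sdns://BAcAAAAAAAAAEjQ2LjIyNi4xMDguMTczOjg1MwAOZG5zLmhvc3R1eC5uZXQ"  # from this page


def _lp(buf, pos, mask=0xFF):
    """Read one length-prefixed field; return (data, next_pos, raw_length_byte)."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    raw = buf[pos]
    end = pos + 1 + (raw & mask)
    if end > len(buf):
        raise ValueError("field runs past end of stamp")
    return buf[pos + 1:end], end, raw


def _vlp(buf, pos):
    """Read a set of fields; bit 0x80 of a length byte means another item follows."""
    items = []
    while True:
        data, pos, raw = _lp(buf, pos, mask=0x7F)
        if data:
            items.append(data.hex())
        if not raw & 0x80:
            return items, pos


def decode_stamp(stamp):
    """Decode a DoH/DoT/DoQ stamp into the fields it pins."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(buf) < 9 or buf[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    bits = struct.unpack_from("<Q", buf, 1)[0]  # 8-byte little-endian property flags
    addr, pos, _ = _lp(buf, 9)
    hashes, pos = _vlp(buf, pos)
    host, pos, _ = _lp(buf, pos)
    out = {"protocol": PROTOCOLS[buf[0]],
           "props": sorted(n for b, n in PROPS.items() if bits & b),
           "addr": addr.decode(), "cert_hashes": hashes, "hostname": host.decode()}
    if buf[0] == 0x02:  # only DoH stamps carry a URL path
        out["path"] = _lp(buf, pos)[0].decode()
    return out
```

Calling decode_stamp(FRONT1_V4) shows a DoQ stamp for 46.226.108.173:853 with hostname dns.hostux.net, all three property flags set, and no pinned certificate hashes, so server authentication relies on normal TLS validation of that hostname.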

Enable the servers in the main configuration

In the main section of the same file, set:

server_names = ['hostuxdns-front1-v4', 'hostuxdns-front1-v6', 'hostuxdns-front2-v4', 'hostuxdns-front2-v6']

If you use dnscrypt-proxy as a local upstream for another service, keep the default local listener or set one explicitly, for example:

listen_addresses = ['127.0.0.1:5053']

Tools such as Pi-hole can then forward queries to 127.0.0.1:5053.

Restart and verify

Restart the service after saving the file:

systemctl restart dnscrypt-proxy

Then test local resolution:

dig @127.0.0.1 -p 5053 example.com

You can also test the upstream directly with kdig, the lookup utility from Knot DNS:

kdig @dns.hostux.net example.com +quic

If the local query works, your applications can use dnscrypt-proxy as their local DNS resolver while HostuxDNS handles the encrypted upstream hop.

Notes

Resolver list
Static stamps are the most reliable option when you want to pin a specific upstream and avoid depending on the public source list.
Ad blocking
The /ads HostuxDNS filtering endpoint is a DoH path and is not exposed through the DoQ stamps shown here.
Official documentation
dnscrypt-proxy documentation