Help Setting Up DNSCrypt with PiHole



Firstly, apologies if what I am writing here is redundant as I did search and see other entries for DNSCrypt, but none really addressing the issue I am having. Apologies also if this is outside of the scope of this PiHole forum, but I am at my wits end trying to get this figured out.

Now, for the issue. I’ve followed the guide posted here several times (the latest of which was a complete OS re-install) to a T and have gotten absolutely nowhere.

I have previously gotten to the point where I at least had DNSCrypt running separately from PiHole (and was able to ping and resolve using command line), but it seems like presently it’s failing out with some kind of error, but I have no understanding on how to figure out what the error is or how to fix it.

When running “sudo systemctl status dnscrypt-proxy” I get:

● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Mon 2018-05-14 13:18:05 PDT; 24s ago
Process: 1248 ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy (code=exited, status=255)
Main PID: 1248 (code=exited, status=255)

May 14 13:18:05 Corpus_Colossus systemd[1]: dnscrypt-proxy.service: Failed with result ‘exit-code’.

The other thing, which I am finding separately odd, is that I moved to the FTLDNS branch of PiHole explicitly in hopes of finding the “Local DNS server on custom port” option in the admin interface, but it is still not there (and I did confirm that I was on latest FTL for both core and admin console). The only thing I can think of is this option isn’t available if the DNSCrypt service isn’t running, but otherwise its absence is baffling to me as I’ve seen screenshots where it exists.

To help save the sanity of anyone trying to help, I’m not super familiar with *nix standards and practices, but on this latest attempt I made sure to make duplicate original files and document all changes that I made before editing, so I at least have that going for me.

Also, because I am a novice, please don’t assume that I will know about ANY step or command that is not explicitly called out. I can follow instructions no problem, but I’m in the early stages where you don’t know what you don’t know, if that makes sense.

Thank you very much for your time/insight!


I’m not sure about DNSCrypt, but the local DNS option was modified so that all the custom DNS fields can now take on a port number (host#port).


Well that at least explains one part of the mystery, so thank you for that!

Edit: Is that only on the FTLDNS branch that it was setup to do that? Trying to figure out the pros and cons of staying where I am vs reverting back to the standard version.

Edit the sequel: Maybe I’m a bit of a simpleton, but it might be cool to have a little tooltip or something saying that? I was losing my mind trying to figure out why the option that I’d seen screenshots of didn’t exist at all.


Yes, most recent development is only available on the development branches in in the FTLDNS beta testing branch.



I think you’re running dnscrypt-proxy 2.0.12, right?

What’s the output of

dnscrypt-proxy -check


Yes, running 2.0.12

The check command returned the following:

[2018-05-14 23:44:35] [NOTICE] Source [] loaded
[2018-05-14 23:44:35] [NOTICE] Configuration successfully checked

Edit: Only semi-related, but I am trying to learn as much from this as I can along the way to getting what I actually want working. I had to add “./” before “dnscrypt-proxy -check” to get it to run. Is there a simple explanation for why? My understanding is that tells the system that the command is being run from the current working directory, but isn’t that obvious since I’m in that directory?

Thanks again for your time and input on this!


Did you try to start it with log_level = 0 in dnscrypt-proxy.toml for more information?


I did now that I know that’s a thing :grin:

[2018-05-16 12:14:23] [NOTICE] Source [] loaded
[2018-05-16 12:14:23] [NOTICE] dnscrypt-proxy 2.0.12
[2018-05-16 12:14:24] [FATAL] listen udp bind: address already in use


Now you have to find out what’s already running on port 5353

sudo netstat -tulpen | grep 5353

or change your dnscrypt-proxy.toml

listen_addresses = [‘’, ‘[::1]:7053’]

Replace 7053 with your favored port.


Lovely, I guess avahi-daemon uses port 5353…?

Since I am apparently capable of winning the fail lottery while getting struck by lightning and eaten by a shark, is there a way to modify your command to show what ports are taken by anything so that I can firmly remove that from the equation?


Replace the port in the command with any number. If there is no output, the port is free.

For example sudo netstat -tulpen | grep 7053

Then use this port in the listen_addresses of dnscrypt-proxy.toml.


Yeah, I figured that, but was hoping for something with maybe a wildcard that would list all used ports.

In any case, I changed to 5354 and dnscrypt is now at least starting, so thank you again for that as I would have never realized that port was in use (I’m actually going to add a line to run this command in the Wiki so newbies like myself will know if the port they intend to use is in use).

That said I’m still not able to resolve or ping anything.

Making progress though!

Edit: When I ping something now, the failure is slightly different as it says “Temporary failure in name resolution”.


You can just take off the pipe to see all used ports: sudo netstat -tulpen


Great, thank you!

I feel like I’m making progress and really learning a bunch of useful things and how they interact along the way, which is fantastic.

Still need to work out why I can’t resolve anything, but I’m at least getting somewhere.


The command

dig @ -p 5354 +short

should print an IP ( in my case).


That returned the IP


It’s different because you’re in another country, I think.

As it returns an IP, dnscrypt-proxy is listening and working. If you’re on FTLDNS you can now set it as DNS server in the Pi-hole web interface:



I’ve tried that and still no luck. Not sure if it helps, but the status indicators for both “DNS service not running” and “FTL” are both red on the PiHole admin console.

I’ve also tried the method of directly editing the 3 specific config files as specified in the wiki I linked, but that didn’t give any change in result. I did make sure to uncheck the custom field before modifying the config files, as well as reverting the changes on the config files before re-enabling the custom field.

The current state is the config files are not commented and the custom field is checked with entered.

I also saw a post somewhere about enabling the “Listen on all interfaces” option, but this also did not appear to have an impact, so I reverted to “Listen only on interface wlan0”.


The only other idea I had was to try pihole -r, which I did with no success.

When it ran through the process, the last few lines of output are:

[✗] DNS service is not running
[✓] Starting DNS service
[i] Time until retry: 111
[i] Time until retry: 106
[✗] DNS resolution is not available

I feel like this is so close to working, but just not quite. Very frustrating, but thank you again to anyone contributing trying to get this going.

Edit: On a related note, not having PiHole working has REALLY made me appreciate when it was. There are so many ads being rammed down my throat from every angle that the internet feels broken and bordering on unusable.


Ok, so I think I’ve made it maybe a half a step farther?

I commented out the line listen_addresses = [‘’, ‘[::1]:5354’] in the dnscrypt-proxy.toml file

The positive results are:

  • DNS requests work from within the RBP
  • Pinging works from the RBP
  • Ad-blocking via pIhole appears to be working from the RBP when I use Chromium

Negative results are:

  • No devices that point to pihole for DNS requests are resolving
  • FTL is shown as offline in the dashboard
  • None of the graphs function in the dashboard

All of that said I don’t know how to interpret this information, so I suspect the questions are 1) now that we know DNSCrypt is working, should that line be commented out if the FTL build of pihole is being used? 2) should the etc/dnsmasq.d/02-dnscrypt.conf be created with the server=IP#port listed if the FTL build of pihole is being used? 3) what else might be causing this setup to fail on the pihole side?

Apologies if this seems like flailing and/or stream of consciousness. I am doing whatever I can to either make further progress or learn something about the setup and/or what I am doing wrong in-between the helpful replies from folks here.

it’s only fair that if you are going to be nice enough to take the time to help that I put in at least the same effort on my end. Thanks again.