BadAss.Sx advises everyone to use DNSCrypt on their system (Mac & Windows). This little tool encrypts all the DNS queries you send to your resolver and replaces your ISP's DNS servers with the DNS servers from OpenDNS.
For Mac or Windows you can simply go here and download the version for your OS. If you are on Linux or a BSD, the instructions are below:
If you are on Linux
$ ldconfig # if you install libsodium from source
$ git clone --recursive git://github.com/Cofyc/dnscrypt-wrapper.git
$ make configure
$ ./configure
$ make install
If you are on freeBSD
$ pkg_add -r gmake autoconf
$ pkg_add -r libevent2
$ gmake LDFLAGS='-L/usr/local/lib/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include
If you are on OpenBSD
$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/
And finally if you want to install it on a Mac OSX version
$ brew install dnscrypt-wrapper # best recommended
And here are the instructions for using it:
You need to generate a provider keypair:
# stored in public.key/secret.key in current directory
$ ./dnscrypt-wrapper --gen-provider-keypair
After that, you need to generate a crypt keypair:
# stored in crypt_public.key/crypt_secret.key in current directory
$ ./dnscrypt-wrapper --gen-crypt-keypair
When that is done, you must generate a pre-signed certificate with the pre-generated key pairs:
# stored in dnscrypt.cert in current directory
$ ./dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file
And then it is time to run the program:
$ ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:443 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.yechengfu.com
If you store the generated pre-signed certificate (a binary string) in a TXT record for your provider name, for example 2.dnscrypt-cert.yourdomain.com, you can omit the --provider-cert-file option; the name server then serves the binary certificate data to clients for you.
Run the dnscrypt-proxy to test it:
# --provider-key is the public key fingerprint printed in the first step.
$ ./dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.yechengfu.com -r 127.0.0.1:443 --provider-key=<provider_public_key_fingerprint>
$ dig -p 55 google.com @127.0.0.1
Optionally you can add "-d/--daemonize" to let it run as a daemon.
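To make the certificate and the provider key more concrete, here is an added Python example that is not part of this post and not code from the dnscrypt-wrapper project. It models what the client side does with the two things described above: the pre-signed certificate that --gen-cert-file writes (or that the TXT record for the provider name carries), and the provider public key fingerprint passed as --provider-key. The byte layout follows the DNSCrypt v1 certificate format (magic, es-version, minor version, 64-byte Ed25519 signature, 32-byte resolver key, 8-byte client magic, serial, validity window, extensions); the function names, the constructed sample certificate and the use of the cryptography package for the signature check are this example's own assumptions.

```python
import struct
import time
from dataclasses import dataclass

# Layout of the binary certificate that `dnscrypt-wrapper --gen-cert-file`
# writes (dnscrypt.cert) and that the provider name's TXT record carries.
# All integers are big-endian; offsets are fixed up to the extensions field.
CERT_MAGIC = b"DNSC"
HEADER = struct.Struct(">4sHH64s32s8sIII")   # 124 bytes before extensions
SIGNED_OFFSET = 4 + 2 + 2 + 64               # the signature covers everything after itself
ES_VERSIONS = {1: "X25519-XSalsa20Poly1305", 2: "X25519-XChaCha20Poly1305"}


@dataclass
class DnscryptCert:
    es_version: int       # which cipher suite the crypt key is meant for
    minor_version: int
    signature: bytes      # Ed25519 signature made with secret.key (the provider key)
    resolver_pk: bytes    # crypt_public.key, the short-term key clients encrypt to
    client_magic: bytes   # prefix clients put on queries so the server picks this key
    serial: int
    ts_start: int         # validity window, seconds since the Unix epoch
    ts_end: int
    extensions: bytes
    signed_data: bytes    # resolver_pk | client_magic | serial | ts_start | ts_end | extensions


def parse_cert(blob):
    """Decode one certificate; raises ValueError for anything malformed."""
    if len(blob) < HEADER.size:
        raise ValueError("certificate too short")
    magic, es, minor, sig, rpk, cmagic, serial, start, end = HEADER.unpack_from(blob)
    if magic != CERT_MAGIC:
        raise ValueError("bad certificate magic")
    if es not in ES_VERSIONS:
        raise ValueError("unsupported es-version %d" % es)
    if start > end:
        raise ValueError("ts-start is after ts-end")
    return DnscryptCert(es, minor, sig, rpk, cmagic, serial, start, end,
                        blob[HEADER.size:], blob[SIGNED_OFFSET:])


def is_valid_at(cert, now=None):
    """True when 'now' (default: the current time) falls inside the validity window."""
    now = int(time.time()) if now is None else now
    return cert.ts_start <= now <= cert.ts_end


def parse_provider_fingerprint(text):
    """The value passed as --provider-key: the provider's 32-byte Ed25519 public
    key as 64 hex digits, conventionally grouped XXXX:XXXX:... (colons optional)."""
    raw = bytes.fromhex(text.replace(":", "").strip())
    if len(raw) != 32:
        raise ValueError("provider public key must be exactly 32 bytes")
    return raw


def verify_provider_signature(cert, provider_pk):
    """Check that the certificate was signed by the provider's secret key.
    Uses the 'cryptography' package (imported lazily so parsing works without it);
    raises cryptography.exceptions.InvalidSignature on a bad signature."""
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    Ed25519PublicKey.from_public_bytes(provider_pk).verify(cert.signature, cert.signed_data)
    return True


def pick_cert(blobs, now=None):
    """Given every TXT record returned for the provider name, drop the unparseable
    and expired ones and keep the certificate with the highest serial."""
    best = None
    for blob in blobs:
        try:
            cert = parse_cert(blob)
        except ValueError:
            continue
        if not is_valid_at(cert, now):
            continue
        if best is None or cert.serial > best.serial:
            best = cert
    return best


def make_sample_cert(serial, ts_start, ts_end, signature=b"\x00" * 64):
    """Constructed test certificate (not produced by dnscrypt-wrapper): a real one
    carries a genuine Ed25519 signature and a freshly generated crypt_public.key."""
    resolver_pk = bytes(range(32))
    client_magic = b"\x7f" * 8
    return HEADER.pack(CERT_MAGIC, 1, 0, signature, resolver_pk, client_magic,
                       serial, ts_start, ts_end)


if __name__ == "__main__":
    now = 1_500_000_000
    records = [make_sample_cert(3, now - 100, now + 100),
               make_sample_cert(9, now - 100, now - 10),   # already expired
               make_sample_cert(5, now - 100, now + 100)]
    chosen = pick_cert(records, now)
    print("chosen serial:", chosen.serial, ES_VERSIONS[chosen.es_version])
```

The order of checks mirrors what a careful client should do before sending a single encrypted query: parse, reject unknown cipher versions and expired windows, prefer the newest serial, and only then verify the provider signature against the fingerprint you were given out of band, because that signature is the only thing binding the short-term crypt key to the provider name.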