Dnsmasq vs. dnscrypt-proxy

I am trying to run a DNS server on my LAN. I set it up where:

• Dnsmasq is the "initial" server that clients see
• Dnsmasq resolves internal domains, and handles overrides (such as if I want to block an ad domain) via its dnsmasq.conf file
• Dnscrypt-proxy also runs on the same machine, and dnsmasq forwards "normal" queries to it
• Dnscrypt resolves domains using its normal methods

But, does it really make sense to run two DNS services? There seems to be a lot of overlap between what they do and I'm wondering if I'm just overdoing it for no reason.

Dnscrypt provides much better DNS security and privacy than others, so I want to use it for resolving regular domains. But dnsmasq is much easier to configure so I want to use it for caching and local domains.

Dnscrypt's docs claim that it has superior caching. Maybe they mean that its cache performance is higher, but I don't really care because the number of DNS queries I generate and their load on my server is pitiful anyway. From what I've seen in the configs the dnsmasq settings for caching are much more straightforward and powerful though.

Dnscrypt also doesn't provide as much control over resolving internal domains, and its query logging has worse usability.

posted 8 months ago

CC BY-SA 4.0

matthewsnyder‭

1086 reputation 79 53 175 73