DNSCrypt client proxy
The DNSCrypt client proxy relays DNS queries to a DNSCrypt-enabled
upstream resolver. The traffic between the client and the upstream
resolver is encrypted and authenticated, mitigating the risk of MITM
attacks, DNS poisoning attacks, and third-party snooping (assuming the
upstream is trustworthy).
Basic configuration
To enable the client proxy, set
services.dnscrypt-proxy.enable = true;
Enabling the client proxy does not alter the system nameserver; to
relay local queries, prepend 127.0.0.1 to
.
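A check for the step above, added here as an example that is not part of the original documentation: the stub resolver tries nameservers in order and moves to the next one on timeout, so any resolver listed after 127.0.0.1 receives plaintext queries whenever the proxy is unreachable. The function name `audit_resolv` and the sample addresses are constructed for illustration; the input is assumed to be a resolv.conf-format file.

```shell
#!/bin/sh
# audit_resolv FILE: check a resolv.conf-format file against the setup above.
# Returns 0 if 127.0.0.1 is the only nameserver,
#         1 if 127.0.0.1 is first but other resolvers follow (plaintext fallback),
#         2 if 127.0.0.1 is not the first nameserver or none is configured.
audit_resolv() {
    ar_first=""
    ar_extra=""
    # The "|| [ -n ... ]" part keeps a final line that lacks a trailing newline.
    while read -r ar_key ar_value ar_rest || [ -n "$ar_key" ]; do
        # Comment lines start with "#" or ";" and never match "nameserver".
        [ "$ar_key" = "nameserver" ] || continue
        if [ -z "$ar_first" ]; then
            ar_first=$ar_value
        elif [ "$ar_value" != "127.0.0.1" ]; then
            ar_extra="$ar_extra $ar_value"
        fi
    done < "$1"

    if [ "$ar_first" != "127.0.0.1" ]; then
        echo "FAIL: first nameserver is '${ar_first:-none}'; queries bypass the proxy"
        return 2
    fi
    if [ -n "$ar_extra" ]; then
        echo "WARN: plaintext fallback resolvers after 127.0.0.1:$ar_extra"
        return 1
    fi
    echo "OK: 127.0.0.1 is the only nameserver"
    return 0
}

# Constructed sample: proxy listed first, then a plaintext resolver (192.0.2.53
# is a documentation address) such as one left behind by DHCP.
sample=$(mktemp)
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$sample"
audit_resolv "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a live system, call it as `audit_resolv /etc/resolv.conf` after rebuilding the configuration.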
As a forwarder for another DNS client
To run the DNSCrypt proxy client as a forwarder for another
DNS client, change the default proxy listening port to a
non-standard value and point the other client to it:
services.dnscrypt-proxy.localPort = 43;
dnsmasq
{
  services.dnsmasq.enable = true;
  services.dnsmasq.servers = [ "127.0.0.1#43" ];
}
unbound
{
  services.unbound.enable = true;
  services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
}