I realize that one of the tags I included is “privacy” - and I want to preface this post with the fact that privacy is extremely hard to do on clearnet. It’s extremely hard to achieve when you hand processes and requests off to third parties. That’s the nature of DNS. You can encrypt your DNS requests, but the third party receiving your request has to decrypt it. You don’t know who they are. You hope they are trustworthy (see: Web-Of-Trust) but there is no absolute guarantee. With that said…

dnscrypt-autoinstall is a script which, for Debian- and RHEL-based distros (and others - I haven’t tried them), installs the software needed to build and install the dnscrypt-proxy ecosystem, grabs resolvers and configures the packages. What this does is force your local resolver to send DNS requests to localhost (127.0.0.1:53 & 127.0.0.2:53), where a proxy listens and makes an encrypted connection to the DNS servers specified during the dnscrypt-autoinstall process. The script also configures the services to start on boot - so once you’ve installed it, you can practically forget about it. The proxy connects to the resolvers on port 54, using a predefined encryption method, whereas standard DNS requests are passed over the clearnet in plaintext - making interception and manipulation (or just spying…) extremely simple. DNSCrypt works towards solving that problem.
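As an added check (not part of dnscrypt-autoinstall or of the original post), the shell function below audits a resolv.conf-style file and flags any nameserver that would bypass the local proxy and send plaintext DNS. It assumes the system resolver reads `/etc/resolv.conf` directly and that the proxy listens on the two loopback addresses given above; `check_resolv` and `PROXY_ADDRS` are names made up for this example.

```shell
#!/bin/sh
# Added example: verify that every configured nameserver is one of the
# local dnscrypt-proxy listeners, so no query leaves the host in plaintext.

# Listener addresses as stated in the post; adjust if your install differs.
PROXY_ADDRS="127.0.0.1 127.0.0.2"

# check_resolv FILE
# Prints one line per nameserver entry. Exit status:
#   0 = every nameserver is a proxy listener
#   1 = at least one nameserver bypasses the proxy
#   2 = file unreadable, or it contains no nameserver lines
# The body runs in a subshell, so its variables do not leak to the caller.
check_resolv() (
    file="$1"
    rc=0
    seen=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
    # "|| [ -n "$kw" ]" keeps a final line that has no trailing newline.
    while read -r kw addr rest || [ -n "$kw" ]; do
        # Skip comments, "search", "options" and blank lines.
        [ "$kw" = "nameserver" ] || continue
        seen=1
        case " $PROXY_ADDRS " in
            *" $addr "*) echo "ok    $addr" ;;
            *)           echo "LEAK  $addr"; rc=1 ;;
        esac
    done < "$file"
    [ "$seen" -eq 1 ] || { echo "no nameserver lines in $file" >&2; exit 2; }
    exit "$rc"
)

# Stand-alone use: sh check_resolv.sh /etc/resolv.conf
if [ "$#" -gt 0 ]; then
    check_resolv "$1"
fi
```

Running it from cron or after a DHCP lease renewal catches the common case where a network manager rewrites the file and silently points the host back at a plaintext resolver.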

There’s the caveat that the packages aren’t really checked for updates, since you’re pulling code down and compiling it - so if there are security updates or changes in resolvers, you need to be diligent about checking for these. (Compiling from source should mostly be avoided on package-based distros, I warn you now. I do this only because it was the easiest method I’ve found to install it - I would like to actually create packages for this for both Debian/Ubuntu & RHEL/CentOS but haven’t invested the time yet.)

You can find updated scripts here. I have a pull request in to the original repo to update the main dnscrypt url to grab packages from an HTTPS endpoint instead of HTTP - a minor nitpick, but there’s no need not to use https here.

If you have questions, feel free to email or reach me at https://chat.sfunk1x.com.