DNSCrypt + Dnsmasq setup with Waydroid

1 minute read


I’ll skip the usual shite about why you really should be using one of DNSCrypt, DoT or DoH nowadays. Okay, maybe not that last one if it can be avoided.

So, here’s my very quick guide / reference to getting DNSCrypt and dnsmasq working. This has been tested with waydroid, which is especially relevant because waydroid runs its own dnsmasq instance, which can sometimes fail to start when another instance is already running.

The guide


server_names = ['cloudflare']
listen_addresses = ['']

Edit server_names as you wish, or leave it commented and adjust the require_* configuration values as desired. If you use the same loopback address as dnsmasq will use, make sure to change the port to something non-standard.



Getting dnsmasq: failed to create listening socket for Address already in use errors in waydroid log? You probably forgot to enable bind-interfaces. It prevents dnsmasq from binding to the loopback interface, which would interfere with waydroid.

To optionally (though it’s strongly recommended) enable DNSSEC, uncomment the following two lines:


Remember to apk add dnsmasq-dnssec (or your system’s equivalent)!


options edns0

Many things will break if you try and specify a non standard (53) port in resolv.conf. So don’t. Dnsmasq should be configured to use port 53 by default. However, you can use a different localhost address as I’ve done here. Just remember to update dnsmasq.conf



This prevents NetworkManager from overwriting resolv.conf with the DNS server provided by DHCP, as it would usually. This will not automatically edit existing networks, so you may have to delete and re-add connections, or just update the DNS field to blank and checking Automatic DNS.