In this mode, the only dependency is OpenSSL (version 1.0.2 or later is required for hostname authentication to be supported). If OpenSSL is installed in a non-standard location on your system, use the --with-ssl option to configure below to specify where it is.
It may be necessary to install 1.0.2 from source on most Linux distros.
It is recommended to install OpenSSL using Homebrew, in which case use the following in the configure line in 1.3 below:
Download the getdns source
Build the code
If you want to see detailed debug information as messages are processed, add the --enable-debug-stub option to the configure line above.
Run the daemon
The command below runs the daemon listening on port 53 of the loopback address and sends queries to the NLnet Labs test DNS Privacy server (at 18.104.22.168 and 2a04:b900:0:100::38) over TLS.
It also sets an example idle timeout of 10s on the TLS connection with the '-e 10000' option. (Note: the NLnet Labs test server does not yet support EDNS0 TCP Keepalive, so in that case this timeout will always be used.)
IPv4 and IPv6
Exit the daemon at any time by hitting CTRL-C.
Strict vs Opportunistic
The above command runs the daemon without trying to authenticate the TLS connection (a form of Opportunistic Privacy).
If you have authentication information for the DNS Privacy server and want to use Strict Privacy, you can specify it when starting the daemon in the following ways:
Test the daemon
A quick test can be done by using dig on the loopback address
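The check below is an added example, not part of the getdns documentation. Beyond confirming that dig gets an answer, it verifies that the answer was served by the loopback listener (the SERVER line in dig's output), since a query that quietly goes to the DHCP-provided resolver instead would look "successful" but leave the daemon unused. It assumes the daemon listens on 127.0.0.1:53 as started above and that dig is installed; the query name and the sample dig outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the getdns docs): test the local daemon with dig and
# confirm the reply came from the loopback listener, not some other resolver.
# Assumptions: daemon on 127.0.0.1:53 (as started above), dig installed.

LISTEN_ADDR="127.0.0.1"
LISTEN_PORT="53"
TEST_NAME="getdnsapi.net"   # assumed test name; any public name will do

# Inspect dig's output. Returns 0 only if the status is NOERROR *and* the
# ";; SERVER:" line names the loopback daemon; 1 for a failed lookup, 2 if the
# answer came from a different server (i.e. the system still bypasses getdns).
check_dig_output() {
    out="$1"
    printf '%s\n' "$out" | grep -qF 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep -qF "SERVER: ${LISTEN_ADDR}#${LISTEN_PORT}" || return 2
    return 0
}

# Run the live query when dig is available (use a short timeout so a daemon
# that is not listening fails fast instead of hanging).
run_live_test() {
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; install dnsutils/bind-utils first" >&2
        return 3
    fi
    out=$(dig @"$LISTEN_ADDR" -p "$LISTEN_PORT" "$TEST_NAME" A +time=5 +tries=1)
    check_dig_output "$out"
}

# Constructed sample of dig output when the daemon answers (trimmed to the
# lines the check looks at).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; ANSWER SECTION:
getdnsapi.net.          450     IN      A       185.49.141.37
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample where the query leaked to another resolver (192.0.2.1 is
# a documentation address, used here as a stand-in for a DHCP resolver).
SAMPLE_LEAK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; SERVER: 192.0.2.1#53(192.0.2.1)'

# Offline self-checks, then the live test when invoked with --live.
check_dig_output "$SAMPLE_OK"   && echo "sample: answer from loopback daemon accepted"
check_dig_output "$SAMPLE_LEAK" || echo "sample: answer from another resolver rejected (rc=$?)"
[ "${1:-}" = "--live" ] && run_live_test && echo "live: daemon on ${LISTEN_ADDR}:${LISTEN_PORT} answered"
```

Run it with `--live` once the daemon is up; a return code of 2 means the lookup worked but the reply did not come from 127.0.0.1, which is the case to look for after changing the upstream resolvers in the next step.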
Modify your upstream resolvers
For getdns to re-send outgoing DNS queries over TLS, the recursive resolvers configured on your machine must be changed so that all local queries are sent over the loopback interface on which getdns is listening. How to do this depends on the operating system being run.
OS X
From the command line you can do the following to set the local DNS servers on your Wi-Fi interface, for example (the first line clears all servers, the second line adds localhost):
If you want to reset to, e.g., the DHCP-provided servers, just use the first line above to clear all the specified servers, which will cause the system to fall back to the default DHCP servers. Or use a command similar to the second line above to specify a different server.
Or via the GUI:
Other ways to run a privacy daemon are: