DNSCrypt objects and functions

addDNSCryptBind(address, provider, certificate, keyfile[, options])

Adds a DNSCrypt listen socket on address.

  • address (string) – The address and port to listen on
  • provider (string) – The provider name for this bind
  • certificate (string) – Path to the certificate file
  • keyfile (string) – Path to the key file of the certificate
  • options (table) – A table with key: value pairs with options (see below)

Options:
  • doTCP=true: bool - Also bind on TCP on address.
  • reusePort=false: bool - Set the SO_REUSEPORT socket option.
  • tcpFastOpenSize=0: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0
  • interface="": str - Sets the network interface to use
  • cpus={}: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.

generateDNSCryptProviderKeys(publicKey, privateKey)

Generate a new provider keypair and write it to publicKey and privateKey. The provider key is the long-term trust anchor of a DNSCrypt resolver: its public key is what clients pin, so it is generated once and kept, while the resolver certificates it signs are short-lived and rotated.

  • publicKey (string) – path to write the public key to
  • privateKey (string) – path to write the private key to

generateDNSCryptCertificate(privatekey, certificate, keyfile, serial, validFrom, validUntil)

Generate a new resolver private key and the related certificate, valid from the validFrom UNIX timestamp until the validUntil one, signed with the provider private key.

  • privatekey (string) – Path to the private key of the provider.
  • certificate (string) – Path where to write the certificate file.
  • keyfile (string) – Path where to write the private key for the certificate.
  • serial (int) – The certificate’s serial number.
  • validFrom (int) – Unix timestamp from when the certificate will be valid.
  • validUntil (int) – Unix timestamp until when the certificate will be valid.
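The three functions above form one procedure: create the provider keypair once, sign a short-lived resolver certificate with it, then bind a listener that serves that certificate. The following dnsdist.conf fragment is an added example and not text from the dnsdist documentation; the directory, port, lifetimes and the provider name 2.dnscrypt-cert.example.com are assumptions (the name must have the DNSCrypt v2 form 2.dnscrypt-cert.<domain>), and printDNSCryptProviderFingerprint() is the fingerprint function described further down on this page.

```lua
-- Added example (not dnsdist's own code). Paths, port, lifetimes and the
-- provider name are assumptions for illustration.
local dir          = "/etc/dnsdist/dnscrypt"
local providerPub  = dir .. "/provider.public"
local providerPriv = dir .. "/provider.private"
local resolverCert = dir .. "/resolver.cert"
local resolverKey  = dir .. "/resolver.key"

local function exists(path)
  local f = io.open(path, "r")
  if f then
    f:close()
    return true
  end
  return false
end

-- The provider keypair is the trust anchor clients pin (its fingerprint goes
-- into their configuration), so never regenerate it on a restart: doing so
-- silently breaks every client that trusts the old key.
if not exists(providerPriv) then
  generateDNSCryptProviderKeys(providerPub, providerPriv)
end
-- Print the value operators publish to clients.
printDNSCryptProviderFingerprint(providerPub)

-- A short-lived resolver certificate signed by the provider key. The serial is
-- the current time so that every regenerated certificate has a higher serial
-- than the previous one (clients prefer the highest valid serial). The start is
-- backdated a minute so clients with slightly skewed clocks accept it.
local now = os.time()
generateDNSCryptCertificate(providerPriv, resolverCert, resolverKey,
                            now, now - 60, now + 7 * 24 * 3600)

-- Serve the certificate on UDP and TCP; reusePort lets several listener
-- threads share the port, tcpFastOpenSize > 0 enables TCP Fast Open.
addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.example.com",
                resolverCert, resolverKey,
                { doTCP = true, reusePort = true, tcpFastOpenSize = 64 })
```

Because the resolver certificate is regenerated on every start, clients that cached the previous certificate cannot be served until they refetch certificates; for a zero-downtime replacement use the in-memory rotation on the DNSCryptContext object described below instead of restarting.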

printDNSCryptProviderFingerprint(keyfile)

Display the fingerprint of the provider public key stored in keyfile (the public key file written by generateDNSCryptProviderKeys()). This fingerprint is the value clients configure to authenticate the certificates signed by this provider.

  • keyfile (string) – Path to the provider public key file

showDNSCryptBinds()

Display the currently configured DNSCrypt binds, with the index of each one as used by getDNSCryptBind().

getDNSCryptBind(n) → DNSCryptContext

Return the DNSCryptContext object corresponding to the bind n. Binds are numbered from 0 in the order they were added, so the first addDNSCryptBind() call is getDNSCryptBind(0).


class DNSCryptCert

Represents a DNSCrypt certificate.

:getClientMagic() → string

Return this certificate’s client magic value.

:getEsVersion() → string

Return the cryptographic construction (ES version) used with this certificate.

:getMagic() → string

Return the certificate magic number.

:getProtocolMinorVersion() → string

Return this certificate’s minor version.

:getResolverPublicKey() → string

Return the public key corresponding to this certificate.

:getSerial() → int

Return the certificate serial number.

:getSignature() → string

Return this certificate’s signature.

:getTSEnd() → int

Return the date the certificate is valid until (inclusive), as a Unix timestamp.

:getTSStart() → int

Return the date the certificate is valid from, as a Unix timestamp.


class DNSCryptContext

Represents a DNSCrypt context, i.e. one DNSCrypt bind. Can be used to rotate certificates without restarting: after a rotation the previous certificate is kept as the old certificate so clients that still use it keep working.

:generateAndLoadInMemoryCertificate(keyfile, serial, begin, end)

Generate a new resolver key and the associated certificate in-memory, sign it with the provided provider key, and use the new certificate

  • keyfile (string) – Path to the provider private key used to sign the certificate
  • serial (int) – The serial number of the certificate
  • begin (int) – Unix timestamp from when the certificate is valid
  • end (int) – Unix timestamp until when the certificate is valid

:getCurrentCertificate() → DNSCryptCert

Return the current certificate.

:getOldCertificate() → DNSCryptCert

Return the previous certificate.

:getProviderName() → string

Return the provider name

:hasOldCertificate() → bool

Whether or not the context has a previous certificate, from a certificate rotation.

:loadNewCertificate(certificate, keyfile)

Load a new certificate and the corresponding private key, and use it

  • certificate (string) – Path to a certificate file
  • keyfile (string) – Path to the corresponding key file
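The DNSCryptCert accessors and the DNSCryptContext rotation methods above fit together into an unattended rotation: inspect the active certificate, and replace it in memory shortly before it expires. The following is an added example, not code from the dnsdist project; the provider key path, the lifetimes and the bind index 0 are assumptions, and it relies on dnsdist calling a Lua function named maintenance() about once per second when one is defined.

```lua
-- Added example (not dnsdist's own code). Path and lifetimes are assumptions.
local providerPriv = "/etc/dnsdist/dnscrypt/provider.private"
local certLifetime = 7 * 24 * 3600   -- each resolver certificate lives 7 days
local rotateBefore = 24 * 3600       -- renew when less than one day remains

local function describeCert(cert)
  return string.format("serial=%d es-version=%s valid %d..%d",
    cert:getSerial(), cert:getEsVersion(), cert:getTSStart(), cert:getTSEnd())
end

-- Console helper: show the active certificate and, after a rotation, the
-- previous one that dnsdist still accepts for clients that cached it.
function showDNSCryptCerts()
  local ctx = getDNSCryptBind(0)
  print("provider " .. ctx:getProviderName())
  print("current  " .. describeCert(ctx:getCurrentCertificate()))
  if ctx:hasOldCertificate() then
    print("previous " .. describeCert(ctx:getOldCertificate()))
  end
end

-- dnsdist invokes maintenance() roughly every second when it is defined.
function maintenance()
  local ctx = getDNSCryptBind(0)
  if ctx == nil then
    return   -- assumption: no DNSCrypt bind configured
  end
  local cert = ctx:getCurrentCertificate()
  local now = os.time()
  if cert:getTSEnd() - now > rotateBefore then
    return   -- still far from expiry, nothing to do
  end
  -- The serial must increase so clients prefer the newest certificate; the
  -- current time is monotonic across restarts and fits the 32-bit serial.
  local serial = math.max(now, cert:getSerial() + 1)
  -- New key and certificate generated in memory and signed with the provider
  -- key; backdated one minute to tolerate client clock skew. The certificate
  -- being replaced becomes the old certificate and stays accepted.
  ctx:generateAndLoadInMemoryCertificate(providerPriv, serial, now - 60, now + certLifetime)
  infolog("rotated DNSCrypt certificate: " .. describeCert(ctx:getCurrentCertificate()))
end
```

Once the new certificate is loaded its getTSEnd() is a week away, so the check in maintenance() returns immediately on the following calls; the rotation therefore happens once per lifetime, and the one-day margin leaves clients time to refetch certificates before the previous one stops being valid.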