The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, mitigating the risk of MITM attacks, DNS poisoning attacks, and third-party snooping (assuming the upstream is trustworthy). To enable the client proxy, set = true; Enabling the client proxy does not alter the system nameserver; to relay local queries, prepend 127.0.0.1 to networking.nameservers. To run the DNSCrypt proxy client as a forwarder for another DNS client, change the default proxy listening port to a non-standard value and point the other client to it: = 43; { = true; = [ "127.0.0.1#43" ]; } { = true; = [ "127.0.0.1@43" ]; }