This is a tutorial on how to get DNSCrypt running on your router. I hope to later make a web GUI integration to easily enable it, if no one else beats me to it first. Shibby builds have DNSCrypt with a GUI.

I've provided a binary you can load to either JFFS or to a flash drive. You can download these at http://lancethepants.com/files/

For JFFS, use the following code.

Administration -> Scripts -> Init
Code:
    /jffs/dnscrypt-proxy -a 127.0.0.1:40 -r 220.127.116.11:53 -d

Else, if you load the binary to a USB device:

USB and NAS -> USB Support -> Run after mounting
Code:
    /path/to/dnscrypt-proxy -a 127.0.0.1:40 -r 18.104.22.168:53 -d

Basic -> Network -> Static DNS. Place it in the first entry.
Code:
    127.0.0.1:40

Advanced -> DHCP/DNS -> Dnsmasq Custom configuration
Code:
    strict-order

edit: The author of DNSCrypt has now provided a tool (hostip) for resolving DNS before DNSCrypt can become active. This is useful for resolving NTP servers, and eliminates the chicken/egg scenario of DNSCrypt needing the time to work, and the time needing functional DNS to set itself. I've compiled and included 'hostip' for those wanting to use this new method. This then eliminates the need to place IP addresses for NTP servers.

You MUST choose to either use the 'hostip' method, or place IP addresses for your NTP servers, else DNSCrypt will not work.

I've scripted the following, and have placed it in JFFS, having also placed 'hostip' in JFFS.

/jffs/ntp_resolve.sh
Code:
    #!/bin/sh
    # Resolve each configured NTP server with hostip and pin the
    # results in the hosts file so the clock can be set.
    for server in $(nvram get ntp_server)
    do
        addresses=$(/jffs/hostip "$server")
        for address in $addresses
        do
            # One "address name" line per resolved address
            echo "$address $server" >> /tmp/etc/hosts
        done
    done

Then use the following code.

Administration -> Scripts -> Wan Up
Code:
    /jffs/ntp_resolve.sh

Use the 'hostip' method above, OR use the following method.

Basic -> Time -> NTP Time Server
You need to put in the IP addresses of some NTP servers; they can't be domain names.

Reboot and that should do it. Go to welcome.opendns.com to check if it's working.

Occasionally when going to welcome.opendns.com, I've noticed that it does not give me the check mark. I've checked with TCPDump that it is indeed working, and it should be for you if you have followed all the directions. If you are in doubt, run TCPDump on your router as I have. You should see that DNS requests appear to have an error (using Wireshark to evaluate the dump). This is because they are encrypted, and Wireshark cannot make anything of the encrypted queries.

NOTICE: QOS users
Unlike traditional DNS, DNSCrypt keeps one connection open for all DNS queries, instead of opening multiple smaller connections per query. If you are using Toastman QOS rules, this will result in your queries being sent to the crawl category. To fix this, remove the "KB Transferred" portion of the DNS rule.
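
An added example, not part of the original post: a variant of the ntp_resolve.sh script above that skips lines already present in the hosts file and discards any hostip output that is not an IP literal. The HOSTIP and HOSTS_FILE overrides, and a firmware grep that supports -q, -x and -F, are assumptions.

```sh
#!/bin/sh
# Added example: idempotent, validating variant of /jffs/ntp_resolve.sh.
# Assumptions (not from the post): HOSTIP and HOSTS_FILE can be overridden
# from the environment; hostip prints whitespace-separated addresses.
HOSTIP="${HOSTIP:-/jffs/hostip}"
HOSTS_FILE="${HOSTS_FILE:-/tmp/etc/hosts}"

# Succeed only if $1 looks like an IPv4 or IPv6 literal, so error text or
# an empty answer from the resolver never lands in the hosts file.
is_ip() {
    case "$1" in
        *[!0-9.]*) ;;                          # not IPv4, try IPv6 below
        .*|*.|*..*|*.*.*.*.*) return 1 ;;      # malformed dotted quad
        *.*.*.*) return 0 ;;
    esac
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
    esac
    return 1
}

# Append "address name" unless that exact line is already present.
# Wan Up can run more than once per boot; plain appends would duplicate.
add_host() {
    grep -qxF "$1 $2" "$HOSTS_FILE" 2>/dev/null && return 0
    echo "$1 $2" >> "$HOSTS_FILE"
}

# Resolve each space-separated name in $1; return 1 if any name yielded
# no usable address.
resolve_ntp() {
    rc=0
    for server in $1; do
        found=0
        for address in $("$HOSTIP" "$server" 2>/dev/null); do
            if is_ip "$address"; then
                add_host "$address" "$server"
                found=1
            fi
        done
        [ "$found" -eq 1 ] || rc=1
    done
    return $rc
}
# Only run on the router itself, where the nvram tool exists.
if command -v nvram >/dev/null 2>&1; then
    resolve_ntp "$(nvram get ntp_server)" || echo "ntp_resolve: unresolved NTP server" >&2
fi
```

A non-zero return from resolve_ntp means at least one configured NTP name has no entry in the hosts file.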