In some cases, on systems other than Gnoppix, you get the following error:
```
Aug 23 23:01:58 mac systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Aug 23 23:01:58 mac dnscrypt-proxy[9266]: dnscrypt-proxy 2.1.8
Aug 23 23:01:58 mac dnscrypt-proxy[9266]: Network connectivity detected
Aug 23 23:01:58 mac dnscrypt-proxy[9266]: listen udp4 127.0.0.1:53: bind: permission denied
Aug 23 23:01:58 mac systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION
Aug 23 23:01:58 mac systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.
root@mac:~# sudo setcap 'cap_net_bind_service=+ep' /usr/sbin/dnscrypt-proxy
root@mac:~# systemctl status dnscrypt-proxy
× dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Sat 2025-08-23 23:01:58 EDT; 4min 37s ago
Duration: 131ms
Invocation: acfb4dcc197641f0bbc4d7925db1a006
TriggeredBy: ● dnscrypt-proxy.socket
Docs: Home · DNSCrypt/dnscrypt-proxy Wiki · GitHub
Process: 9266 ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml (code=exited, status=255/EXCEPTION)
Main PID: 9266 (code=exited, status=255/EXCEPTION)
Mem peak: 7.5M
CPU: 99ms
```
The log entry “listen udp4 127.0.0.1:53: bind: permission denied” indicates that dnscrypt-proxy was unable to start because it lacked the necessary permissions to bind to port 53 on the local host. This is a common issue with non-root services trying to use a privileged port.
Why This Happens
Ports below 1024 are known as privileged ports on Unix-like operating systems. By default, only a process running with root privileges (the superuser) can bind to these ports. The dnscrypt-proxy service, for security reasons, often runs as a non-root user. DNS typically runs on port 53, which is a privileged port. The error arises because the non-root dnscrypt-proxy process tries to bind to this privileged port and the operating system denies it permission.
How to Fix It
To resolve this issue, you must grant the necessary permissions to the dnscrypt-proxy process. Here are some common methods:
- Run as a privileged user: The simplest, though less secure, solution is to configure the service to run as the root user. This can be done by modifying the service file (e.g., `/etc/systemd/system/dnscrypt-proxy.service`). This approach is not recommended unless absolutely necessary, as it poses a security risk.
- Grant specific capabilities: A more secure and recommended approach is to grant the `dnscrypt-proxy` executable the `CAP_NET_BIND_SERVICE` capability. This allows a non-root process to bind to privileged ports without having to run as a full root user. You can do this with the `setcap` command. For example, `sudo setcap 'cap_net_bind_service=+ep' /usr/sbin/dnscrypt-proxy`. (The exact path may vary depending on the system.)
- Use a port redirect: You can run `dnscrypt-proxy` on an unprivileged port (e.g., port 5353) and then use a firewall rule (e.g., using `iptables`) to redirect traffic from port 53 to the unprivileged port. This method is secure, as the main service is not running with elevated privileges.
- Use `systemd` `AmbientCapabilities`: Modern `systemd` versions allow you to add `AmbientCapabilities` to a service unit file, granting specific capabilities to the service. You would add `AmbientCapabilities=CAP_NET_BIND_SERVICE` to the `[Service]` section of the service file.
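
To see which of the fixes above is actually in effect before restarting the service, the following check can be used. It is an added example, not part of the original post or of dnscrypt-proxy; the function names are hypothetical, and it assumes the Linux sysctl `net.ipv4.ip_unprivileged_port_start` (1024 by default) as the first unprivileged port.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of dnscrypt-proxy.

# Success if TEXT (systemctl AmbientCapabilities value) names the capability.
has_bind_cap() {
    printf '%s\n' "$1" | grep -qi 'cap_net_bind_service'
}

# Success if getcap output shows the capability with the effective (e) flag,
# in either "cap_net_bind_service=ep" or "= cap_net_bind_service+ep" form.
file_cap_effective() {
    printf '%s\n' "$1" | grep -Eqi 'cap_net_bind_service[^ ]*[=+][a-z]*e'
}

# bind_verdict PORT UID THRESHOLD GETCAP_OUTPUT AMBIENT_CAPS
# THRESHOLD is the first unprivileged port (1024 by default).
bind_verdict() {
    port=$1 uid=$2 threshold=$3 file_caps=$4 ambient=$5
    if [ "$port" -ge "$threshold" ]; then
        echo "ok: port $port is unprivileged"
    elif [ "$uid" -eq 0 ]; then
        echo "warn: binds only because the service runs as root"
    elif has_bind_cap "$ambient"; then
        echo "ok: AmbientCapabilities grants CAP_NET_BIND_SERVICE"
    elif file_cap_effective "$file_caps"; then
        echo "ok: file capability grants CAP_NET_BIND_SERVICE"
    else
        echo "fail: expect 'bind: permission denied' on port $port"
    fi
}

# Live check: sh check-bind.sh --live  (reads the real unit and binary)
if [ "${1:-}" = "--live" ]; then
    unit=dnscrypt-proxy.service
    bin=/usr/sbin/dnscrypt-proxy
    user=$(systemctl show -p User --value "$unit")
    bind_verdict 53 "$(id -u "${user:-root}")" \
        "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" \
        "$(getcap "$bin")" \
        "$(systemctl show -p AmbientCapabilities --value "$unit")"
fi
```

A file capability set without the effective flag (for example `=p` only) is reported as a failure, because a program that does not raise its own capabilities cannot use it.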