All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.
That resolver can run locally and only respond to `127.0.0.1`. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.
In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. [rust-doh](https://github.com/jedisct1/rust-doh) is the recommended DoH proxy server. DoH support is optional, as it is currently way more complicated to setup than DNSCrypt due to certificate management.
Then, review the [`encrypted-dns.toml`](https://raw.githubusercontent.com/jedisct1/encrypted-dns-server/master/example-encrypted-dns.toml) file. This is where all the parameters can be configured, including the IP addresses to listen to.
If you are currently running an encrypted DNS server using [`dnscrypt-wrapper`](https://github.com/cofyc/dnscrypt-wrapper), moving to the new proxy is simple:
- Double check that the provider name in `encrypted-dns.toml` matches the one you previously configured. If you forgot it, it can be recovered [from its DNS stamp](https://dnscrypt.info/stamps/).
In addition, if a server is slow or unresponsive, expired cached queries will be returned, ensuring that popular domain names always keep being served.
The proxy creates and updates a file named `encrypted-dns.state` by default. That file contains the provider secret key, as well as certificates and encryption keys.