diff --git a/tornet.yml b/tornet.yml
index 3b29782..427c554 100644
--- a/tornet.yml
+++ b/tornet.yml
@@ -12,6 +12,7 @@
 - bridge-utils
 - ufw
 - dnsmasq
+ - dnscrypt-proxy
 update_cache: no
 install_recommends: no
@@ -239,6 +240,77 @@
 args:
 creates: /run/dnsmasq/dnsmasq-tornet0.pid
+#### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor)
+
+ - name: dnscrypt-proxy configfile
+ blockinfile:
+ path: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
+ create: yes
+ mode: "0444"
+ owner: root
+ group: root
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+
+ # Listen
+ listen_addresses = ['127.0.0.55:5354']
+
+ # what kinds of server do we want to resolve from?
+ doh_servers = true
+ ipv4_servers = false
+ ipv6_servers = false
+ dnscrypt_servers = false
+
+ # do we support IPv6 accressing? Maybe performance issue.
+ block_ipv6 = false
+
+ # don't let weird queries & typos leak upstream
+ block_unqualified = true
+ block_undelegated = true
+
+ # TTL for synthetic responses sent when a request has been blocked
+ reject_ttl = 600
+
+ # request DoH servers which offer DNSSEC / tamperproofing
+ require_dnssec = true
+
+ # we are using tor, so we should not care about logging
+ require_nolog = false
+
+ # request DoH servers that advertise themselves as unfiltered
+ require_nofilter = true
+
+ # use tor
+ force_tcp = true
+ proxy = 'socks5://127.0.0.1:9050'
+
+ # how long (ms) a DNS query will wait for a response; reasonable max 10s
+ timeout = 10000
+
+ # keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30
+ keepalive = 30
+
+ # loadbalancing; p2 strategy, and continuous farming of the list
+ lb_strategy = 'p2'
+ lb_estimator = true
+
+ # logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb
+ log_level = 2
+ use_syslog = true
+ log_files_max_size = 64
+ log_files_max_age = 7
+ log_files_max_backups = 4
+
+
+ notify:
+ - Restart dnscrypt-proxy
+
+ - name: 'enable and start dnscrypt-proxy'
+ command: systemctl enable dnscrypt-proxy --now
+ args:
+ creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
+
+
 handlers:
 - name: Restart tornet0
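Review bot: `blockinfile` with `create: yes` appends the managed block to `/etc/dnscrypt-proxy/dnscrypt-proxy.toml` instead of owning the file, so whatever the package already ships there (typically its own `listen_addresses`, `server_names` and `[sources]` stanzas) stays in force above the block; TOML does not allow a top-level key to be defined twice, so if the packaged file sets any of the keys repeated here the daemon will likely reject the file, and if it sets none of them the block still carries no `[sources]` or `server_names` of its own. Replacing `blockinfile:` with `copy:` plus `content: |` (or `template:`) and dropping `marker:` makes the effective resolver policy exactly what this task states. The `proxy = 'socks5://127.0.0.1:9050'` line routes resolver traffic through Tor but leaves `bootstrap_resolvers` at its default; confirm for the installed dnscrypt-proxy version that the bootstrap lookups of the DoH server hostnames also traverse the proxy, since otherwise those first queries go out in the clear. Minor: `create: yes` should be `create: true` to match yamllint's boolean convention, the `systemctl enable --now` command is better expressed with the `systemd` module (`name: dnscrypt-proxy`, `enabled: true`, `state: started`), which is idempotent without the `creates:` guard, and the `require_dnssec` comment overstates the option — as far as I know it only selects servers advertising DNSSEC support and performs no validation locally, so `# prefer DoH servers that advertise DNSSEC support (no local validation)` is more accurate. The tasks list these entries belong to starts before the hunk.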
@@ -264,3 +336,7 @@
 name: dnsmasq-tornet0
 state: restarted
+ - name: Restart dnscrypt-proxy
+ service:
+ name: dnscrypt-proxy
+ state: restarted