diff --git a/_information/Collections.md b/_information/Collections.md
index eff3e06..f3da7fb 100644
--- a/_information/Collections.md
+++ b/_information/Collections.md
@@ -26,4 +26,6 @@ A collection of QubesOS related content.
-[dvm-zulucrypt](./qubes/dvm-zulucrypt) - Notes on how to setup a disposable zulucrypt instance for USB devices.
\ No newline at end of file
+[dvm-zulucrypt](./qubes/dvm-zulucrypt) - Notes on how to setup a disposable zulucrypt instance for USB devices.
+
+[kicksecure-sys-dns](./qubes/kicksecure-sys-dns) - Notes on how to setup a hardened dnscrypt proxy
\ No newline at end of file
diff --git a/_information/Qubes/kicksecure-sys-dns.md b/_information/Qubes/kicksecure-sys-dns.md
new file mode 100644
index 0000000..ac3ac5a
--- /dev/null
+++ b/_information/Qubes/kicksecure-sys-dns.md
@@ -0,0 +1,75 @@
+---
+layout: default1
+description: Notes reguarding kicksecure DNS
+title: kicksecure-sys-dns
+permalink: /qubes/kicksecure-sys-dns
+---
+
+Setting up a hardened `sys-dns` to proxy DNS traffic through `dnscrypt`
+
+
+
+### Prerequisites:
+
+Create a Debian minimal templated and setup [kicksecure](./#debian-security).
+
+Install the required packages:
+
+``sudo apt install dnscrypt-proxy qubes-core-agent-networking``
+
+The `dnscrypt` settings are located at `/etc/dnscrypt-proxy/`
+
+Edit ``/rw/config/rc.local`` to:
+
+
+
+```
+#!/bin/sh
+
+# This script will be executed at every VM startup, you can place your own
+# custom commands here. This includes overriding some configuration in /etc,
+# starting services etc.
+
+# Example for overriding the whole CUPS configuration:
+# rm -rf /etc/cups
+# ln -s /rw/config/cups /etc/cups
+# systemctl --no-block restart cups
+
+# allow redirects to localhost
+/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
+/usr/sbin/iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
+/usr/sbin/iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
+
+# redirect dns-requests to localhost
+/usr/sbin/iptables -t nat -F PR-QBS
+/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
+/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
+/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
+/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
+
+# set /etc/resolv.conf and start dnscrypt-proxy
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+/usr/bin/systemctl enable dnscrypt-proxy.service --now
+```
+
+
+
+### Setup:
+
+Create an AppVM `dvm-dnscrypt` based on the template created above with:
+
+- NetVM: `sys-net`
+- Autostart: `true`
+- Provides Network: `true`
+
+
+
+Clone `dvm-dnscrypt`and create a `sys-dns` as a DispVM, ensuring the same settings as above are set.
+
+Set your `sys-fireall` to connect to `sys-dns`
+
+
+
+### Sources
+
+- [[guide] how-to setup a sys-dns qube](https://forum.qubes-os.org/t/guide-how-to-setup-a-sys-dns-qube/13749)
\ No newline at end of file