
DNSCrypt is a protocol that encrypts DNS traffic between your device and a DNS resolver, making it more secure than traditional DNS.
This encryption is provided by a third-party service, known as a DNSCrypt server, which acts as a middleman between your device and the DNS resolver.
To configure DNSCrypt, you'll need to install a DNSCrypt client on your device, which will connect to the DNSCrypt server.
The client will then encrypt your DNS requests and send them to the DNSCrypt server, which will forward them to the DNS resolver.
If this caught your attention, see: EDNS Client Subnet
Deployment
The adoption of DNSCrypt has been significant, with several public DNS resolvers and VPN services embracing the protocol.
OpenDNS, now part of Cisco, announced the first public DNS service supporting DNSCrypt on 6 December 2011.
CloudNS Australia quickly followed suit, supporting DNSCrypt soon after OpenDNS.
The majority of these public DNS resolvers are members of the OpenNIC network.
Additional reading: Public Suffix List
Protocol
The DNSCrypt protocol operates over both UDP and TCP, with the default port being 443. This is the same port used by HTTPS, despite the two protocols being quite different.
To use DNSCrypt, you'll need to have a DNSCrypt client and server set up. The client sends a DNS query to the server to retrieve its public keys.
The DNSCrypt protocol uses the X25519 algorithm for key exchange, EdDSA for signatures, and XSalsa20-Poly1305 or XChaCha20-Poly1305 for authenticated encryption. These are all secure and widely used cryptographic techniques.
If a query is too large to fit in a single UDP packet, the server can respond with a short packet that has the TC (truncated) bit set. The client should then retry using TCP and increase the padding of subsequent queries.
Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes to avoid leaking packet sizes.
Here's a step-by-step overview of how the DNSCrypt protocol works:
- The client sends a DNS query to the server to retrieve its public keys.
- The client generates its own key pair.
- The client encrypts unmodified DNS queries using a server's public key, padding them as necessary, and concatenates them to a nonce and a copy of the client's public key.
- The server decrypts the queries using the attached client public key and its own secret key.
- The server adds padding to the response, encrypts it using the client's public key and the client's nonce, and truncates the response if necessary.
- The client authenticates and decrypts the response using its secret key, the server's public key, the client's nonce included in the response, and the client's original nonce.
As of 2023, there are no known vulnerabilities in the DNSCrypt protocol or practical attacks against its underlying cryptographic constructions.
Security
DNSCrypt provides a secure way to encrypt DNS traffic, making it more difficult for hackers to intercept and manipulate DNS queries. This is achieved through the use of cryptographic protocols.
By encrypting DNS traffic, users can protect their browsing data from being intercepted by third parties, including ISPs and cybercriminals. This is especially important for users who value their online privacy.
DNSCrypt uses public-key cryptography to authenticate and encrypt DNS queries, ensuring that only the intended recipient can access the encrypted data. This provides a high level of security and integrity to DNS traffic.
Encrypted State
The Umbrella roaming client has a special feature called the Encrypted State, which plays a crucial role in enhancing security.
In the Encrypted State, the Umbrella roaming client sends encrypted, authenticated DNS queries to Umbrella. This ensures that sensitive information is protected from potential threats.
But when is the Encrypted State activated? It's triggered when two conditions are met: the Umbrella roaming client is in the Encrypted State, and the DNS query doesn't search for a domain or its subdomain that's listed on the internal domains list.
To be more specific, the Encrypted State is not triggered if the DNS query is looking for a domain or its subdomain that's part of the internal domains list.
You might like: List of Managed DNS Providers
Anonymized
Anonymized DNSCrypt is a protocol extension that improves DNS privacy, specifically designed for DNS traffic.
It's a lightweight alternative to using Tor and SOCKS proxies, making it a more efficient option for secure DNS resolution.
In October 2019, deployment of Anonymized DNSCrypt started, and the adoption was surprisingly fast.
Within two weeks, 40 DNS relays were set up, showing the protocol's potential for widespread use.
This rapid adoption is a testament to the protocol's ease of implementation and its ability to meet the growing demand for secure DNS services.
DnsSec
DNSSEC provides authentication between the recursive DNS server, the root DNS servers, and the authoritative DNS servers which support DNSSEC. The recursive DNS servers and Authoritative DNS Servers must both support DNSSEC.
This means that for DNSSEC to work, both the recursive DNS server and the authoritative DNS server need to be configured to support it.
DNSSEC is particularly useful in ensuring the integrity of DNS data, especially when dealing with sensitive information.
It's essential to note that DNSSEC doesn't encrypt DNS queries, but rather focuses on authenticating the data exchanged between servers.
Recommended read: Public Recursive Name Server
Certificates
Certificates are a crucial aspect of security, and understanding how they work can help you stay safe online.
A certificate is essentially a digital ID that verifies the identity of a website or organization. It's like a driver's license, but for the internet.
To obtain a certificate, a website or organization must first generate a public-private key pair. This is done through a process called key pair generation.
A certificate is then issued by a trusted third-party organization, such as a Certificate Authority (CA). This certificate is what verifies the identity of the website or organization.
Certificates are typically used for secure communication, such as when you enter sensitive information on a website. They ensure that the data is encrypted and protected from interception.
A certificate's expiration date is usually set by the CA, and it must be renewed periodically to remain valid. This is done to prevent certificates from being used maliciously.
Certificates can be revoked if they are compromised or no longer trusted. This is done by removing the certificate from the trusted list of certificates.
Key Management
Key Management is a critical aspect of securing your online interactions. Clients generate unique key pairs for each resolver they communicate with.
In fact, resolvers create individual key pairs for every client they interact with. This ensures that each client has a unique key pair for a specific resolver.
Resolvers also create a public key for each encryption system they support. This allows them to encrypt responses for clients who support the same encryption system.
A resolver may choose to disregard a query or send back a response encrypted using DNSCrypt. This decision is made on a case-by-case basis, depending on the resolver's configuration and the client's encryption capabilities.
A successful response to a certificate request contains one or more TXT records, each record containing a certificate encoded in a specific format.
If this caught your attention, see: Domain Name System Blocklist
Configuration
The default configuration file for dnscrypt-proxy is located at /etc/dnscrypt-proxy/dnscrypt-proxy.toml. This is where you'll find the settings to customize the behavior of the service.
Curious to learn more? Check out: Domains by Proxy
To run dnscrypt-proxy as a forwarder for a local DNS cache, it's recommended to use a separate caching program, such as pdnsd. You'll need to install pdnsd and set up a basic configuration that works with dnscrypt-proxy.
dnscrypt-proxy listens on port 53 by default, but you can change this to a different port, such as 54, to avoid conflicts with the local DNS cache.
A fresh viewpoint: Web Proxy Auto-Discovery Protocol
Repositories
Repositories are a crucial part of the configuration process, providing a central location for managing and organizing your projects.
You'll find a range of repositories listed below, each with its own unique features and benefits.
The encrypted-dns-server repository is an easy-to-install, high-performance, zero-maintenance proxy for running an encrypted DNS server. It's a great option for those looking for a hassle-free solution.
The dnscrypt-proxy repository offers a flexible DNS proxy with support for encrypted DNS protocols, making it a popular choice among users. With over 12,500 commits in the past year, it's clear that this project is actively maintained and updated.

Here's a brief overview of some of the key repositories:
- encrypted-dns-server: An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
- dnscrypt-proxy: A flexible DNS proxy, with support for encrypted DNS protocols.
- doh-server: A fast, mature, secure DoH and ODoH server proxy written in Rust.
- dnscrypt-resolvers: Lists of public DNSCrypt / DoH DNS servers and DNS relays.
Each of these repositories has its own unique strengths and weaknesses, so it's essential to choose the one that best fits your needs.
Padding for TCP Client Queries
Padding for TCP client queries is a crucial step in ensuring secure communication. Queries MUST undergo padding using the ISO/IEC 7816-4 format before being encrypted.
The padding starts with a byte valued 0x80 followed by a variable number of NUL bytes. This initial byte is a signal to the receiving end that padding has been applied.
The length of the padding is selected randomly, ranging from 1 to 256 bytes, including the initial byte valued at 0x80. This adds a level of unpredictability to the padding.
The total length of the padded query must be a multiple of 64 bytes. This ensures that the padded query can be efficiently encrypted and transmitted.
For example, a 56-bytes DNS query can be padded with 8 NUL bytes, resulting in a total length of 64 bytes. This is done by adding the initial 0x80 byte and 7 additional NUL bytes to the original query.
Configuration

The default configuration file for dnscrypt-proxy is located at /etc/dnscrypt-proxy/dnscrypt-proxy.toml.
You can run dnscrypt-proxy as a forwarder for a local DNS cache, which is recommended if you're not using dnscrypt-proxy's cache feature. This is because every single query will make a round-trip to the upstream resolver otherwise.
To run dnscrypt-proxy as a forwarder, you'll need to set up your local DNS cache program, such as pdnsd. A basic configuration to work with dnscrypt-proxy is to install pdnsd and edit its configuration file accordingly.
dnscrypt-proxy should listen on a port different from the default 53, since the DNS cache itself needs to listen on 53 and query dnscrypt-proxy on a different port. Port number 54 is used as an example in this section.
If you want to manually set which server is used by dnscrypt-proxy, you can uncomment the server_names variable in the configuration file and select one or more of the servers. For example, to use Cloudflare's servers, you can add the following line to your /etc/resolv.conf.
dnscrypt-proxy can choose the fastest server from the sources already configured under [sources] if you leave server_names commented out in the configuration file. This way, you don't need to manually configure a specific set of servers.
Additional reading: Amazon Route 53
Usage
DNSCrypt is a simple way to encrypt DNS traffic, making it harder for hackers to intercept and steal sensitive data.
To use DNSCrypt, you'll need to set up a DNSCrypt proxy on your network. This can be done using a variety of software packages, including OpenDNS and Cloudflare.
One of the most popular DNSCrypt clients is the dnscrypt-proxy, which is available for both Windows and Linux operating systems.
To get started, simply download and install the dnscrypt-proxy, then configure it to use a DNSCrypt-enabled DNS server.
Frequently Asked Questions
What is the difference between DNS and DNSCrypt?
DNSCrypt encrypts traffic between your device and the DNS resolver, while DNSCrypt servers don't necessarily encrypt communication with the DNS server. This means DNSCrypt provides end-to-end encryption, but not necessarily across the entire network.
Is DNSCrypt free?
Yes, DNSCrypt is free to use, with multiple open-source implementations available for various operating systems. Its free and open-source nature makes it an attractive option for those seeking secure and private DNS services.
Featured Images: pexels.com


