DNSCrypt

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

Implementations are available for most operating systems, including Linux, OSX, Android, iOS, BSD and Windows.

DNSCrypt is not affiliated with any company or organization, is a documented protocol using highly secure, non-NIST cryptography, and its reference implementations are open source and released under a very liberal license.

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity.

DNSCrypt-compatible public resolvers

A number of companies, organizations and individuals operate public recursive DNS servers that support the DNSCrypt protocol, so all you need to run is the client.

A constantly updated list of open DNSCrypt resolvers can be downloaded to replace the default CSV file shipped with the dnscrypt-proxy client.

If you are running your own public DNS resolver in order to help make the Internet a more secure and less censored place, please submit a pull request to have your resolver added to the list of public DNS resolvers.

Deployment

DNSCrypt is typically deployed using a pair of DNS proxies: a client proxy and a server proxy.

The client side of DNSCrypt is a proxy to which regular DNS clients can connect. Instead of using your ISP's DNS settings, you can simply configure your network settings to use 127.0.0.1, or whatever IP address and port you configured the DNSCrypt client to listen on. The client proxy translates regular DNS queries into authenticated DNS queries, forwards them to a server running the server-side DNSCrypt proxy, verifies the responses, and forwards them to the client only if they are genuine.

The server side of DNSCrypt receives DNS queries sent by the client proxy, forwards them to a trusted DNS resolver, and signs the responses it receives before forwarding them to the client proxy.

The DNSCrypt protocol uses UDP and TCP port 443, which is less likely to be filtered by routers and ISPs than the standard DNS port.

The local network is usually the network segment most vulnerable to active attacks such as DNS spoofing. The DNSCrypt server can run on the router, along with a modern DNS resolver. Clients can then run the DNSCrypt client code, leveraging the router's DNS resolver.

    |----- Most vulnerable to attacks ------|            |-- Most vulnerable to censorship --|

         dnscrypt client               dnscrypt server
Laptop/workstation/phone/tablet --------> home router --------> ISP --------> the Internet

    |--------- Secured by DNSCrypt ---------| |------------- Secured by DNSSEC --------------|

Alternatively, companies, organizations and individuals are running public DNS resolvers supporting the DNSCrypt protocol. These can be used as an alternative to running a DNSCrypt server and a DNS resolver on the router.

For maximum protection, the DNSCrypt client can run on every client device:

    |----- Most vulnerable to attacks ------|            |-- Most vulnerable to censorship --|

         dnscrypt client                                                                                 dnscrypt server
Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet --------> public DNS resolver

    |----------------------------------- Secured by DNSCrypt -------------------------------------------|
                                                                              |--- Secured by DNSSEC ---|
                                                                     |--- Most vulnerable to logging ---|

Or if you totally trust the local network, the DNSCrypt client can run on the router instead:

    |----- Most vulnerable to attacks ------|            |-- Most vulnerable to censorship --|

                                        dnscrypt client                                                  dnscrypt server
Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet -------->  public DNS resolver

                                            |------------------ Secured by DNSCrypt --------------------|
                                                                              |--- Secured by DNSSEC ---|
                                                                     |--- Most vulnerable to logging ---|

Finally, you can run your own DNSCrypt server on a remote, trusted network, to get the best possible protection against censorship, while having full control over what the resolver is logging:

    |----- Most vulnerable to attacks ------|            |-- Most vulnerable to censorship --|

        dnscrypt client                                                                                 dnscrypt server
Laptop/workstation/phone/tablet --------> home router --------> ISP ----------> the Internet --------> private DNS resolver

    |----------------------------------- Secured by DNSCrypt -------------------------------------------|
                                                                              |--- Secured by DNSSEC ---|

DNSCrypt server

If you are running your own private or public recursive DNS server, adding support for the DNSCrypt protocol requires installing DNSCrypt-Wrapper, the server-side DNSCrypt proxy.

DNSCrypt-Wrapper can be compiled from the source code. OSX users can also use Homebrew to install it: brew install dnscrypt-wrapper.

The proxy is compatible with any DNS resolver software, including Unbound, PowerDNS Recursor and BIND.

DNSCrypt for Windows

The dnscrypt-proxy application works on Windows, from Windows XP to Windows 10. It runs as a service, and does not provide a graphical user interface; its installation and its configuration require typing commands. This remains the best option for advanced users, especially since it supports the same plugins as other platforms.

See using DNSCrypt on Windows to get started with the command-line tool.

In addition, the following user interfaces are available:

Recommended guides for getting started with the DNSCrypt client on Windows:

DNSCrypt for OSX

DNSCrypt-OSXClient is an easy-to-use, full-featured, self-contained graphical user interface for OSX.

Alternatively, advanced users familiar with the command-line can use Homebrew to install the software:

brew install dnscrypt-proxy --with-plugins

DNSCrypt for iOS

For jailbroken iOS devices, GuizmoDNS is an app to change DNS settings (for 3G/4G and Wifi), with support for DNSCrypt.

The DNSCrypt source code can also be compiled out of the box for iOS devices, using the provided dist-build/ios.sh script.

DNSCrypt for Android

The DNSCrypt source code can be compiled for Android devices, using the provided dist-build/android*.sh scripts.

Running it requires a rooted device.

dnscrypt-proxy

Pcap_DNSProxy is a very fast DNS proxy designed to bypass censorship, especially the Great Firewall of China. It includes a DNSCrypt client implementation.

The reference client implementation of DNSCrypt, however, is dnscrypt-proxy.

Packages are available for many modern Linux distributions and for common BSD systems.

For other systems, the dnscrypt-proxy source code can be compiled. Its only build dependency is libsodium, for which most distributions provide pre-built packages. The proxy is installed as /usr/local/sbin/dnscrypt-proxy by default.

Command-line switches are documented in the dnscrypt-proxy(8) man page. Having a dedicated system user, with no privileges and with an empty home directory, is highly recommended. For extra security, DNSCrypt will chroot() to this user's home directory and drop root privileges, switching to this user's uid, as soon as possible.

Most users just want to start the client proxy like this:

sudo dnscrypt-proxy --ephemeral-keys --resolver-name=<resolver name>

Or to run it as a background process:

sudo dnscrypt-proxy --ephemeral-keys --resolver-name=<resolver name> --daemonize

Replace <resolver name> with the name of the resolver you want to use (the first column in the list of public resolvers). For example:

sudo dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.org-fr --daemonize

The proxy will accept incoming requests on 127.0.0.1, port 53, add an authentication tag, forward them to the resolver, and validate each answer before passing it to the client.

Given such a setup, in order to actually start using DNSCrypt, you need to configure your DNS settings to use 127.0.0.1 as a name server. Done! You are now using DNSCrypt.

Other common command-line switches include:

Multiple dnscrypt-proxy instances can run simultaneously, with different configurations.

Using DNSCrypt in combination with a DNS cache

The DNSCrypt client proxy is not a DNS cache. This means that incoming queries will not be cached and every single query will require a round-trip to the upstream resolver.

For optimal performance, the recommended way of running DNSCrypt is to run it as a forwarder for a local DNS cache, like unbound or powerdns-recursor.

Both can safely run on the same machine as long as they are listening on different IP addresses (preferred) or different ports.

If your DNS cache is unbound, all you need is to edit the unbound.conf file and add the following lines at the end of the server section:

do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@40

The first line is not required if you are using different IP addresses instead of different ports.

Then start dnscrypt-proxy, telling it to use a specific port (40, in this example):

# dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:40 --daemonize

IPv6

IPv6 is fully supported. IPv6 addresses with a port number should be specified as [ip]:port.

# dnscrypt-proxy --ephemeral-keys --local-address='[::1]:40' --daemonize

Firewall rules

The default port used by the DNSCrypt protocol is 443. Both TCP and UDP should be allowed.

Some public resolvers use a different port, though.

When running your own server, you can pick any port.

Plugins

dnscrypt-proxy can be extended with plugins.

Plugins are a very powerful mechanism to locally filter and rewrite queries and responses before forwarding them.

Plugins are enabled by adding --plugin=... switches to the startup command line. Multiple plugins can be enabled at the same time.

AAAA blocking

If your network doesn't support IPv6, chances are that your applications are still constantly trying to resolve IPv6 addresses, causing unnecessary slowdowns.

This plugin causes the proxy to immediately reply to IPv6 (AAAA) requests, without sending a useless request to upstream resolvers and waiting for a response.

Usage:

# dnscrypt-proxy ... --plugin=example-ldns-aaaa-blocking.la

IP/domain names blocking

Want to filter ads, malware, sensitive or inappropriate web sites and domain names?

This plugin can block lists of IP addresses and names matching a list of patterns. The list of rules remains private, and the filtering process directly happens on your own network.

In order to filter IP addresses, the list of IPs has to be put into a text file, with one IP address per line. The plugin can then be enabled with:

# dnscrypt-proxy ... --plugin=example-ldns-blocking.la,ips=<ips file name>

Comments starting with # are allowed.

Lists of domain names can be blocked as well. Put the list into a text file, one domain per line, and enable the plugin with:

# dnscrypt-proxy ... --plugin=example-ldns-blocking.la,domains=<domains file name>

Domains can include wildcards (*) in order to match patterns. For example, *sex* will match any name that contains the substring "sex", and ads.* will match any name starting with "ads.".

Comments starting with # are also allowed.

The Internet has plenty of free feeds of IP addresses and domain names used for malware, phishing and spam that you can use with this plugin.

Lists of IPs and domains can be used simultaneously:

# dnscrypt-proxy ... --plugin=example-ldns-blocking.la,domains=<domains file name>,ips=<ips file name>
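As an added illustration of what the AAAA-blocking and IP/domain-blocking plugins described above do locally, the following Python program is not code from dnscrypt-proxy or its plugins; it is a stand-alone stand-in that parses a DNS query from wire format, answers AAAA queries immediately, refuses names matching a blocklist, and drops upstream answers that point at blocked IPv4 addresses. The blocklists, queries and IP addresses are constructed for the example. The exact matching semantics (case-insensitive names, * matching any substring) and the response codes used for blocked queries (REFUSED for names and IPs, an empty NOERROR answer for AAAA) are assumptions, not documented plugin behaviour. It also shows the overblocking risk of substring patterns: the *sex* rule from the text also blocks sussex.ac.uk.

```python
"""Added example (not dnscrypt-proxy code): a minimal local DNS filter that
mimics the AAAA-blocking and IP/domain-blocking plugins. Standard library only.
Assumptions: case-insensitive names, '*' matches any substring, blocked names
and IPs get REFUSED, blocked AAAA queries get an empty NOERROR reply."""
import re
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Dotted name -> DNS wire-format labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, pos):
    """Offset just past a name (plain labels or a 2-byte compression pointer)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # pointer, e.g. 0xC00C -> the question name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos


def build_query(qid, name, qtype):
    """Standard recursive query: flags 0x0100 (RD), one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(query, ip, ttl=300):
    """Constructed upstream answer: one A record, name given as a pointer."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
    return header + query[12:qend] + rr + bytes(int(o) for o in ip.split("."))


def parse_query(msg):
    """(id, lower-cased qname, qtype) from a message carrying one question."""
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    qtype, = struct.unpack("!H", msg[pos + 1:pos + 3])
    return qid, ".".join(labels).lower(), qtype


def header_of(msg):
    """(id, QR bit, rcode, ancount) for any DNS message."""
    qid, flags, _qd, ancount = struct.unpack("!HHHH", msg[:8])
    return qid, flags >> 15, flags & 0xF, ancount


def answer_ips(resp):
    """IPv4 addresses found in the answer section of a response."""
    ancount, = struct.unpack("!H", resp[6:8])
    pos, ips = skip_name(resp, 12) + 4, []   # start just past the question
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return ips


def local_reply(msg, rcode):
    """Answer locally: same id and question, QR/RD/RA set, no records, given rcode."""
    qend = skip_name(msg, 12) + 4
    return msg[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0) + msg[12:qend]


def load_rules(text):
    """One rule per line; anything after '#' is a comment, as the plugin allows."""
    rules = [line.split("#", 1)[0].strip().lower() for line in text.splitlines()]
    return [r for r in rules if r]


def compile_patterns(rules):
    """'*' matches any run of characters; everything else is literal."""
    return [re.compile(".*".join(re.escape(p) for p in r.split("*"))) for r in rules]


def filter_query(query, patterns, block_aaaa=True):
    """Decision before forwarding: ('local', reply) or ('forward', query)."""
    _qid, qname, qtype = parse_query(query)
    if block_aaaa and qtype == QTYPE_AAAA:
        return "local", local_reply(query, RCODE_NOERROR)   # no upstream round-trip
    if any(p.fullmatch(qname) for p in patterns):
        return "local", local_reply(query, RCODE_REFUSED)
    return "forward", query


def filter_response(resp, blocked_ips):
    """Decision after the upstream answer arrives: refuse answers with blocked IPs."""
    if any(ip in blocked_ips for ip in answer_ips(resp)):
        return "local", local_reply(resp, RCODE_REFUSED)
    return "pass", resp


# Constructed sample rule files (hypothetical contents, not real feeds).
DOMAIN_RULES = load_rules("# constructed blocklist\n*sex*   # substring, as in the text\n"
                          "ads.*   # anything starting with 'ads.'\ntracker.example.net\n")
IP_RULES = set(load_rules("192.0.2.45  # constructed, documentation range\n"))
PATTERNS = compile_patterns(DOMAIN_RULES)

if __name__ == "__main__":
    for qid, (name, qtype) in enumerate([("www.example.com", QTYPE_AAAA),
                                         ("ads.example.com", QTYPE_A),
                                         ("sussex.ac.uk", QTYPE_A),      # overblocked by *sex*
                                         ("www.example.com", QTYPE_A)], start=1):
        print(name, qtype, filter_query(build_query(qid, name, qtype), PATTERNS)[0])
    q = build_query(9, "www.example.com", QTYPE_A)
    print("blocked IP answer:", filter_response(build_a_response(q, "192.0.2.45"), IP_RULES)[0])
```

Substring rules such as *sex* are convenient but coarse: when feeding a public blocklist to the plugin, review what a wildcard actually matches before deploying it, since every match is answered locally and never reaches the resolver.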

Logging plugin

This plugin logs the DNS queries received by the proxy. The logs are stored in a local file.

# dnscrypt-proxy ... --plugin=example-logging.la,<log file name>