|Domain Name System|
DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.
Although multiple free and open source software implementations exist, the protocol was never proposed to the Internet Engineering Task Force (IETF) by the way of a Request for Comments (RFC). It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and MS Windows.
DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks. The free and open source software implementation dnscrypt-proxy additionally integrates ODoH.
In addition to private deployments, the DNSCrypt protocol has been adopted by several public DNS resolvers, the vast majority being members of the OpenNIC network, as well as virtual private network (VPN) services.
Other servers that support secure protocol are mentioned in the DNSCrypt creators’ list.
DNSCrypt can be used either over UDP or over TCP. In both cases, its default port is 443. Even though the protocol radically differs from HTTPS, both service types utilize the same port. However, even though DNS over HTTPS and DNSCrypt are possible on the same port, they must still run separately on different servers. Two server applications cannot run simultaneously on the same server if both utilize the same port for communication; though a multiplexing approach is theoretically possible.
Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider. This public key is used to verify a set of certificates, retrieved using conventional DNS queries. These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key for every query, while servers are encouraged to rotate short-term key pairs every 24 hours.
The DNSCrypt protocol can also be used for access control or accounting, by accepting only a predefined set of public keys. This can be used by commercial DNS services to identify customers without having to rely on IP addresses.
Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes. Over UDP, when a response would be larger than the question leading to it, a server can respond with a short packet whose TC (truncated) bit has been set. The client should then retry using TCP and increase the padding of subsequent queries.
As of 2020, there are no known vulnerabilities in the DNSCrypt protocol nor practical attacks against its underlying cryptographic constructions.
Anonymized DNSCrypt is a protocol extension proposed in 2019 to further improve DNS privacy.
Instead of directly responding to clients, a resolver can act as a transparent proxy to another resolver, hiding the real client IP to the latter. Anonymized DNSCrypt is a lightweight alternative to Tor and SOCKS proxies, specifically designed for DNS traffic.
Deployment of Anonymized DNSCrypt started in October 2019, and the protocol adoption was fast, with 40 DNS relays being set up only two weeks after the public availability of client and server implementations.
- DNS over HTTPS
- DNS over TLS
- Domain Name System Security Extensions (DNSSEC)
- Elliptic curve cryptography
- "DNSCrypt/dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols". GitHub. DNSCrypt. Archived from the original on 20 January 2016. Retrieved 29 January 2016.
- "Oblivious DoH · DNSCrypt/dnscrypt-proxy Wiki". GitHub. DNSCrypt project. Retrieved 28 July 2022.
- Ulevitch, David (6 December 2011). "DNSCrypt – Critical, fundamental, and about time". Cisco Umbrella. Archived from the original on 1 July 2020. Retrieved 1 July 2020.
- "AdGuard DNS Now Supports DNSCrypt". AdGuard Blog. Archived from the original on 12 September 2017. Retrieved 11 September 2017.
- "DNS filtering". AdGuard Knowledgebase. Archived from the original on 11 September 2017. Retrieved 11 September 2017.
- "DNSCrypt Now in Testing". Quad9 Blog. 30 August 2018. Archived from the original on 28 December 2019. Retrieved 1 July 2020.
- "DNSCrypt - List of public DoH and DNSCrypt servers". DNSCrypt. Archived from the original on 19 June 2020. Retrieved 1 July 2020.
- "Anonymized DNSCrypt specification". GitHub. DNSCrypt. Archived from the original on 25 October 2019. Retrieved 1 July 2020.
- "Anonymized DNS relays". GitHub. DNSCrypt. 1 November 2019. Archived from the original on 1 July 2020. Retrieved 1 July 2020.