DNSCrypt — Encrypt Your DNS Traffic

DNSCrypt is a protocol that encrypts DNS traffic between your device and a DNS resolver. It was created before DNS over HTTPS and DNS over TLS became standardized, and it remains a popular choice for users who want an extra layer of DNS security without relying on HTTP or TLS infrastructure.

Unlike DoH and DoT, DNSCrypt does not use TLS. It uses its own encryption mechanism based on the X25519 key exchange algorithm and authenticated encryption. This makes it lightweight and fast, but it also means it is not a standard protocol supported by most public DNS providers.

How DNSCrypt Works

DNSCrypt uses a client-server model. The client software runs on your device and intercepts DNS queries before they leave your computer. It encrypts each query using a shared key negotiated with the DNSCrypt-enabled DNS server. The server decrypts the query, resolves it, encrypts the response, and sends it back.

The key negotiation happens via public-key cryptography. The server publishes its public key through a certificate stored in a DNS record or a predefined list. The client retrieves this certificate, generates an ephemeral key pair, and performs a key exchange with the server. Subsequent queries use the shared secret for authenticated encryption.

DNSCrypt also supports server authentication. The client verifies the server's identity using the provider's public key. This prevents man-in-the-middle attacks. Even if an attacker intercepts the connection, they cannot forge a valid DNSCrypt response without the server's private key.

DNSCrypt vs DNS over HTTPS vs DNS over TLS

The main difference is the protocol layer. DNSCrypt operates at the DNS protocol level, adding encryption and authentication directly to DNS messages. DoH wraps DNS queries in HTTPS, making them look like regular web traffic. DoT adds TLS encryption on top of the DNS protocol using a dedicated port.

DNSCrypt uses port 443 by default, similar to DoH. This makes it hard to block because it looks like HTTPS traffic. DoT uses port 853, which is easier to identify and block. Some networks block port 853 but cannot block port 443 without breaking the web.

DNSCrypt has a smaller overhead than DoH. DoH requires HTTP/2 or HTTP/3 framing, which adds bytes to each query. DNSCrypt encrypts the raw DNS message without the HTTP wrapper. For high-throughput DNS servers, the difference adds up.

DoH and DoT are IETF standards supported by major browsers and operating systems. DNSCrypt is not a standard protocol. You need to install client software to use it. This is the main limitation of DNSCrypt compared to DoH and DoT.

Setting Up DNSCrypt Proxy

DNSCrypt-proxy is the most popular client implementation. It runs as a local proxy on your device, listening on 127.0.0.1:53. All applications send their DNS queries to the proxy, which encrypts them and forwards them to a DNSCrypt-enabled resolver.

Download DNSCrypt-proxy from the GitHub releases page. For Windows, download the win64 zip. For Linux, download the linux_x86_64 tar.gz. Extract the archive and find the example configuration file (example-dnscrypt-proxy.toml).

Rename the example file to dnscrypt-proxy.toml and edit it. The most important setting is the list of servers. DNSCrypt-proxy can automatically select the fastest, most reliable server from a published list. Set server_names to an empty list to enable automatic selection, or specify your preferred servers.

Install DNSCrypt-proxy as a service so it runs automatically when your computer starts. On Linux: sudo ./dnscrypt-proxy -service install. On Windows: run the command prompt as administrator and use the same command. After installation, configure your system DNS to 127.0.0.1.

DNSCrypt-Proxy Features

DNSCrypt-proxy does more than just encrypt DNS. It includes a DNS cache, which speeds up repeat queries significantly. It supports local blocking rules for ads and trackers. It can also anonymize DNS queries by routing them through two hops: one that knows your IP and one that knows the query, but neither knows both.

Anonymized DNS relays are a unique DNSCrypt feature. The relay accepts encrypted DNS queries and forwards them to the actual resolver. The relay sees your IP but not the query content. The resolver sees the query but not your IP. This prevents any single server from knowing both who you are and what you are looking up.

The query log shows which domains are being resolved and how long each query takes. You can export the log for analysis. The cache statistics show the hit rate and size. A well-tuned cache can answer 80% of queries without contacting the upstream resolver.

For an alternative approach to encrypted DNS, see our guide on Stubby DNS-over-TLS.

Limitations of DNSCrypt

Fewer DNS providers support DNSCrypt compared to DoH and DoT. Cloudflare and Google do not support DNSCrypt on their public resolvers. Quad9 and a network of smaller independent resolvers do. The list of supported servers is maintained by the DNSCrypt project.

DNSCrypt requires client software on every device. For a home network, you can run DNSCrypt-proxy on a Raspberry Pi and configure your router to use it. But this adds complexity compared to DoH or DoT, which can be configured on the router itself or via operating system settings.

Some corporate networks and public Wi-Fi hotspots block non-standard DNS traffic, including DNSCrypt. If the network blocks all outbound DNS except through their own resolver, DNSCrypt will not work. DoH has the same problem, though it is harder to block because it looks like HTTPS.