Readablewiki

DNSCrypt

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

DNSCrypt is a network protocol that authenticates and encrypts DNS traffic between a client (the stub resolver on your computer or network) and a DNS resolver. The client verifies that each response really comes from the resolver it chose, and both queries and responses are encrypted, so an eavesdropper or an on-path attacker can neither read nor forge them. It also mitigates UDP-based amplification attacks by requiring a query to be at least as large as the response it elicits, so a small spoofed query cannot be used to direct a much larger response at a victim.

It was designed by Frank Denis and Yecheng Fu. Free, open-source implementations exist for Windows, macOS, Linux, Android, and iOS. The dnscrypt-proxy client implementation also supports other encrypted DNS transports, including Oblivious DoH (ODoH), which hides the client's IP address from the resolver by routing queries through a separate proxy. DNSCrypt has been adopted by several public DNS resolvers and VPN services.

Public adoption has included OpenDNS (now part of Cisco), which announced support in December 2011, followed by CloudNS Australia; Yandex in 2016; AdGuard in 2016; Quad9 in 2018; and others listed by the protocol's creators. DNSCrypt can run over UDP or TCP, and in both cases its default port is 443, the port HTTPS also uses. DNSCrypt is not carried over TLS, however, so it is a different service from DNS over HTTPS: a resolver that offers both must run them as separate listeners (or on separate hosts), even when both answer on port 443.

Instead of relying on the certificate authorities that web browsers trust, a DNSCrypt client is configured with the public signing key of its chosen provider and trusts only that key. It uses that key to verify a set of certificates retrieved with ordinary DNS queries (a TXT record at a name of the form 2.dnscrypt-cert.<provider>). Each certificate carries a short-term public key for the key exchange, an identifier of the cipher suite to use, a serial number, and a validity period. Clients can generate a fresh key pair for every query, and servers are encouraged to rotate their short-term keys roughly every 24 hours, which limits how much past traffic a compromised short-term key exposes. Because the server sees the client's public key in every query, a service can also accept only a predefined set of client keys, which lets it enforce access control or identify customers without relying on source IP addresses.
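As an added example (not code from the page or from dnscrypt-proxy), the Go program below parses a DNSCrypt v2 certificate and performs the client-side checks described above: certificate magic and cipher identifier, an Ed25519 signature under the provider's long-term key, and the validity window. The field layout follows the DNSCrypt v2 specification. The provider keys (derived from fixed seeds), the resolver key bytes and the client-magic value are constructed test values, and BuildCert is a hypothetical provider-side helper included only to produce material for VerifyCert.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DNSCrypt v2 certificate layout (field sizes as given in the protocol spec):
//   cert-magic(4) es-version(2) minor-version(2) signature(64)
//   resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4) extensions
// The signature is Ed25519 under the provider's long-term key over every
// byte that follows it. 124 bytes is the size with no extensions.
const (
	esXSalsa20Poly1305  = 0x0001
	esXChaCha20Poly1305 = 0x0002
	certMinLen          = 124
)

var certMagic = []byte("DNSC")

type Cert struct {
	ESVersion   uint16
	ResolverPK  [32]byte // short-term X25519 key the client encrypts to
	ClientMagic [8]byte  // prefix the client puts on queries for this key
	Serial      uint32
	TSStart     uint32 // validity window, Unix seconds
	TSEnd       uint32
}

// VerifyCert accepts raw only if the magic and cipher id are known, the
// signature verifies under the provider's public key (the client's sole
// trust anchor) and now lies inside the validity window.
func VerifyCert(raw []byte, providerPK ed25519.PublicKey, now time.Time) (*Cert, error) {
	if len(raw) < certMinLen || !bytes.Equal(raw[:4], certMagic) {
		return nil, errors.New("not a DNSCrypt certificate")
	}
	c := &Cert{ESVersion: binary.BigEndian.Uint16(raw[4:6])}
	if c.ESVersion != esXSalsa20Poly1305 && c.ESVersion != esXChaCha20Poly1305 {
		return nil, fmt.Errorf("unknown es-version 0x%04x", c.ESVersion)
	}
	// Verify before trusting any of the remaining fields.
	if !ed25519.Verify(providerPK, raw[72:], raw[8:72]) {
		return nil, errors.New("signature does not verify under provider key")
	}
	copy(c.ResolverPK[:], raw[72:104])
	copy(c.ClientMagic[:], raw[104:112])
	c.Serial = binary.BigEndian.Uint32(raw[112:116])
	c.TSStart = binary.BigEndian.Uint32(raw[116:120])
	c.TSEnd = binary.BigEndian.Uint32(raw[120:124])
	if t := uint32(now.Unix()); t < c.TSStart || t > c.TSEnd {
		return nil, fmt.Errorf("outside validity window %d..%d", c.TSStart, c.TSEnd)
	}
	return c, nil
}

// BuildCert is the hypothetical provider side: sign a new short-term resolver
// key with the long-term provider key. Used only to produce test material.
func BuildCert(sk ed25519.PrivateKey, es uint16, resolverPK [32]byte, magic [8]byte,
	serial, tsStart, tsEnd uint32) []byte {
	body := append(resolverPK[:], magic[:]...)
	for _, v := range []uint32{serial, tsStart, tsEnd} {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], v)
		body = append(body, b[:]...)
	}
	cert := append([]byte(nil), certMagic...)
	cert = append(cert, byte(es>>8), byte(es), 0, 0) // es-version, minor-version 0
	cert = append(cert, ed25519.Sign(sk, body)...)
	return append(cert, body...)
}

// Scenario runs a client against four certificates: genuine, tampered in
// transit, signed by the wrong key, and expired. Keys from fixed seeds, the
// resolver key bytes and the client magic are constructed values, not real.
func Scenario() (serial uint32, genuineOK, tamperedRej, wrongKeyRej, expiredRej bool) {
	providerSK := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	providerPK := providerSK.Public().(ed25519.PublicKey)
	now := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	start, end := uint32(now.Add(-time.Hour).Unix()), uint32(now.Add(24*time.Hour).Unix())
	var resolverPK [32]byte // stands in for the X25519 public half of a fresh pair
	copy(resolverPK[:], bytes.Repeat([]byte{0xAB}, 32))
	magic := [8]byte{'r', '6', 'f', 'n', 'v', 'W', 'j', '8'}

	genuine := BuildCert(providerSK, esXChaCha20Poly1305, resolverPK, magic, 1, start, end)
	if c, err := VerifyCert(genuine, providerPK, now); err == nil {
		genuineOK, serial = true, c.Serial
	}
	tampered := append([]byte(nil), genuine...)
	tampered[80] ^= 0x01 // flip one bit inside resolver-pk
	_, err := VerifyCert(tampered, providerPK, now)
	tamperedRej = err != nil
	otherSK := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	_, err = VerifyCert(BuildCert(otherSK, esXChaCha20Poly1305, resolverPK, magic, 2, start, end), providerPK, now)
	wrongKeyRej = err != nil
	_, err = VerifyCert(BuildCert(providerSK, esXChaCha20Poly1305, resolverPK, magic, 3, start-7200, start-3600), providerPK, now)
	expiredRej = err != nil
	return
}

func main() {
	serial, g, t, w, e := Scenario()
	fmt.Printf("genuine accepted=%v (serial %d); rejected: tampered=%v wrong-key=%v expired=%v\n", g, serial, t, w, e)
}
```

The order of checks matters: the signature is verified before any field behind it is used, so a forged certificate cannot steer the client toward an attacker-chosen cipher id, key or validity period. A real client additionally keeps the certificate with the highest serial among those that verify, so that a replayed older certificate cannot roll back a key rotation.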

Queries and responses are encrypted with the same construction and padded to a multiple of 64 bytes, so that packet sizes do not reveal what is being looked up. Over UDP, when a response would be larger than the query, the server can send a short reply with the TC (truncated) bit set; the client then retries over TCP and increases the padding of its subsequent queries so that later responses can fit in a UDP reply.
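An added example, not from the page or from any DNSCrypt implementation, of the padding and size rules described above, in Go: Pad and Unpad implement the 0x80-then-NUL padding to a multiple of 64 bytes (with the 256-byte minimum the v2 protocol sets for queries), PlanUDPResponse applies the resolver-side rule that a UDP reply may not exceed the padded query and otherwise returns a TC reply, and Exchange plays the client's UDP-then-TCP retry. The DNS messages are constructed samples, and raising the padding floor to the size of the answer just received is this example's policy, since the protocol text only says to increase padding.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const (
	padBlock    = 64  // padded lengths are multiples of this
	minQueryLen = 256 // minimum padded query length in DNSCrypt v2
)

// Pad appends DNSCrypt padding (one 0x80 byte, then NUL bytes) so the result
// is a multiple of 64 bytes and at least minLen bytes long.
func Pad(msg []byte, minLen int) []byte {
	target := (len(msg) + padBlock) / padBlock * padBlock // includes the marker byte
	if target < minLen {
		target = minLen
	}
	out := make([]byte, target)
	copy(out, msg)
	out[len(msg)] = 0x80
	return out
}

// Unpad strips that padding: trailing NULs are skipped and the byte before
// them must be the 0x80 marker, otherwise the message is malformed.
func Unpad(padded []byte) ([]byte, error) {
	i := len(padded) - 1
	for i >= 0 && padded[i] == 0 {
		i--
	}
	if i < 0 || padded[i] != 0x80 {
		return nil, errors.New("padding marker missing")
	}
	return padded[:i], nil
}

// questionLen measures the question section after the 12-byte header. A query
// name is never compressed (nothing precedes it), so labels are read literally.
func questionLen(msg []byte) (int, error) {
	i := 12
	for i < len(msg) && msg[i] != 0 {
		i += 1 + int(msg[i])
	}
	i += 1 + 4 // terminating label, QTYPE, QCLASS
	if i > len(msg) {
		return 0, errors.New("truncated question section")
	}
	return i - 12, nil
}

// PlanUDPResponse applies the anti-amplification rule: over UDP the resolver
// sends back no more bytes than the padded query it received. If the padded
// answer is larger, it returns a minimal reply (header with QR and TC set,
// plus the question) so the client retries over TCP.
func PlanUDPResponse(paddedQuery, answer []byte) ([]byte, bool, error) {
	full := Pad(answer, padBlock)
	if len(full) <= len(paddedQuery) {
		return full, false, nil
	}
	query, err := Unpad(paddedQuery)
	if err != nil {
		return nil, false, err
	}
	qlen, err := questionLen(query)
	if err != nil {
		return nil, false, err
	}
	tc := append([]byte(nil), query[:12+qlen]...)
	tc[2] |= 0x80 | 0x02 // QR=1, TC=1
	for i := 6; i < 12; i++ {
		tc[i] = 0 // ANCOUNT, NSCOUNT, ARCOUNT
	}
	return Pad(tc, padBlock), true, nil
}

// Exchange simulates one client lookup: pad to minLen, try UDP first, and on
// a TC reply retry over TCP (no size cap) and raise the padding floor to the
// answer size so later queries leave room for a UDP reply. Returns the reply,
// whether TCP was used, the new padding floor, and any error.
func Exchange(query, answer []byte, minLen int) ([]byte, bool, int, error) {
	reply, truncated, err := PlanUDPResponse(Pad(query, minLen), answer)
	if err != nil || !truncated {
		return reply, false, minLen, err
	}
	reply = Pad(answer, padBlock) // TCP path: same padded answer, no size cap
	if len(reply) > minLen {
		minLen = len(reply)
	}
	return reply, true, minLen, nil
}

// Constructed sample messages, not captured traffic: a TXT query for
// example.com (29 bytes) and a 624-byte response with one oversized record.
func sampleQuery() []byte {
	q := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, RD=1, QDCOUNT=1
	q = append(q, 7)
	q = append(q, "example"...)
	q = append(q, 3)
	q = append(q, "com"...)
	return append(q, 0, 0, 16, 0, 1) // root label, QTYPE=TXT, QCLASS=IN
}

func sampleAnswer(query []byte) []byte {
	a := append([]byte(nil), query...)
	a[2], a[7] = a[2]|0x80, 1 // QR=1, ANCOUNT=1
	rdata := bytes.Repeat([]byte{'x'}, 583)
	a = append(a, 0xC0, 0x0C, 0, 16, 0, 1, 0, 0, 0x0E, 0x10) // name ptr, TXT, IN, TTL 3600
	a = append(a, byte(len(rdata)>>8), byte(len(rdata)))
	return append(a, rdata...)
}

func main() {
	q := sampleQuery()
	a := sampleAnswer(q)
	reply, usedTCP, next, err := Exchange(q, a, minQueryLen)
	fmt.Printf("first lookup: %d-byte reply, usedTCP=%v, next padding floor=%d, err=%v\n", len(reply), usedTCP, next, err)
	reply, usedTCP, _, err = Exchange(q, a, next)
	fmt.Printf("second lookup: %d-byte reply, usedTCP=%v, err=%v\n", len(reply), usedTCP, err)
}
```

With the 29-byte sample query padded to 256 bytes, the 624-byte answer pads to 640 bytes and is refused over UDP; the client gets a 64-byte TC reply, fetches the full answer over TCP, and its next query is padded to 640 bytes, at which point the same answer fits in a single UDP reply. The padding itself is what makes this rule meaningful: the client, not the attacker spoofing its address, pays the bytes up front.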

The protocol uses X25519 for key exchange, Ed25519 signatures (EdDSA) for certificates, and XSalsa20-Poly1305 or XChaCha20-Poly1305 for authenticated encryption of queries and responses. As of 2023, no practical attacks on the protocol had been published.

Anonymized DNSCrypt, proposed in 2019, improves privacy further by routing the still-encrypted query through a relay: the relay forwards it to the resolver without being able to decrypt it, and the resolver sees the relay's IP address rather than the client's. Provided the relay and the resolver are not operated by the same party, neither one learns both who asked and what was asked. Deployment was quick, with around 40 relays set up within two weeks of the release.


This page was last edited on 3 February 2026, at 10:48 (CET).