DNSCrypt is a

network protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics and synchroniza ...

that authenticates and encrypts

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned t ...

(DNS) traffic between the user's computer and recursive

name server A name server refers to the server component of the Domain Name System (DNS), one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names (example ...

s. It was originally designed by Frank Denis and Yecheng Fu. Although multiple free and open source software implementations exist, the protocol was never proposed to the

Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

(IETF) by the way of a

Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...

(RFC). It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and Microsoft Windows. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks. The free and open source software implementation dnscrypt-proxy additionally integrates ODoH. It also mitigates UDP-based amplification attacks by requiring a question to be at least as large as the corresponding response. Thus, DNSCrypt helps to prevent DNS amplification attacks.

Deployment

Dnscrypt-proxy as systemd service screenshot

In addition to private deployments, the DNSCrypt protocol has been adopted by several public DNS resolvers, the vast majority being members of the OpenNIC network, as well as virtual private network (VPN) services.

OpenDNS OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbre ...

(now a part of

Cisco Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...

) announced the first public DNS service supporting DNSCrypt on 6 December 2011, shortly followed by CloudNS Australia. On 29 March 2016,

Yandex Yandex LLC (russian: link=no, Яндекс, p=ˈjandəks) is a Russian multinational technology company providing Internet-related products and services, including an Internet search engine, information services, e-commerce, transportation, map ...

announced support for the DNSCrypt protocol on their public DNS servers, as well as in

Yandex Browser Yandex Browser ( Russian: Яндекс.Браузер) is a freeware web browser developed by the Russian technology corporation Yandex that uses the Blink web browser engine and is based on the Chromium open source project. The browser checks w ...

. On 14 October 2016, AdGuard added DNSCrypt to their DNS filtering module so that users could move from their ISPs to custom or AdGuard's own DNS servers for online privacy and

ad blocking Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods. Technologies and native countermeasures ...

. On 10 September 2018, the Quad9 nonprofit public recursive resolver service announced support for DNSCrypt. Other servers that support secure protocol are mentioned in the DNSCrypt creators’ list.

Protocol

DNSCrypt can be used either over UDP or over TCP. In both cases, its default port is 443. Even though the protocol radically differs from

HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...

, both service types utilize the same

port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as H ...

. However, even though

DNS over HTTPS DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man- ...

and DNSCrypt are possible on the same port, they must still run separately on different servers. Two server applications cannot run simultaneously on the same server if both utilize the same port for communication; though a multiplexing approach is theoretically possible. Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider. This public key is used to verify a set of certificates, retrieved using conventional DNS queries. These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key for every query, while servers are encouraged to rotate short-term key pairs every 24 hours. The DNSCrypt protocol can also be used for access control or accounting, by accepting only a predefined set of public keys. This can be used by commercial DNS services to identify customers without having to rely on IP addresses. Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes. Over UDP, when a response would be larger than the question leading to it, a server can respond with a short packet whose TC (truncated) bit has been set. The client should then retry using TCP and increase the padding of subsequent queries. Versions 1 and 2 of the protocol use the X25519 algorithm for key exchange, EdDSA for signatures, as well as XSalsa20-Poly1305 or XChaCha20-Poly1305 for authenticated encryption. As of 2020, there are no known vulnerabilities in the DNSCrypt protocol nor practical attacks against its underlying cryptographic constructions.

Anonymized DNSCrypt

Anonymized DNSCrypt is a protocol extension proposed in 2019 to further improve DNS privacy. Instead of directly responding to clients, a resolver can act as a transparent proxy to another resolver, hiding the real client IP to the latter. Anonymized DNSCrypt is a lightweight alternative to Tor and SOCKS proxies, specifically designed for DNS traffic. Deployment of Anonymized DNSCrypt started in October 2019, and the protocol adoption was fast, with 40 DNS relays being set up only two weeks after the public availability of client and server implementations.

References

External links

*
DNSCrypt protocol specification
{{Internet censorship circumvention technologies Domain Name System Internet protocols

Deployment

Protocol

Anonymized DNSCrypt

See also

References

External links