DNSCrypt explained – it won’t replace a VPN!

DNSCrypt is a protocol for securing a single hop during a DNS lookup. It allows you to authenticate that the packet you received from the DNS server you connected to is the one that it actually sent, and it also encrypts the traffic over that single hop. Sadly, there are several people spreading false facts about DNSCrypt.

Some router firmware even supports DNSCrypt directly

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn’t prevent “DNS leaks”, or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks website hosts.

– DNSCrypt page

For all the attention that HTTPS gets, I’m amazed how little (relatively speaking) attention plaintext DNS gets. Let’s check it!

What it is

  • Your ISP and government can no longer see the content of your DNS requests or responses on the hop between you and the resolver – but it doesn’t provide end-to-end security.
  • The third party running the DNSCrypt-enabled DNS server can now see your requests instead.
  • Your ISP and government can still see what you’re doing anyway – they can still see which websites you’re visiting. Even if you’re on HTTPS, your browser sends the website hostname in plain text in the TLS handshake (SNI). And they can still see/log all of the IP addresses and ports you’re connecting to.

Sounds bad? Nope!

Before someone says that this is all bad: it is, but there are also some good things when it comes to DNSCrypt.

  • DNSCrypt can be used either over UDP or over TCP.
  • It doesn’t rely on trusted certificate authorities; instead it explicitly trusts the public signing key of the chosen provider.
  • DNSSEC and DNSCrypt can be combined; they work together without problems.
  • Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes.
  • Transparency – the source code is hosted on GitHub, like all clients and extensions.
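To make the two lists above concrete, here is an added Python example (written for this article, not code from the DNSCrypt project). It builds a plaintext DNS query in standard wire format, shows what an on-path observer such as an ISP can read out of it, and then applies the DNSCrypt padding rule (append 0x80, then NUL bytes up to a multiple of 64) so that two very different hostnames end up with the same on-the-wire length before encryption. The 256-byte minimum for client queries comes from the DNSCrypt specification; the hostnames and transaction id are constructed sample values, and the encryption step itself is left out.

```python
import struct

DNSCRYPT_BLOCK = 64      # padded length must be a multiple of this
DNSCRYPT_MIN_QUERY = 256 # minimum padded length for client queries (per the spec)


def build_query(hostname, qtype=1, txid=0x1234):
    """Build a plain, unencrypted DNS query (RFC 1035 wire format, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def observed_name(packet):
    """What a passive observer sees: the QNAME read straight out of the packet."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def pad(msg, block=DNSCRYPT_BLOCK, minimum=0):
    """ISO/IEC 7816-4 style padding as DNSCrypt uses it:
    a single 0x80 byte, then NUL bytes until the length is a multiple of
    `block` and at least `minimum`."""
    padded = msg + b"\x80"
    target = max(minimum, -(-len(padded) // block) * block)  # ceil to block
    return padded + b"\x00" * (target - len(padded))


def unpad(padded):
    """Reverse of pad(): strip trailing NULs, then the mandatory 0x80 marker."""
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("invalid DNSCrypt padding")
    return stripped[:-1]


def padded_lengths(hostnames, minimum=DNSCRYPT_MIN_QUERY):
    """Distinct on-the-wire lengths a set of queries would have after padding."""
    return sorted({len(pad(build_query(h), minimum=minimum)) for h in hostnames})


if __name__ == "__main__":
    # Constructed sample hostnames, not real traffic.
    names = ["a.example", "some-much-longer-host.example.org"]
    for name in names:
        q = build_query(name)
        print(f"plaintext query for {name!r}: {len(q)} bytes, observer reads {observed_name(q)!r}")
    print("padded query lengths:", padded_lengths(names))  # one value for both names
```

Without padding, the 27- and 51-byte queries would reveal which hostname was asked for even through encryption; after padding both are exactly 256 bytes on the wire.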

There are a couple of reasons why an everyday user might want to encrypt their DNS. First, if you think you’ve been secure and you’ve still gotten security alerts or warnings from your ISP or struggled with hacks or phishing attempts, it’s possible that your security tools aren’t as airtight as they claim to be. For example, many VPN providers promise end-to-end security, but “leak” DNS requests left and right. Second, DNS snooping and poorly configured DNS servers have become popular attack vectors recently, as a way to spy on people or companies and collect sensitive data.

In the same way that SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don’t work in the security world, however, so we’ve opened up the source to our DNSCrypt code base and it’s available on GitHub.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.

– OpenDNS statement

Alternative Options

  • DNS over TLS is still new, but it’s coming!
  • CurveDNS – In my own opinion authoritative nameservers, and therefore DNSCurve forwarders like CurveDNS, are more important than recursive resolvers/caches such as OpenDNS and DNSCrypt.
  • Encrypted SNI with TLS 1.3, which would close the hostname leak in the TLS handshake and let DNSCrypt be used more effectively.

Installing DNSCrypt on your host/network does not increase your privacy.

Better to use Tor or a VPN; using DNSCrypt alone just increases the number of parties that can see what you’re doing. To be fair, encrypting your DNS is a level of security that many people may not need to aspire to. However, if you do regularly work with sensitive material, work remotely and need to make sure all of your traffic is secure, or travel to places where you may be snooped on, encrypting your DNS is a good idea, especially if you don’t have any access to a VPN.
