dnscrypt.ca ... Free Canadian based encrypted DNS service with DNSSEC validation for your pleasure.

NOTICE: dnscrypt.ca has NEVER forwarded queries to Quad9 or any other upstream resolver.


Last check: 2018-05-22 at 05:30 Eastern time. If you think any or all of the servers are experiencing problems, feel free to contact me to let me know.

Server: dnscrypt.ca-1 dnscrypt.ca-2
Status: Online Online
Location: Montreal, PQ Montreal, PQ
Free: Yes Yes
Recursive: Yes Yes
Uncensored: Yes Yes
Query Logs: None None
FQDN: dns1.dnscrypt.ca dns2.dnscrypt.ca
IPv6/Port: None Yet [2605:2100:0:1::b5ad:18e2]:5353
Provider Name: 2.dnscrypt-cert.dnscrypt.ca-1 2.dnscrypt-cert.dnscrypt.ca-2
Provider Key: Hover Lookup Hover Lookup


I have no corporate affiliation, and I have nothing to do with the development of the dnscrypt or Unbound software. I am just some retired infrastructure guy who has strong opinions about privacy and security. I use these dnscrypt'ed servers for my own name resolution and pay for the server resources myself. I hope that one day my costs will be offset by some kind of cash or VPS donations, but for now it is all me.


When you use Internet services, you almost certainly need to do a DNS lookup. For example, when you open the dnscrypt.ca web page, your computer [or device] needs to convert the name dnscrypt.ca in to the IP address in order to connect to it. DNS is what does the conversion for you. Unfortunately, DNS is almost always unencrypted, and as a result it might be possible for someone to know what DNS names you are requesting. DNSCrypt is a way to encrypt your DNS queries, hiding them from prying eyes.

DNSSEC is a feature of DNS that allows domain owners to sign their DNS records with digital certificates. When you do a DNS lookup your DNS server will check the signature to make sure it matches. If it does not match, the query fails and you are unable to access the service. For this to work your DNS server must support DNSSEC and domain owners must start signing their records. Neither of these things is really widespread yet, but it seems to be gaining in popularity. Here is a web site you can use to check whether or not your current DNS resolver is validating DNSSEC signatures.

If a domain owner is signing their DNS records with DNSSEC, they can also include a TLSA record which specifies the SSL/TLS certificate you should be using when browsing their web site (or accessing their other services). It is possible for some nasty ISPs or corporate networks to intercept your connection to a secure web site and essentially impersonate it transparently. This would give them the ability to read all of the traffic, even when you see a cute little lock icon in your browser. Unfortunately, TLSA is used even less than DNSSEC, and the only way I know of to verify TLSA [on the fly] is to use the cz.nic Labs plugin for Firefox. They also make a plugin for Chrome, but I can't tell if it supports TLSA validation (perhaps some Chrome user could tell me whether it does or not).


I don't record/log the queries that get sent to these servers. I don't know how many people are using the servers, when they are using them, what names they are querying for, or what IP addresses they are querying from. If I were asked for records of any kind, I simply wouldn't have anything I could provide. In fact, I would rather just turn off the servers permanently than provide information like that. I have some minimal information that comes from the SolusVM control panel for my VPS's and the counters inside Unbound, but all it can tell me is general stats and so everyone's queries are just a big anonymized bunch.

If you wish to encrypt your DNS entries it is important to note that SNI and plain http traffic could still be giving away some info. It is also important to note that DNSCrypt is not the only way to encrypt your traffic. Do your homework, and if you decide that DNSCrypt is for you then go on and get connected eh.