dnscrypt.ca ... encrypted public resolvers.

home · news · more info · contact


Almost all internet traffic begins with at least one DNS query. DNS is the service that converts names like dnscrypt.ca in to IP addresses like The bad news is that DNS was designed without security, or privacy of any kind. The good news is that dnscrypt and DNSSEC can provide security and privacy for DNS. The bad news is that in order to take advantage of dnscrypt and DNSSEC you probably have to install software, configure it, fiddle with your DNS settings, and probably learn something along the way.

My Adventure

When I first found dnscrypt, I was thrilled to try it out. I connected to one of the free public resolvers and I was happily encrypting my queries. Then the service went down for some reason. It could have been a problem with the keys, a hardware failure, or even just a simple reboot. Whatever the problem was, my name resolution was dead and I had to revert to my ISP's DNS servers to get things working again. I didn't want to give up that easy, so I tried a different public resolver, which at some point had trouble resolving one of my own domain names for some reason. Again, I was back to my ISP's DNS servers. I really like the idea of proper DNS privacy, so I decided to make my own dnscrypt server.

I got a VPS, setup the dnscrypt-wrapper, setup Unbound as a recursive resolver, and put the dnscrypt-proxy on my home box. It was workin' pretty nice, for a while... then my VPS went down. I was irritated but I was able to get it running reasonably quickly on a different VPS. Which lasted a couple of weeks before it went down. At this point I was pretty disappointed but not quite ready to quit. Now I have the dnscrypt-wrapper running on two VPS's in two separate Canadian datacenters, and using a stub resolver it is possible to use both. The likelihood that both will be down at the same time is pretty low.

Hook Me Up

Whoa! Slow down Tex... I am still testing to make sure that this will be stable enough. I'm also testing a couple of alternative configs that will allow users to choose between entirely uncensored service or service that has some sites (malware/ads/etc) blocked. For now, if you really want to try it out you can use the information provided below to connect to my primary server, or you may check out the dnscrypt.org web site and find a resolver that suits your needs. Unfortunately, once you rule out dnscrypt providers who log queries or who do not provide DNSSEC validation there are really only about 8 providers left... none of whom are in Canada. It looks like d0wn.biz had one in Canada but it is currently down. I'll continue work on my testing, and will provide some instructions on keeping dnscrypt stable once I am confident in the stability of my setup.

  • IP Address:
  • Provider Name: 2.dnscrypt-cert.dnscrypt.ca
  • Provider Key: 7158:1E50:DCDF:64A3:F913:DB11:38A9:8C19:E722:4A8A:B86B:E631:C400:278E:79BA:4A38

After downloading the DNSCrypt proxy, you would connect with a command like this (all on one line of course):

dnscrypt-proxy --local-address=

This essentially sets up a listener on (your local machine) that will forward DNS queries to my server ( which is named 2.dnscrypt-cert.dnscrypt.ca, and checks to make sure it uses the correct key. If you monitor the output of the proxy you should notice that every six hours it will download the new query keys. Now all you have to do is tell your operating system to use as your DNS server and all your queries will go through the proxy. Check out the "more info" page if you'd like to see how to use the proxy in combination with dnsmasq to force all your network devices to go through the encrypted proxy.

Javascript-free, cookie-free, TLS encrypted, DNSSEC signed, and TLSA signed for your pleasure.