dnscrypt.ca ... Free Canadian-based encrypted DNS service with DNSSEC validation for your pleasure.

NOTICE: If you haven't been keeping up on your DNSCrypt news, you should really click on news at the left there.


Last check: 2018-01-16 at 10:30 Eastern time. If you think any or all of the servers are experiencing problems, feel free to contact me to let me know.

Server:         dnscrypt.ca-1                  dnscrypt.ca-2                  dnscrypt.ca-3
Status:         Server #1 Online               Server #2 Online               Server #3 Online
Location:       Montreal                       Montreal                       Ottawa
Free:           Yes                            Yes                            Yes
DNSSEC:         Yes                            Yes                            Yes
Recursive:      Yes                            Yes                            Yes
Uncensored:     Yes                            Yes                            Yes
Query Logs:     None                           None                           None
FQDN:           dns1.dnscrypt.ca               dns2.dnscrypt.ca               dns3.dnscrypt.ca
Provider Name:  2.dnscrypt-cert.dnscrypt.ca-1  2.dnscrypt-cert.dnscrypt.ca-2  2.dnscrypt-cert.dnscrypt.ca-3
Provider Key:   Hover Lookup                   Hover Lookup                   Hover Lookup


I have no corporate affiliation, and I have nothing to do with the development of the dnscrypt or Unbound software. I am just some retired infrastructure guy who has strong opinions about privacy and security. I use these dnscrypt'ed servers for my own name resolution and pay for the server resources myself. I hope that one day my costs will be offset by some kind of cash or VPS donations, but for now it is all me.

Unbound and DNSCrypt

Unbound is an application that resolves names into IP addresses. There is nothing special about the version of Unbound that I use; it is the one that comes with Debian Jessie. Unbound is similar in function to the DNS software that Google or your ISP uses to provide DNS services. One problem with conventional DNS server software (including Unbound) is that it typically does not encrypt the queries or the responses. DNSCrypt is a small application that can be used to encrypt your DNS traffic so that it can't be read by someone who may have the ability to capture the traffic between you and your DNS server.

One of the features that Unbound can support is DNSSEC, which helps to ensure that you are really being provided with the correct IP addresses for your queries. The idea is that domain owners can use a digital certificate to "sign" their DNS records, and Unbound can verify those signatures. If the signature does not match (or does not exist) then Unbound assumes it is a forgery and it replies by telling your computer that the domain does not exist. I believe that DNSSEC is helpful and provides added security, but it is not very widely used and support for deploying it (especially within the .ca namespace) is poor at best. The dnscrypt.ca servers do DNSSEC validation, and here is a place you can check to see if your current DNS resolver is validating DNSSEC signatures.
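One way to run that check yourself, as an added example that is not part of the original page or of the Unbound or DNSCrypt projects: send a query with the EDNS0 "DNSSEC OK" bit set, then compare the reply for a correctly signed name with the reply for a deliberately mis-signed one. The function names are hypothetical, the two test names are left for you to choose, and the sample replies are constructed rather than captured.

```python
import socket
import struct

AD = 0x0020  # "Authenticated Data" bit in the DNS header flags
DO = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT pseudo-record

def build_query(name, qid=0x1234, qtype=1):
    """A query for `name` with RD set and an EDNS0 OPT record carrying DO."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT: root owner, type 41, class = UDP size, TTL = ext-rcode|version|flags, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Return the fields of the 12-byte DNS header that matter for this check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "ad": bool(flags & AD), "rcode": flags & 0x000F, "answers": ancount}

def ask(server, name, timeout=3.0):
    """Send the query to `server` over plain UDP port 53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def verdict(signed_reply, broken_reply):
    """Compare replies for a correctly signed name and a deliberately mis-signed one."""
    good, bad = parse_header(signed_reply), parse_header(broken_reply)
    rejected = bad["rcode"] != 0 or bad["answers"] == 0
    if not rejected:
        return "not validating"   # the mis-signed answer was passed straight through
    if good["rcode"] == 0 and good["answers"] > 0 and good["ad"]:
        return "validating"
    return "inconclusive"         # e.g. AD stripped on the path, or the name is down

def sample_reply(flags, ancount):
    """Constructed header-only reply, used here instead of live traffic."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 1)

if __name__ == "__main__":
    # Constructed case: AD set on the signed name, error rcode on the broken one.
    print(verdict(sample_reply(0x81A0, 1), sample_reply(0x8182, 0)))
```

For a live check, pass `verdict` the results of `ask(resolver_ip, signed_name)` and `ask(resolver_ip, broken_name)`, where the resolver address and both names are ones you supply.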

If a domain owner is signing their DNS records with DNSSEC, they can also include a TLSA record which specifies the SSL/TLS certificate you should be using when browsing their web site (or accessing their other services). It is possible for some nasty ISPs or corporate networks to intercept your connection to a secure web site and essentially impersonate it transparently. This would give them the ability to read all of the traffic, even though you see a cute little lock icon in your browser. Unfortunately, TLSA is used even less than DNSSEC, and the only way I know of to verify TLSA [on the fly] is to use the cz.nic Labs plugin for Firefox. They also make a plugin for Chrome, but I can't tell if it supports TLSA validation (perhaps some Chrome user could tell me whether it does or not).


First off, it should be clear that I don't record/log the queries that get sent to these servers. As a result, I have no idea how many people are using them, when they are using them, or what IP addresses they are querying from. If I were asked for a record of the DNS queries that have come from a particular person or IP address I simply wouldn't have anything I could provide. In fact, I would rather just turn off the servers permanently than provide information like that. I should also note that there are a number of dnscrypt providers, and you should look at the list of public resolvers carefully and choose the one(s) best suited to you.

Having said that, if you wish to use any dnscrypt provider(s), I think it is a good idea to use at least two resolvers (see the about page for why). The basic dnscrypt-proxy does not support multiple resolvers, and I hope to provide instructions on how best to accommodate this under the links at the left over there. If you have any questions, or can help provide multiple-resolver instructions please use the contact page to let me know. The first two dnscrypt.ca servers are running on virtual private servers that I rent from openvz.ca (which is owned by media-hosts.com). The third server is on a residential DSL connection from Teksavvy. I don't have any affiliation with OpenVZ.ca or Teksavvy other than the fact that I rent resources from them.