dnscrypt.ca ... Free Canadian based encrypted DNS service with DNSSEC validation for your pleasure.


It seems the dnscrypt-proxy project has been archived and is now read-only. The public resolver list currently can not be updated and I am concerned about the future of the project. I have opened an issue here on my fork and on the dnscrypt-wrapper project in hopes that people will come and discuss the future of dnscrypt-proxy.


I cleaned up the web site a little today to put all the "connect" items on one page. It made more sense seeing as how I don't really have any content for Mac, mobile, and router connectivity. Hopefully it is a little cleaner now. :-)


The VPS that hosts the web site went down this morning somewhere between 8am and 9am Eastern time. It was brought back up at 12:30pm. The DNS servers are not hosted on the same infrastructure and were unaffected.


Today I added a new server to the collection. I have been testing it for a week or so and it has been performing better than I had anticipated. It is actually a Raspberry Pi Model B and it runs on less than 5W of power. At first I was concerned about the limited hardware being able to keep up, but clearly it is enough to run Pi-Hole, so it should be plenty capable of running DNSCrypt. Go on, try it out, I bet you'll be surprised at how well it performs.

I also added TXT records to DNS for the provider keys on all three servers. This is a fancy way of ensuring that you are connecting to the correct server, though I am not sure very many people check them. Now go update your public resolver list and get resolving! :-)


I had a writeup of my dnscrypt-wrapper install procedure on my other web site that was geared towards plain old Debian Jessie which I have now updated to match my recent setup on a Raspberry Pi running Raspbian. I am actually hoping to set up a third dnscrypt.ca server on a rpi. So far the tests are pretty good, and the performance is better than I expected. If it is successful I'll have more available bandwidth than the VPS servers but I want to make sure there won't be downtime problems first. Check out the instructions here eh.


There is a new section over there in the navigation list called "junkblocking". There you'll find a script that can be used to download and keep updated a bunch of blocker files that I use. The ad_hosts file is my personal list that I use to block stuff not found in the other lists. It is pretty aggressive and includes some phone home and junkware sites that some people may consider legitimate. Feel free to use it, feel free to offer suggestions for changes, but don't be disappointed if I don't agree. :-)

PS: If you have any suggestions for the script feel free to let me know eh.


This morning the web site was down for anyone using DNSSEC validating resolvers. I thought I had set up the RRSIG expiry time to be much longer than the default 30 days, but obviously had not. I just had to re-sign the zone and it was back to normal. The resolvers were completely unaffected by this and only people trying to access the web site (with a DNSSEC validating resolver) in the last few hours would have had any trouble. Totally my bad.
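A check that catches this failure before validating resolvers start rejecting the zone, as an added example (not the site's own script): it parses `dig +dnssec` answer output and flags RRSIGs that are expired or close to expiry. The sample output, domain, key tag and signature data are constructed, and the 7-day warning threshold is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample of `dig +dnssec +noall +answer` output; the domain,
# key tag and signature data are made up for illustration.
SAMPLE_DIG_OUTPUT = """\
example.org.  3600 IN A     192.0.2.10
example.org.  3600 IN RRSIG A 8 2 3600 20170410120000 20170311120000 12345 example.org. c2FtcGxlLXNpZw==
example.org.  3600 IN RRSIG MX 8 2 3600 20170601120000 20170311120000 12345 example.org. c2FtcGxlLXNpZw==
"""


def _parse_ts(field):
    # dig prints RRSIG expiration/inception as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_expiries(dig_text):
    """Yield (owner, type_covered, expiration) for each RRSIG record line."""
    for line in dig_text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels orig_ttl expiration inception ...
        if len(f) >= 10 and f[3] == "RRSIG" and not line.startswith(";"):
            yield f[0], f[4], _parse_ts(f[8])


def expiring_signatures(dig_text, now, warn_days=7):
    """Return signatures already expired or expiring within warn_days, soonest first."""
    hits = []
    for owner, covered, expires in rrsig_expiries(dig_text):
        days_left = (expires - now).total_seconds() / 86400
        if days_left < warn_days:
            status = "EXPIRED" if days_left < 0 else "EXPIRING"
            hits.append((owner, covered, status, round(days_left, 1)))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    # Constructed "now" so the sample is reproducible; use
    # datetime.now(timezone.utc) when run from cron against live dig output.
    now = datetime(2017, 4, 8, 12, 0, 0, tzinfo=timezone.utc)
    for hit in expiring_signatures(SAMPLE_DIG_OUTPUT, now):
        print(*hit)
```

Run from cron against the live zone's `dig +dnssec` output, any non-empty result is the cue to re-sign before the signatures lapse.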


Today I got an email notification from my web server telling me that dnscrypt.ca-1 was down. The web server actually runs a pair of dnscrypt-proxy connections and every fifteen minutes it checks that it can dig from both servers. If it can't contact either server it will automatically change the green bars on the dnscrypt.ca home page to red and email me about it. Today's email notification told me that server #1 was down (around 5:15pm EST), but when I checked it was running fine. I manually changed the bar back to green and as far as I can tell the server had not gone down at all. If anyone experienced any issues today connecting to server #1, please use the contact page to let me know.


I made some updates to the web site tonight, including a few minor spelling and grammatical mistakes. More importantly, I added a bit to the status section of the main page that shows the details of each server (mostly thanks to sergeevabc's suggestion found here). Most importantly, it looks as though there is going to be complete bandwidth forgiveness and the servers can continue to run right where they are. Currently it looks as though server #1 will be at about 250% of its monthly allotment, while server #2 will be at about 150%. Thanks Media-Hosts for being cool about that.


This morning I woke up to find that my script had marked both servers as being down on the home page. Turns out they were not down, but that the screwing around I had done last night had disconnected the web server from them. No worries, business as usual. :-)


Well, a lot has happened in the last few days. Here's a bit of a list:


The dnscrypt.ca servers have been listed in the public resolver list for nine days now, and it looks like lots of people are using them. More than I expected actually. Because there is no logging I can't see who is using them, or what they are querying, but I can see the bandwidth stats in the control panel of my VPS's. So far "server one" seems to have the best performance and is already out past 3GB of traffic. The traffic per day also seems to still be on the rise. At this rate I am pretty sure it will easily break the 10GB per month limit on the VPS during October. As a result, I am planning to relocate the servers to new locations. This will hopefully:

I am also hoping at some point to add ipv6 support and [of course] more documentation on using multiple resolvers.


Made some fairly significant updates to the web site today. I'm hoping it'll be a bit easier to read both from a style perspective and a language perspective. I've been fighting with the domain registration and am hoping DNSSEC and TLSA will be more reasonable at a different registrar.


So far I have been pretty happy with the OpenVZ.ca virtual private server. In preparation for possibly adding myself to the list of public resolvers there was some downtime this morning on the IntegralHost server, while I reinstalled it. I had messed with the upgrade to Stretch at some point and wanted to revert back to stock Jessie so both servers would be the same. The website was down too, though I don't think it is getting much traffic yet, so I doubt anybody noticed. :-)


I have been testing an OpenVZ.ca VPS and am reasonably impressed. I also dropped DNSSEC and TLSA from the dnscrypt.ca domain since DNSSEC validation is minimal and TLSA validation is almost completely non-existent. I have transferred the domain to a new registrar, and will be moving my DNS to Hurricane Electric, so I can remove BIND9 from the servers and free up resources for dnscrypt. I also renewed the letsencrypt cert for the web site. Almost like starting over really. I'm optimistic about adding myself to the list of public resolvers, but I've said that before right?


Changed the web site to say that I am not ready to present this as a production service. I am looking for another VPS and am doing some testing to ensure that the service won't suck before adding it to the public resolvers list. It is possible to manually connect to my primary server right now, but only via the long command line with all the required parameters on it.


I'm feelin' pretty disappointed. After the CloudAtCost failure, I moved dnscrypt.ca to IntegralHost... and, you guessed it, the VPS went down less than two weeks later. I couldn't open a support ticket via their web site so I emailed their support email address and the reply was that "There was a power issue at the facility, which caused the issue." Man, I just want a VPS that runs all the time. I'm not gonna add myself to the public list of resolvers until I can find something much better.


Well, on Friday night the server went down and it stayed down all weekend. The support was awful, and I am brutally disappointed. The web site and dnscrypt services have been relocated to a VPS on IntegralHost, and all seems to be running well. The bad news is that the old server (which came back up this morning at like 7:30am) is certainly the fastest VPS-based resolver I can find. IntegralHost is not bad, but the old server was better. I'll keep looking for a new home for dnscrypt.ca, but for now, this is working just fine. Note the updated connection info at the bottom of the main page.


Last night I tried to access dnscrypt.ca on a Blackberry phone but couldn't access it at all... because Blackberries (a) do not accept letsencrypt certs by default, and (b) don't have an easy way to make an exception on a per-site basis. It is possible to download the letsencrypt CA certs and manually add them to the device, but it would have to be done from a separate computer since a Blackberry can't access the download site. There seem to be people who say that letsencrypt is crappy because it is free. That somehow it is less desirable than pay-certs. This is crap.

The job of a cert is to provide trust in the privacy of the communication between client and server, not to provide trust in the owner of the site. Just because a big bank has the funds to buy certs, doesn't mean they are any more trustworthy than the owner of a site about fart jokes. The job of DNSSEC is to provide trust in the fact that you are accessing the correct IP address, and the job of TLSA is to provide trust that you are using the correct cert. Big CA organizations that charge lots of money for their certs do not make any assertions about the values or intentions of the people buying them. If you blindly assume that a lock in your URL bar that comes from a big CA means you are in good hands, you are doing something wrong.


So...DNSSEC is where a domain owner sets up a set of keys and a bunch of extra DNS records that basically let a resolver (and the people querying it) know that the responses are really the correct ones. It means that when you resolve dnscrypt.ca to, you know you are not being sent to a DNS-poisoned incorrect address. On top of DNSSEC, domain owners can also add TLSA records which tell queriers that they are using the correct TLS certificate when they access that domain's services. I guess there is a fair bit of technical crap, but this Cloudflare article makes it a little easier to understand. In short, it is public key signing for DNS records and TLS certificates.

I had a hell of a time setting this up for dnscrypt.ca this week. I started by registering the domain name with a new registrar because the one I have used for years apparently doesn't support DNSSEC. This new registrar has "Fully supports DNSSEC" on their web site, but as it turns out, their DNS Manager doesn't allow users to manage any of the DNSSEC related records. I opened a support ticket and was told the entries could be made manually via support ticket. I was back and forth a bit with them and ultimately ended up making my own [DNSSEC supporting] BIND servers and asking them just to make the DS record for me (that's the one only registrars have permission to create).

Along the way I tried to contact around a dozen registrars, many of whom did not even reply to my question, and some of whom told me they do not support DNSSEC (even though they are listed on CIRA's web site as having DNSSEC support). I even sent CIRA a message asking why they haven't been pushing for better DNSSEC support even though their site says:

Domain Name Security Extensions (DNSSEC) is a critical upgrade to the security of the Internet by protecting users against attacks such as those listed above.
In 2014 CIRA implemented DNSSEC capability in the Registry and worldwide there has been a significant push for the implementation of the DNSSEC.

They have had all week and have elected not to reply at all.

Ultimately, I am pretty disappointed with CIRA for their less-than-stellar efforts on the DNSSEC front. I am glad I finally got it going though, and anyone who has DNSSEC/TLSA validating browsers or plugins should see this site as having both signed. I personally like SeaMonkey and am hoping the .cz folks will update their plugin to work with it.


Today I bought the domain and started setting up the web site. I have had the resolver service running for a week or so now, it seems quite stable, and the keys are rotating as expected. I haven't had any hiccups, so I thought it was time to take the next step. I'll start by having some friends and family use it, hopefully performance will be even better as a result of increased cache hits. If it continues to go well I will consider adding dnscrypt.ca to the list of public resolvers.