dnscrypt.ca ... Free Canadian-based encrypted DNS service with DNSSEC validation for your pleasure.


If you prefer you can simply follow the RSS feed.


I dropped TLSv1.0 and TLSv1.1 from the web server tonight. Seriously, if you are concerned enough about security to be using encrypted DNS servers then you should be concerned enough to use a browser that is capable of using modern encryption too. Don't get me wrong, finding a decent browser is a nightmare, but using Dillo ain't the answer.

In case there is any question... the resolvers are completely unaffected by this change.


I got some automated notifications today that dnscrypt.ca-1 was down for an hour or so around 5pm Eastern time. I also noticed that there was a bunch of traffic to the web site during that time. Sorry folks! I might see if I can write a small script that checks/restarts all three listeners, and cron it every minute.


I do not yet know why, but server #1 seems to have rebooted a few minutes ago. Everything should be back up and running right now.


The DoH services are now live and have been added to the public resolver list. The privacy policy now also refers to DoH client connections and had a couple of minor wording changes. The meaning of the privacy policy content has not changed in any significant way.


I am testing this DoH server implementation and it is currently functional on IPv4 and IPv6 on both servers. It is basically just another listener that will use the same Unbound recursive service that the DNSCrypt service uses. If the testing goes well I will hopefully add the new sdns stamps next week. If anyone actually prefers DoH I would love to hear about why you do, and which servers you are using right now.


There will be an emergency reboot of the host that server #1 lives on at 2pm Eastern time today. The downtime should be just a few minutes.


ULayer was kind enough to get dnscrypt.ca server #2 onto a different server in a different building, which should help improve the fault tolerance of dnscrypt.ca. The public resolver list was updated last week and all clients should have migrated over by now (by default dnscrypt-proxy updates its list every 72 hours). Anyone still using the old server needs to update to the new IP address.


There was a short outage tonight for a host reboot, it didn't last long and both servers should be available again.


Added my XMPP account (and OTR/OMEMO fingerprints) to the contact page.


With the servers now hosted at ULayer my costs are approximately CDN$80 per year. This also includes obvious things like the domain name and less obvious things like electricity to run the web server. 2019 is actually a fair bit more expensive than $80 because of the billing problems I had with Media-Hosts.com but it shouldn't be an issue going forward.

I'd like to thank Nick for his generous donation of $20 today, it is truly appreciated!


I added a privacy policy today because I am hoping to add dnscrypt.ca to the Wikipedia page for Public Recursive Name Servers, and so people will have a clear understanding of what I know about them.


I shut down the old servers today. Until now they have been sort of running on autopilot just in case there was anyone still running the old client or directly connecting via a static entry in the new client. Hopefully everyone has had a chance to point their clients at the new servers by now.
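The client-side pieces behind the two notes above (the 72-hour list refresh mentioned for the server #2 move, and the "static entry" that can keep pointing at a shut-down server), as an added dnscrypt-proxy.toml fragment. This is not the dnscrypt.ca author's configuration. The list URLs and minisign key are the upstream defaults from the example-dnscrypt-proxy.toml that ships with dnscrypt-proxy 2.x (verify them against your own copy); the stamp in the static block is a placeholder, not a real dnscrypt.ca stamp.

```toml
# Which resolvers from the downloaded list to use (names as they appear in the list).
server_names = ['dnscrypt.ca-1', 'dnscrypt.ca-2']

[sources]
  [sources.'public-resolvers']
  # Upstream defaults as shipped in example-dnscrypt-proxy.toml; check your version's copy.
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
          'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFTHC8'
  # Hours between list refreshes. 72 is the default: a resolver that moves to a
  # new IP address is picked up at the next refresh with no action by the user.
  refresh_delay = 72
  prefix = ''

# A static entry pins one stamp (address, provider name, provider public key)
# and is never updated from the list, so after a server move it keeps pointing
# at the old address until you edit it by hand. Keep one only if you need it.
#[static]
#  [static.'dnscrypt.ca-1']
#  stamp = 'sdns://PLACEHOLDER-copy-the-real-stamp-from-the-resolver-list'
```

The practical check after an announced server move: if you have a `[static]` entry, `dnscrypt-proxy -list` still shows the name, so compare the stamp against the current public resolver list rather than trusting that the name is enough.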


I have been testing the servers at ULayer.net and they seem to be working well. Both the IPv4 and IPv6 services are back up and running now. So I made a request to have them added to the public resolver list and they were added right away.


OpenVZ.ca/Media-Hosts.com was a miserable failure, I had to shut the servers down this morning. I am hopeful that they'll be back soon.


Five business days have passed since I opened my support ticket with openvz.ca/media-hosts.com and I have still not received a reply. QuickClickHosting doesn't seem to be much better. I am currently examining other hosting options but it looks like it'll cost me more.


Still no answer from media-hosts, the VPS at quickclickhosting was finally authorized but the name and password for the control panel are not working, and lastly the entries for the servers were removed from the public resolver list. If I can work out an agreement then I'll have them added back. If hosting companies continue to fail me, I don't know what I'll do. :-(


I still have not heard from the billing department at openvz.ca/media-hosts.com. I sent another reply today asking for someone to answer me but I am concerned that maybe there is nobody there anymore. I even tried to buy a VPS from another provider... so far it has been two days and they haven't even authorized the VPS yet. I also opened an issue on the dnscrypt-proxy GitHub page asking for all four dnscrypt.ca entries to be removed (in order to minimize possible downtime for users), but the only reply I have received is a request for help from a user who wants to set up their own server. WTF is going on?


It has been 24 hours since I opened the ticket with openvz.ca/media-hosts.com and I have not received a reply yet. I guess I will send a "bump" reply, but if the billing people are actually in Canada then they are probably busy drinking red beer.


The VPSs that dnscrypt.ca runs on (the resolvers) have been costing me $15 per year. With other various costs such as the domain name, my entire costs have been in the neighbourhood of $50 per year. Today I received a bandwidth overage charge (with no notice of any policy change) of $86 for the last month of traffic. I have submitted a ticket to the billing department asking if I may return to the previous state of bandwidth forgiveness and am awaiting their reply.

If they tell me that I will continue to be charged for overage, then dnscrypt.ca will be forced to shut down immediately. Going from $50 per year to a projected $1100 per year is simply not going to cut it. I will provide updates here as frequently as I can.


The maintenance window lasted longer than expected. At 4:00pm I got an email saying they were extending the window until 10pm. A little before 7:00pm the servers went down. At about 12:30am dnscrypt.ca-1 came back up. Around 1:30am I fell asleep... and around 4:00am is when dnscrypt.ca-2 came back up.

Sorry for the downtime folks. I am hoping I'll get an email about it today some time.


My hosting provider has set a maintenance window on Saturday, June 22nd 2019 from 10AM EST to 8PM EST. It is expected that the servers will reboot at least once during this time. I will monitor and minimize downtime as best I can.


I was reading through some nginx related material recently, which led me to running various tests on the web server. I figured I'd play along with what they had to say so I could get the fancy A+ rating on most of them. The bulk of the changes involved just adding some reasonably appropriate headers in nginx. I am skeptical that anyone will even notice a change, and it certainly has nothing to do with the security of the DNS resolvers, but I guess it'll make some folks happy.
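The two web-server changes described on this page (dropping TLSv1.0/TLSv1.1 in the first entry, and the response headers the scanners grade on in this one), as an added nginx server block. This is an example, not the dnscrypt.ca configuration: the server name, certificate paths, document root and the Content-Security-Policy value are assumptions. As the author says, none of this touches the resolvers; it only affects HTTPS connections to the web site.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dnscrypt.ca;                                   # assumed

    ssl_certificate     /etc/ssl/dnscrypt.ca/fullchain.pem;    # assumed path
    ssl_certificate_key /etc/ssl/dnscrypt.ca/privkey.pem;      # assumed path

    # Weak: still accepts the legacy protocol versions.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected: TLS 1.2 and 1.3 only. Clients that cannot do either get a
    # handshake failure instead of a page.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;   # let TLS 1.2 clients choose from a modern list
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Headers the usual scanners grade on. "always" makes nginx send them on
    # error responses (4xx/5xx) too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;   # assumed policy

    root /var/www/dnscrypt.ca;                                 # assumed
}
```

Two caveats worth knowing before copying this: an `add_header` inside a `location` block replaces every `add_header` inherited from the `server` block, so headers set here silently disappear in any location that adds its own, and a long HSTS `max-age` commits the site to HTTPS for that period, so set it only once HTTPS is known to work for every hostname covered.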


In response to this reddit post:

I do not have a Reddit account but I am open to questions. Click "contact" at the top of this page to ask whatever you like.


dnscrypt.ca-2 IPv4 just barfed on a bad key for some reason. Since I was already doing some testing on the switch to the xchacha20 cipher I figured I would just quickly add it to the key rotation script before restarting it. Looks to be running fine now and should be showing the new cipher too. Total downtime was just a few minutes.

I'll change the IPv6 script and both scripts on dnscrypt.ca-1 in the next few hours. Users should not have to do anything but if anyone notices any connectivity issues please let me know.


Just made some minor changes to the web site in hopes that it might look better on mobile devices. Didn't make a massive effort to support mobile, just made the layout more vertical.


A dnscrypt.ca user (thanks Nick) recently alerted me to an outage on the IPv4 services. As a result I have made a script that is cron'ed to run every minute on the servers to check whether or not the dnscrypt-wrapper processes are running. If they are not running, the script will attempt to detect which key/cert files are present, restart the process and email me a notification message. After some testing the script is now live on both servers and is monitoring both IPv4 and IPv6 processes. I'll be monitoring to see how they do.

The script on the web server that checks connectivity (and which updates the web site in the event of an outage) remains unchanged, but only runs every 15 minutes rather than every minute.
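The watchdog described in this entry (and wished for in the earlier note about dnscrypt.ca-1 being down for an hour) as an added example. This is not the dnscrypt.ca script. Assumptions: each listener has its own directory of `<n>.key` / `<n>.cert` pairs written by a key-rotation script that is not shown; the wrapper is started with the dnscrypt-wrapper 0.4 flags in `wrapper_cmd` (check `dnscrypt-wrapper --help` for your version); `mail` and `logger` exist on the host; the resolver address, provider name and key directories are placeholders.

```sh
#!/bin/sh
# Watchdog for dnscrypt-wrapper listeners, run from cron every minute:
#   * * * * * /usr/local/sbin/dnscrypt-watchdog.sh run
# Added example, not the dnscrypt.ca script. Flag names are dnscrypt-wrapper
# 0.4's (assumed); key directories, resolver and provider name are placeholders.

RESOLVER="${RESOLVER:-127.0.0.1:53}"                            # local Unbound
PROVIDER_NAME="${PROVIDER_NAME:-2.dnscrypt-cert.example.com}"   # assumed
MAILTO="${MAILTO:-root}"
# One "listen-address keydir" pair per line: the IPv4 and IPv6 listeners.
LISTENERS="${LISTENERS:-0.0.0.0:443 /etc/dnscrypt-wrapper/v4
[::]:443 /etc/dnscrypt-wrapper/v6}"

# Return 0 when a dnscrypt-wrapper bound to listen address $1 is running.
# Fixed-string grep, because "[::]:443" is not a safe regex.
wrapper_running() {
    ps axo args= | grep -F -- "--listen-address=$1" | grep -q 'dnscrypt-wrapper'
}

# Print the newest <n>.cert in directory $1 that has a matching <n>.key.
# A cert whose key is missing (half-written rotation) is skipped.
# Prints nothing and returns 1 if there is no complete pair.
newest_cert_pair() {
    best=""
    for cert in "$1"/*.cert; do
        [ -e "$cert" ] || continue                 # glob matched nothing
        [ -r "${cert%.cert}.key" ] || continue     # no key for this cert
        if [ -z "$best" ] || [ "$cert" -nt "$best" ]; then
            best=$cert
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Print the command that starts a wrapper on listen address $1 with cert $2
# and its sibling key (paths without whitespace assumed).
wrapper_cmd() {
    printf 'dnscrypt-wrapper --daemonize --listen-address=%s --resolver-address=%s --provider-name=%s --crypt-secretkey-file=%s --provider-cert-file=%s\n' \
        "$1" "$RESOLVER" "$PROVIDER_NAME" "${2%.cert}.key" "$2"
}

# Check every listener, restart the dead ones, and report each action.
watchdog() {
    printf '%s\n' "$LISTENERS" | while read -r addr keydir; do
        [ -n "$addr" ] || continue
        wrapper_running "$addr" && continue
        if cert=$(newest_cert_pair "$keydir"); then
            cmd=$(wrapper_cmd "$addr" "$cert")
            if $cmd; then
                msg="restarted listener $addr with $cert"
            else
                msg="FAILED to restart listener $addr with $cert"
            fi
        else
            msg="listener $addr is down and $keydir has no complete key/cert pair"
        fi
        logger -t dnscrypt-watchdog "$msg"
        printf '%s\n' "$msg" | mail -s "dnscrypt-watchdog on $(hostname)" "$MAILTO"
    done
}

case "${1-}" in
    run) watchdog ;;
esac
```

The `run` argument keeps the script inert when sourced or run by hand without it, so the helper functions can be exercised separately. Picking the newest cert that has its key, rather than a fixed file name, is what lets the watchdog survive a rotation that has just replaced the files; the one case it cannot fix is a bad key that makes the wrapper exit immediately, which shows up as a restart mail every minute and is the signal to look at the rotation script.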

Older News

Curious eh? Well, have a look at the 2018 News.