dnscrypt.ca ... Free Canadian-based encrypted DNS service with DNSSEC validation for your pleasure.


When I first found dnscrypt, I was thrilled to try it out. I connected to one of the free public resolvers and was happily encrypting my queries. Then the service went down for some reason. It could have been a problem with the keys, a hardware failure, or even just a simple reboot. Whatever the problem was, my name resolution was dead and I had to revert to my ISP's DNS servers to get things working again. I didn't want to give up that easily, so I tried a different public resolver, which at some point had intermittent trouble resolving one of my own domain names. Again, I was back to my ISP's DNS servers. I really like the idea of DNS privacy, and there were no dnscrypt servers in Canada at the time, so I decided to make my own dnscrypt server.

I ran into a few problems though. It turns out Canadian VPSes are typically more expensive and less plentiful than in the US. VPSes are also generally not as reliable as I would like (even with 99.99999% uptime guarantees). I also found that setting up DNSSEC and TLSA for a domain [at least for a .ca domain] is a giant pain. There really is a lot more to the story, but the short of it is that CIRA and Canadian registrars simply don't make DNSSEC/TLSA as easy as it should be, especially since validation of them is so low. I also decided that dnscrypt [all DNS for that matter] is best used with multiple resolvers. Anyway, I have a pair of VPSes now and I think they might be worth using for a stable Canadian dnscrypt presence.

Multiple Resolvers

The reason I think multiple resolvers are such a big deal is that if your only resolver goes down for any reason, your Internet connection immediately becomes pretty much unusable. Existing connections may still function for a time, but essentially all new connections to any remote system will appear to be dead. This is really a wake-up call that shows just how dependent all of our services are on DNS. Using multiple resolvers gives you the resilience to get through minor [or even major] server outages, likely without even noticing at all. It does perhaps add a little bit of complication to your DNS setup, but it is well worth the trouble.

Before the old dnscrypt-proxy project was abandoned and reincarnated I used to suggest using a stub resolver such as dnsmasq or Acrylic to connect to multiple instances of the dnscrypt-proxy software. This would offer some resilience to a DNS server going down for some reason. The new dnscrypt-proxy software has been around for the better part of a year now, is reasonably stable, and supports multiple resolvers. It is still possible to create separate instances by just using a couple of different .toml files.

Connecting With Windows

Here are some of the DNSCrypt client applications for Windows:

If you have Windows 7 SP1 or newer, and don't mind installing frameworks like .NET and VS runtime libs, then you might want to use Simple DNSCrypt. It will give you a pretty GUI you can use to manage the service. I assume this application uses the current public resolver list, but I have not confirmed this.

On the other hand, if you run an older Windows OS, want a little more control, or simply like a lean OS, then you should probably stick with dnscrypt-proxy. The good news about dnscrypt-proxy version 2 is that it supports multiple resolvers. The bad news is that by default it just lets you configure a few requirements (such as IPv6 and logging), connects to all servers that meet those requirements, and uses the one with the lowest latency. It is possible, however, to limit it to a particular list of servers by using the server_names directive in your .toml file.
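As an added illustration of that server_names directive (this is not a configuration file from dnscrypt.ca or from the dnscrypt-proxy project, just an example written for this page), here is a minimal dnscrypt-proxy 2 .toml that pins the client to a fixed pair of resolvers instead of "every server that meets the requirements". The resolver names, the list URL, the minisign key and the DNS stamp are placeholders; copy the real values from the resolver list you load and from the project's example configuration.

```toml
# Added example, not dnscrypt.ca's own file. Names and keys below are
# placeholders to be replaced with values from the resolver list you use.

# Where clients on this machine send their queries.
listen_addresses = ['127.0.0.1:53']

# Only use these resolvers. With two or more names listed, dnscrypt-proxy
# measures latency across them and keeps working when one stops answering,
# which is the multiple-resolver setup described above.
server_names = ['example-resolver-1', 'example-resolver-2']

# The usual requirements still apply to the named servers; a name that does
# not satisfy them is skipped.
require_dnscrypt = true
require_dnssec = true
ipv6_servers = false

# Resolver list used to look up the names above (URL and signing key are
# placeholders; take them from the project's example-dnscrypt-proxy.toml).
[sources]
  [sources.'public-resolvers']
  urls = ['https://PLACEHOLDER/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'PLACEHOLDER-MINISIGN-KEY'
  refresh_delay = 72

# A resolver that is not in any list can be pinned directly by its DNS stamp;
# the entry name must match one of the names in server_names.
[static]
  [static.'example-resolver-1']
  stamp = 'sdns://PLACEHOLDER-STAMP'
```

Restart the dnscrypt-proxy service after editing the file, and check its log: it reports which of the named servers it could reach and the latency it measured for each, which is the quickest way to confirm that a name was spelled the way the list expects.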

Connecting With Linux

If you want a GUI tool you're pretty much looking at using YourFriendlyDNS, and if you don't care about GUI then your only other option is probably dnscrypt-proxy.

Connecting With macOS

It is my understanding that dnscrypt-proxy works on macOS, but I have no Apple products here, so I have no way to test any Mac versions of clients. I have received an email from a user telling me that he was able to connect to my servers using the OSX Client but the screenshots give me the impression it can only handle a single server. There are also some instructions on using Homebrew to install the CLI dnscrypt-proxy software on the dnscrypt-proxy installation wiki page.

Connecting With Android

The dnscrypt-proxy client also has an Android port, though I have no Android device here and have never tested it.

Protecting Your Home Network

If you have a bunch of devices on your home network it might be better to set up a single DNSCrypt'ed resolver for all of them. A very small PC (or even a SBC like a Whatever Pi) can easily use dnsmasq and dnscrypt-proxy to handle the DNS requests for all your home devices. Just set up your small computer with Linux and use a stub resolver like dnsmasq to provide DNS services to your home network. You would also of course need to have your DHCP server tell clients to use it as their DNS server.
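The home-network setup just described, as an added example (my own illustration for this page, not a script from dnscrypt.ca or from either project): a small POSIX shell script that generates the dnsmasq configuration for the gateway and a check that queries from a client go through it. It assumes dnscrypt-proxy on the same box has been given listen_addresses = ['127.0.0.1:5300'] in its .toml so the two daemons do not both claim port 53, and it assumes placeholder values for the LAN address (192.168.1.1) and interface (eth0); adjust those for your network.

```sh
#!/bin/sh
# Added example, not part of dnscrypt.ca or dnsmasq: build a dnsmasq config
# that forwards every query to a local dnscrypt-proxy and advertises the
# gateway itself as the DNS server over DHCP.
#
# Assumptions (placeholders): dnscrypt-proxy listens on 127.0.0.1:<proxy_port>,
# the gateway's LAN address is <lan_ip> on interface <lan_if>, and the LAN is
# a /24 so the DHCP pool can be derived from <lan_ip>.

# gen_dnsmasq_conf LAN_IP LAN_IF PROXY_PORT  -> writes the config to stdout
gen_dnsmasq_conf() {
    lan_ip="$1"; lan_if="$2"; proxy_port="$3"
    prefix="${lan_ip%.*}"          # 192.168.1.1 -> 192.168.1
    cat <<EOF
# dnsmasq: stub resolver plus DHCP for the home LAN (generated example)
interface=${lan_if}
bind-interfaces
listen-address=${lan_ip},127.0.0.1
# Ignore /etc/resolv.conf (the ISP's servers) and forward only to dnscrypt-proxy
no-resolv
server=127.0.0.1#${proxy_port}
# Relay the AD flag set by the validating upstream resolver to LAN clients
proxy-dnssec
cache-size=1000
# DHCP: hand out addresses and point clients at this box for DNS
dhcp-range=${prefix}.100,${prefix}.200,12h
dhcp-option=option:dns-server,${lan_ip}
EOF
}

# verify_resolution LAN_IP [NAME]
# Run from a client (or the gateway) once both daemons are up. Returns 0 when
# the name resolves through the gateway and the answer carries the AD flag,
# 1 when the query fails outright, 2 when it resolves but was not validated.
# Needs dig (dnsutils / bind-utils).
verify_resolution() {
    lan_ip="$1"; name="${2:-example.com}"
    out=$(dig +dnssec "@${lan_ip}" "$name" A 2>&1) || return 1
    echo "$out" | grep -q 'status: NOERROR' || return 1
    echo "$out" | grep -q 'flags:.* ad' || return 2
    return 0
}

# Usage on the gateway (as root), then restart dnsmasq:
#   gen_dnsmasq_conf 192.168.1.1 eth0 5300 > /etc/dnsmasq.d/dnscrypt.conf
# Then from a LAN client:
#   verify_resolution 192.168.1.1 dnscrypt.ca && echo "validated answer via gateway"
```

The proxy-dnssec line is what lets the "DNSSEC validation" part of the service reach your devices: dnsmasq does no validation of its own here, it only passes on the AD bit that the upstream resolver set, so a client that sees "ad" in the flags of a +dnssec query knows the answer was validated upstream. If verify_resolution returns 2, the chain is working but the answer was not validated, which usually means dnscrypt-proxy is not talking to a validating resolver.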