dnscrypt.ca ... Free Canadian based encrypted DNS service with DNSSEC validation for your pleasure.


When I first found dnscrypt, I was thrilled to try it out. I connected to one of the free public resolvers and was happily encrypting my queries. Then the service went down for some reason. It could have been a problem with the keys, a hardware failure, or even just a simple reboot. Whatever the problem was, my name resolution was dead and I had to revert to my ISP's DNS servers to get things working again. I didn't want to give up that easy, so I tried a different public resolver, which at some point had intermittent trouble resolving one of my own domain names. Again, I was back to my ISP's DNS servers. I really like the idea of DNS privacy, and there were no dnscrypt servers in Canada at the time, so I decided to make my own dnscrypt server.

I ran in to a few problems though. It turns out Canadian VPS's are typically more expensive and less plentiful than in the US. VPS's are also generally not as reliable as I would like (even with 99.99999% uptime guarantees). I also found that setting up DNSSEC and TLSA for a domain [at least for a .ca domain] is a giant pain. There really is a lot more to the story, but the short of it is that CIRA and Canadian registrars simply don't make DNSSEC/TLSA as easy as it should be, especially since validation of them is so low. I also decided that dnscrypt [all DNS for that matter] is best used with multiple resolvers. Anyways, I have a pair of VPS's now and I think they might be worth using for a stable Canadian dnscrypt presence.

Multiple Resolvers

The reason I think multiple resolvers is such a big deal, is because if your only resolver goes down for any reason, your Internet connection immediately becomes pretty much unusable. Existing connections may still function for a time, but essentially all new connections to any remote system will appear to be dead. This is really a wake up call that shows just how dependent all of our services are on DNS. Using multiple resolvers gives you the resilience to get through minor [or even major] server outages likely without even noticing at all. It does perhaps add a little bit of complication to your DNS setup, but is well worth the trouble.

Before the old dnscrypt-proxy project was abandoned and reincarnated I used to suggest using a stub resolver such as dnsmasq or Acrylic to connect to multiple instances of the dnscrypt-proxy software. This would offer some resilience to a DNS server going down for some reason. The new dnscrypt-proxy software has been around for the better part of a year now, is reasonably stable, and supports multiple resolvers. It is still possible to create separate instances by just using a couple of different .toml files.


Here are some client/proxy applications that can be used to connect to dnscrypt.ca servers:

Thanks to one of our users, here are some instructions for manually setting up Tomato to connect to dnscrypt.ca:

Make sure your Tomato version is current.

On the left menu click on BASIC -> Network. Under the LAN section
Then enter dnscrypt.ca options. Using Server #1 values in this image:


The settings required for both servers can be found on the main page.

Protecting Your Home Network

If you have a bunch of devices on your home network it might be better to setup a single DNSCrypt'ed resolver for all of them. A very small PC (or even a SBC like a Whatever Pi) can easily use dnscrpyt-proxy to handle the DNS requests for all your home devices. Just set up the proxy application to listen on your LAN address instead of and then setup your DHCP server point clients to it as their DNS server.