dnscrypt.ca ... Free Canadian based encrypted DNS service with DNSSEC validation for your pleasure.


When I first found dnscrypt, I was thrilled to try it out. I connected to one of the free public resolvers and was happily encrypting my queries. Then the service went down for some reason. It could have been a problem with the keys, a hardware failure, or even just a simple reboot. Whatever the problem was, my name resolution was dead and I had to revert to my ISP's DNS servers to get things working again. I didn't want to give up that easy, so I tried a different public resolver, which at some point had intermittent trouble resolving one of my own domain names. Again, I was back to my ISP's DNS servers. I really like the idea of DNS privacy, and there were no dnscrypt servers in Canada at the time, so I decided to make my own dnscrypt server.

I ran in to a few problems though. It turns out Canadian VPS's are typically more expensive and less plentiful than in the US. VPS's are also generally not as reliable as I would like (even with 99.99999% uptime guarantees). I also found that setting up DNSSEC and TLSA for a domain [at least for a .ca domain] is a giant pain. There really is a lot more to the story, but the short of it is that CIRA and Canadian registrars simply don't make DNSSEC/TLSA as easy as it should be, especially since validation of them is so low. I also decided that dnscrypt [all DNS for that matter] is best used with multiple resolvers. Anyways, I have a pair of VPS's now and I think they might be worth using for a stable Canadian dnscrypt presence.

Multiple Resolvers

The reason I think multiple resolvers is such a big deal, is because if your only resolver goes down for any reason, your Internet connection immediately becomes pretty much unusable. Existing connections may still function for a time, but essentially all new connections to any remote system will appear to be dead. This is really a wake up call that shows just how dependent all of our services are on DNS. Using multiple resolvers gives you the resilience to get through minor [or even major] server outages likely without even noticing at all. It does perhaps add a little bit of complication to your DNS setup, but is well worth the trouble.

Before the old dnscrypt-proxy project was abandoned and reincarnated I used to suggest using a stub resolver such as dnsmasq or Acrylic to connect to multiple instances of the dnscrypt-proxy software. This would offer some resilience to a DNS server going down for some reason. The new dnscrypt-proxy software has been around for the better part of a year now, is reasonably stable, and supports multiple resolvers. It is still possible to create separate instances by just using a couple of different .toml files.


I would suggest using dnsproxy for most setups, or dnscrypt-proxy if you require some of the advanced features it offers. There are also other client applications available. With dnsproxy you would use a command line like this:

dnsproxy -l -u https://dns1.dnscrypt.ca:453/dns-query -u https://dns2.dnscrypt.ca:453/dns-query -b

which would connect to the DoH services of both dnscrypt.ca servers, and use dns.watch as a bootstrap server (this may be required for your system to resolve dns1.dnscrypt.ca in order to connect). Once that is running you would set your operating system's DNS server to With dnscrypt-proxy you would edit your dnscrypt-proxy.toml file and tell it to use dnscrypt.ca using a "server_names" directive near the top like this:

server_names = ['dnscrypt.ca-1', 'dnscrypt.ca-2']

There are a lot of other options with dnscrypt-proxy and I think if you are going to use it that you should read through the whole .toml file and understand what all of the options do. Thanks to one of our users, here are some instructions for manually setting up Tomato to connect to dnscrypt.ca:

Make sure your Tomato version is current.

On the left menu click on BASIC -> Network. Under the LAN section
Then enter dnscrypt.ca options. Using Server #1 values in this image:


The settings required for both servers can be found on the main page.

Protecting Your Home Network

If you have a bunch of devices on your home network it might be better to setup a single device to do name resolution for all of them. A very small PC (or even a SBC like a Whatever Pi) can easily use dnsproxy or dnscrpyt-proxy to handle the DNS requests for all your home devices. Just set up the proxy application to listen on your LAN address instead of and setup your DHCP server point clients to it as their DNS server.