DNSCrypt Reduces Privacy

Written a year ago by Mike Cardwell

DNSCrypt is a protocol for “securing” a single hop during a DNS lookup. It lets you verify that the response you received really came from the DNS server you connected to, unmodified, and it encrypts the traffic over that single hop.

I’ve seen people recommend this as a technology to increase your privacy, especially given the recent news that GCHQ is investigating a national firewall that could potentially intercept, modify or block DNS requests.

Installing DNSCrypt on your host/network does not increase your privacy. Your ISP/government can no longer see the content of your DNS requests or responses, that is true, but the third party running the DNSCrypt-enabled DNS server now can. And your ISP and government can still see what you’re doing anyway. They can still see what websites you’re visiting: even if you’re using HTTPS, your browser sends the website hostname in plain text in the TLS handshake because of SNI (Server Name Indication). And they can still see/log all of the IP addresses and ports you’re connecting to anyway.

Disagree with me? Well, then you’re disagreeing with the authors as well. From their own front page:

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn’t prevent “DNS leaks”, or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks websites host.

Use Tor or a VPN. Using DNSCrypt just increases the number of parties that can see what you’re doing.

