
DNSCrypt Necessary or not?


DNSSEC and DNSCrypt are both complementary; they are not competitive. They both address different security aspects.

I probably won't be that popular here on this thread...

DNSCrypt is non-standard - what I find odd is that after 10 plus years, why haven't they approached the IETF? If not as an RFC submission, at least as an Internet Draft.

It does beg the question - They have not done this...

Why is this important?

Interoperability across different platforms, both on the client and server sides.

DNS over TLS (and its cousin DNS over HTTPS) pretty much do the same thing in a cleaner and more elegant manner...

Both DoH and DoT are standards-based...

DoH - https://datatracker.ietf.org/doc/html/rfc8484

DoT - https://datatracker.ietf.org/doc/html/rfc7858

DNSSEC is still out there, and adoption is picking up across the 'net
 
I do not recommend any protocol over the other. It is a bit up to the user which DNS servers they want to use (how close they are, and which protocols they support and trust).
In Merlin firmware we have the ability to use most of them ;).
I think the developer of dnscrypt-proxy has talked more than a few times about making the dnscrypt protocol an IETF standard (it takes a lot of time and costs money, and would require a team of people helping out and funding).
But the dnscrypt protocol has had a complete specification since 2013 and was made for DNS (good enough for me, but maybe not for others).
In Merlin firmware we have DoT available :)
And via AMTM we have:
DNSCrypt-proxy v2 has support for DoH, ODoH, DNSCrypt and Anonymized DNSCrypt via Asuswrt-Merlin-dnscrypt installer
AdGuard Home supports DoT, DoH, DoQ and DNSCrypt via Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)
Unbound supports DoT, but is better used for making your own DNS server; not encrypted, but it has nice security features and uses a large cache for fast lookups.

I have used DoT, DoH, DoQ, ODoH and DNSCrypt. At the moment I use Anonymized DNSCrypt with DNSSEC (relays to remove my IP for the DNS servers).
All the solutions above offer the same practical security level. Compatibility with existing tools and infrastructure is what makes an actual difference.
From what I know, dnscrypt is available on most platforms and has a lot of servers to choose from; Quad9, Cleanbrowsing, Cisco (OpenDNS) and many VPN providers support it.
 

As a former member of IETF, it takes no "money" or "Funding" to get something through the process. It takes one person to write an Internet Draft, convince a working group to add it to the agenda, and convince others to review and contribute.

The people that worked DoT and DoH did just that...

At the end of the day, I really don't care - I do find it odd that some folks resent DoT/DoH, and then want to implement DNSCrypt.
 
If this could become an RFC:


Then there is no excuse besides not wanting to...
 