DNSCrypt is pegged as a lightweight and faster alternative to DNS-over-Tor

UPDATED As encrypted Domain Name Server (DNS) queries are beginning to go mainstream through DNS-over-HTTPS (DoH), a software developer is looking to go one step further with a technology that adds anonymized domain name lookups.

A proxy-based implementation of the DNSCrypt protocol was released as a beta by developer Frank Denis through GitHub this week.

The software package, named dnscrypt-proxy, offers a faster, lightweight alternative to the technologically similar DNS-over-Tor, according to Denis.

On the server-side, anonymized DNS can be enabled through an encrypted DNS server.

The technology relies on relays to pass on DNS lookup requests contained in encrypted traffic. Instead of directly querying a server, an anonymized DNS client encrypts the query for the final server, which is sent via a relay.

The relay wouldn’t have access to the content of the request – but it would know the IP address of the privacy-conscious individual making the query.

Resolving DNS lookups without censorship or logging is a key goal of the project.


ANALYSIS Full DNSSEC adoption needed to repel state-sponsored DNS hijackers – ICANN


The Daily Swig asked Denis who would run these relays and what incentives would they have to get involved in supporting this nascent technology.

We are yet to hear back from the researcher, but his earlier public comments provide some idea of what he has in mind for DNSCrypt.

Denis – who describes himself as a Parisian fashion photographer with an active interest in opensource software and infosec – is full of ideas for how the project might work in practice.

He said: “Cloudflare Spectrum could be a simple way to do anonymized DNS. Send encrypted queries to Cloudflare, that forwards them to an actual DNSCrypt server. As in Anonymized DNSCrypt, Cloudflare doesn’t learn the DNS query, the server doesn’t learn the client IP.”

The release of new versions of software supporting the technology was accompanied by a discussion thread on Reddit this week.


INTERVIEW ‘Middle-aged’ DNS tech still has legs to kick on, says web architect Cricket Liu

Cricket Liu, the chief DNS architect at cloud-managed network services firm Infoblox, described DNSCrypt technology as “interesting” while adding that the project to push its adoption had to grapple with some as yet unanswered questions.

“The degree to which this is effective in concealing your identity depends on the number of ‘relays’ and their popularity,” Liu told The Daily Swig. “Currently there are three, and I imagine not many users yet.”

“Since the developer used DNSCrypt, you're limited to relaying to a DNS service that supports DNSCrypt. "That limits the providers you can use somewhat,” he added.

Using the technology may at this stage incur a performance hit, Liu added.

“It’d be interesting to see how much using a relay increases latency (which depends, I suppose, on how far away the relay is from your stub resolver, and how far it is from the service it's relaying to),” he explained.


This story was updated on October with comment from DNS expert Cricket Liu