Securing DNS Lookups via Encrypted DNS - DNSCrypt



A normal DNS lookup works like this:

1. Request for DNS lookup (from browser, FTP, etc.)

2. The system gets DNS information for the domain from a list of remote DNS servers. Often these are auto-configured by your internet provider (which is often bad and results in the use of a monitored DNS provider that could be doing anything with your lookup data).

3. IP information is returned to your browser, FTP, etc.

That process is simple and is all done in plaintext, meaning your requests are seen by the end server fulfilling the request as well as by the upstream internet provider and the networks the packets travel through. That is bad. The NSA is watching, the FBI is watching, foreign intelligence might be watching, your wife may be watching and hackers could be watching. DNS lookups tell a good amount about your life (where you are eating, products you are researching, your porn habits, etc.).

What Can We Do to Secure DNS Lookups?

Simply put, encrypt the DNS requests. Doing so, however, is severely limited: there is no SSL-like standard, and hardly anyone is on board with a recent effort by the free DNS company OpenDNS.

The solution, for now, is OpenDNS and their DNSCrypt.

Recap of the DNS Lookup Workflow:

browser ---> remote DNS server
---- plaintext unencrypted = BAD!!!!! -----

Revised DNS Lookup Workflow:

browser ---> DNSCrypt ---> remote server
---- encrypted = GOOD!!!! ----

What you will need:

1. A computer running Debian or a derivative (Ubuntu should work). A desktop will work fine; a remote VPS or dedicated server should be fine too.

2. Port 53 available (no existing DNS server running)

3. gcc for compiling

4. make and automake

Howto: Debian Installation of DNSCrypt

1. Become root:
su -
(enter root password)

Make a new user that isn't root, and give it a home directory:

2. useradd -r -d /home/dnscrypt -s /usr/sbin/nologin dnscrypt; mkdir -p /home/dnscrypt; chown -R dnscrypt:dnscrypt /home/dnscrypt

Back to being root :)

3. cd ~ ; mkdir dnscrypt; cd dnscrypt

Let's get the DNSCrypt source

4. wget

5. tar xzvf dnscrypt-proxy-1.3.2.tar.gz

6. cd dnscrypt-proxy-1.3.2

We need libsodium for this to work, let's get it and compile/install

7. mkdir libsodium

8. cd libsodium

9. wget

10. tar xzvf libsodium-0.4.2.tar.gz; cd libsodium-0.4.2

11. ./configure

12. make && make check && make install && ldconfig (ldconfig so the freshly installed shared library is found)

Now back to DNSCrypt compile/install

13. cd ../..

14. ./configure && make -j2

(Get an error here, like this?
"configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'."

Maybe libc isn't installed. Do the following:
apt-get install --reinstall libc6-dev
./configure && make -j2 (works now?)

15. make install

It should be installed now.

16. ls -l /usr/local/sbin/dnscrypt-proxy (see the file?)

Let's run dnscrypt-proxy:

17. dnscrypt-proxy --daemonize --user=dnscrypt (did that work? I hope so)

ps aux | grep dnscrypt

(if you don't see it, something else is probably running on port 53 ---> tail /var/log/syslog for error messages)

If you have this running add this so it runs at startup:

18. crontab -e
@reboot dnscrypt-proxy --daemonize --user=dnscrypt

For it to take effect, we need to activate it by adding new info to /etc/resolv.conf:

19. nano /etc/resolv.conf
REMOVE or comment out any nameserver that exists:


Save and exit.

Try a lookup:

20. nslookup

You *SHOULD* be getting an IP, something like this:

Non-authoritative answer:

If so, it works and you are DONE! Congrats, your DNS requests are now fed to OpenDNS over an encrypted channel. Do I trust OpenDNS? Only a bit more than all the big companies that were outed for spying on web users recently. DNS is pretty much all OpenDNS does, so if they botch it or do wrong by users, they will lose their company in spectacular fashion.

This is the start of a solution, not the entire solution. In the future, hopefully, more DNS providers will support DNSCrypt.

Enhancements to this would be local caching (perhaps DNSMasq), the addition of other remote servers (currently the only other compatible server is in Australia, which means high latency for many), and coming up with a DNS pass-through chain so requests can be processed and scoured as needed (i.e. DNSMasq ---> DNSCrypt). That last one is currently not easily doable, since /etc/resolv.conf doesn't support entries with ports.

More Info:
Introducing DNSCrypt (Preview Release)
Background: The need for a better DNS security
A tool for securing communications between a client and a DNS resolver
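Added example, not from the post above and not part of the DNSCrypt project: steps 17 to 20 collected into one script, with the checks a practitioner would want before trusting the setup. It assumes things the post does not state: that dnscrypt-proxy 1.x listens on 127.0.0.1:53 by default and talks to its resolver over port 443, that the unprivileged account is called dnscrypt, and that dig (dnsutils) and tcpdump are installed. Run it as root with the argument `apply` after `make install`.

```shell
#!/bin/sh
# Added example (not code from the original post): dnscrypt-proxy 1.x
# post-install configuration and verification on Debian, run as root.
# Assumptions not stated on the page: the proxy listens on 127.0.0.1:53 by
# default and reaches its resolver over port 443; the service account is
# "dnscrypt"; dig (dnsutils) and tcpdump are installed.
set -eu

LISTEN_IP=127.0.0.1                          # assumed default local address
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
PROBE_NAME=example.com                       # any public name will do

# Read `ss -lntu` output on stdin; succeed if something already listens on
# port 53 (the failure mode step 17 warns about). Parsing is kept apart from
# the command so it can be exercised on captured output.
port53_in_use() {
    awk 'NR > 1 && $5 ~ /:53$/ { found = 1 } END { exit !found }'
}

# Rewrite a resolv.conf body (stdin -> stdout): comment out every existing
# nameserver so no query can fall back to plaintext, then add the local one.
rewrite_resolv_conf() {
    awk -v ip="$LISTEN_IP" '
        /^[ \t]*nameserver[ \t]/ { print "# " $0 "  (disabled: plaintext)"; next }
        { print }
        END { print "nameserver " ip }'
}

# Succeed if a lookup through the local listener returns at least one record.
local_lookup_works() {
    dig +short +time=3 +tries=1 "$PROBE_NAME" @"$LISTEN_IP" | grep -q .
}

# Succeed if a lookup produced a port-53 packet off loopback, i.e. a query
# still leaving the host in the clear. The encrypted leg to the resolver
# uses port 443, so nothing on port 53 should be seen.
plaintext_dns_leaks() {
    timeout 4 tcpdump -nqi any -c 1 'port 53 and not host 127.0.0.1' >/dev/null 2>&1 &
    sniffer=$!
    sleep 1
    dig +short "$PROBE_NAME" >/dev/null 2>&1 || true
    wait "$sniffer"           # 0 = packet captured (leak), 124 = timed out (clean)
}

apply() {
    if ss -lntu | port53_in_use; then
        echo "port 53 is taken; stop the other resolver first (see syslog)" >&2
        exit 1
    fi
    dnscrypt-proxy --daemonize --user=dnscrypt              # step 17
    sleep 1
    pgrep -x dnscrypt-proxy >/dev/null || {
        echo "dnscrypt-proxy did not start; tail /var/log/syslog" >&2; exit 1; }
    local_lookup_works || { echo "proxy is up but not answering" >&2; exit 1; }

    cp -p "$RESOLV_CONF" "$RESOLV_CONF.bak"                 # step 19, with a backup
    rewrite_resolv_conf < "$RESOLV_CONF.bak" > "$RESOLV_CONF.tmp"
    mv "$RESOLV_CONF.tmp" "$RESOLV_CONF"

    if plaintext_dns_leaks; then                            # step 20, plus a leak check
        echo "LEAK: a plaintext port-53 packet left the host" >&2; exit 1
    fi
    echo "OK: lookups go to $LISTEN_IP and no plaintext DNS left the host"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Two points behind the design. Every existing nameserver line is commented out rather than kept as a fallback, because the resolver library silently moves to the next entry when the first is slow, and a leftover plaintext entry would be used exactly when you least expect it. The tcpdump check is the one worth keeping: a proxy that is running is not the same as no query leaving the box in the clear. On hosts where dhclient or resolvconf manages /etc/resolv.conf the rewrite will be undone at the next lease renewal, so configure those tools (or mark the file immutable) instead of editing it by hand.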


100% Tier-1 Gogent
It's a valid point / question @FRCorey.

The code is, I believe, open. Someone can review / audit it.

"We're using elliptic-curve cryptography, in particular the Curve25519 elliptic curve. The design goals are similar to those described in the DNSCurve forwarder design."


Do I trust them? Well, at minimum we are eliminating open-air sniffing of the information. Beating the government, well, if they are cheating, yeah, that won't do much good. I can't call it. But if we catch them handing over to / complying with / feeding the feds, count them as ruined.


Beware the bunny-rabbit!
Verified Provider
Curve25519 + Salsa20/16 (as used by DNSCurve and DNSCrypt) is a pretty tough cryptographic stack to break, and it's not hardware accelerated, so it would be reasonably difficult for the NSA to crack in real time. I'm pretty sure the NarusInsight boxes don't support it.

That said, ECC cryptography is a little sketchy.  In theory it is simple, but it's also very easy to slip a backdoor in because the actual implementations are not.  I would say it's easier to slip in a backdoor with ECC than with an exponent-raising PKI like RSA, where the underlying theory and implementation are very well understood.


100% Tier-1 Gogent
Good and interesting work @vert!

Does your solution support multiple encrypted resolvers --- so for instance, both the EU resolver + OpenDNS as a backup?


New Member
Nope. Not yet anyway. That's really something DNSCrypt in its present form lacks. DNS is so fundamental that there needs to be a failover.

I'm thinking about doing something that checks the server status and reconfigures dnscrypt to another service if it can't reach the currently configured server.

I have not had time yet to see if "dual resolvers" have been feature requested with the DNSCrypt developers, but if it hasn't - it needs to be :)
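Added example, not vert's script and not anything from the DNSCrypt project: one way to do the health check and switch-over described in the post above, meant to be run from cron every minute. It assumes the dnscrypt-proxy 1.x flags --resolver-address, --provider-name and --provider-key, the listener on 127.0.0.1:53, a service account named dnscrypt, and a resolver list that you fill in yourself. The OpenDNS address and provider name are the defaults documented for dnscrypt-proxy 1.x; the eu-backup entry and both provider keys are placeholders.

```shell
#!/bin/sh
# Added example (not vert's code, not part of DNSCrypt): probe the local
# dnscrypt-proxy and, when the upstream resolver stops answering, restart the
# proxy against the next entry in RESOLVERS. Intended for cron, e.g.
#   * * * * * /usr/local/sbin/dnscrypt-failover check
# Assumptions not stated on the page: dnscrypt-proxy 1.x flags
# --resolver-address/--provider-name/--provider-key, a listener on
# 127.0.0.1:53, and a service account named "dnscrypt". Provider keys are
# placeholders: get each from the provider and verify it out of band.
set -eu

# name|resolver address|provider name|provider public key
# (opendns address and provider name are the dnscrypt-proxy 1.x documented
# defaults; eu-backup is an illustrative placeholder on TEST-NET-1)
RESOLVERS='
opendns|208.67.220.220:443|2.dnscrypt-cert.opendns.com|<OPENDNS-PROVIDER-KEY>
eu-backup|192.0.2.53:443|2.dnscrypt-cert.example.eu|<EU-PROVIDER-KEY>
'
STATE_FILE=${STATE_FILE:-/var/run/dnscrypt-active}   # remembers the active entry
PROBE_NAME=example.com

# Print the resolver names in list order.
resolver_names() { printf '%s\n' "$RESOLVERS" | awk -F'|' 'NF == 4 { print $1 }'; }

# Print field $2 (2 address, 3 provider name, 4 key) of the entry named $1.
resolver_field() {
    printf '%s\n' "$RESOLVERS" | awk -F'|' -v n="$1" -v f="$2" '$1 == n { print $f; exit }'
}

# Print the entry after $1, wrapping around; an unknown name yields the first.
next_resolver() {
    resolver_names | awk -v cur="$1" '
        NR == 1   { first = $0 }
        hit       { print; done = 1; exit }
        $0 == cur { hit = 1 }
        END       { if (!done) print first }'
}

# Print the command that runs the proxy against entry $1; fail if unknown.
proxy_cmdline() {
    addr=$(resolver_field "$1" 2); prov=$(resolver_field "$1" 3); key=$(resolver_field "$1" 4)
    [ -n "$addr" ] || return 1
    printf 'dnscrypt-proxy --daemonize --user=dnscrypt --resolver-address=%s --provider-name=%s --provider-key=%s\n' \
        "$addr" "$prov" "$key"
}

# One query through the local listener; short timeout so cron never hangs.
resolver_healthy() {
    dig +short +time=2 +tries=1 "$PROBE_NAME" @127.0.0.1 | grep -q .
}

# Restart the proxy against entry $1 and record it as active.
switch_to() {
    pkill -x dnscrypt-proxy || true
    eval "$(proxy_cmdline "$1")"
    printf '%s\n' "$1" > "$STATE_FILE"
    logger -t dnscrypt-failover "switched to resolver $1"
}

check() {
    current=$(cat "$STATE_FILE" 2>/dev/null || echo opendns)
    resolver_healthy && return 0
    target=$(next_resolver "$current")
    logger -t dnscrypt-failover "resolver $current failed the probe; switching to $target"
    switch_to "$target"
}

if [ "${1:-}" = "check" ]; then check; fi
```

Two caveats. The provider key is what authenticates the resolver you are talking to, so a backup entry whose key you have not verified yourself turns a failover into an opportunity for whoever answers on that address. And a failed probe can just as well mean the host has lost connectivity, in which case the script will cycle through the list to no effect; logging every switch to syslog, as above, is what lets you tell the two cases apart afterwards.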


100% Tier-1 Gogent
Is it compatible with any existing lookup client eg browser? Or do you still need to patch everything?
Yes, fully compatible with everything on your computer that does name lookups. No patching of anything required.

Just follow the install above and it should work 100%.