More info on the DNSCrypt protocol can be found here: https://dnscrypt.info/
DNSCloak is an iOS app available in the App Store. I’m guessing here, but the reason it is allowed on the store is that its purpose is securing DNS connections, while AdGuard Pro, which does secure the DNS connection too, also uses it to block ads/trackers/malware systemwide. In Apple's view, this is a violation.
So, what if you use DNSCloak to connect to AdGuard? You get roughly the DNS functionality from AdGuard Pro.
On the Mac, there is no secure DNS functionality built into AdGuard, so you have to use DNSCrypt to secure your connection to the AdGuard DNS server anyway.
dnscrypt supports DoH; you can see if this stamp works for RethinkDNS:
sdns://AgcAAAAAAAAAAAAUYmFzaWMucmV0aGlua2Rucy5jb20KL2Rucy1xdWVyeQ
You can generate stamps from here: https://dnscrypt.info/stamps/
You can create your own DNS stamp for backends you explicitly want to use and define them manually in your config:
Then simply ignore the normal resolver list entries.
This. Dnscrypt.info has a similar list, with IPs and hostnames (click on name and see addresses field).
https://dnscrypt.info/public-servers/
I use a mix of pihole for logging/filtering and use firewall rules to transparently redirect dns traffic to my pihole. DoT and DoH are blocked via firewall rules and hostnames.
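As an added illustration of the set-up just described (my own example, not code from the comment author or from Pi-hole), the following Python script evaluates constructed outbound connection records the way such a firewall policy would: plain DNS that is not headed for the local Pi-hole is redirected to it, DoT is blocked by its dedicated port, and DoH is blocked by hostname. The Pi-hole address and the DoH hostname list are assumptions for the example; the exemption for the Pi-hole's own upstream queries is the one check that is easy to forget when writing the real rules.

```python
"""Added example: a dry-run of a 'redirect plain DNS, block DoT/DoH' policy
over constructed flow records, so the decisions can be reviewed before they
are turned into firewall rules. Not part of the original thread."""
from dataclasses import dataclass

PIHOLE_IP = "192.168.1.53"  # assumption: LAN address of the Pi-hole
# Assumption: hostnames the firewall/blocklist treats as DoH endpoints.
# Anything not on this list passes, which is the weak point of blocking by hostname.
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "doh.example.net"}


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    sni: str = ""  # TLS server name, when the firewall can see it


def decide(flow: Flow) -> tuple[str, str]:
    """Return (action, reason) for one outbound flow."""
    # The resolver itself must be allowed to reach upstream, or it loops onto itself.
    if flow.src == PIHOLE_IP:
        return "allow", "Pi-hole upstream traffic is exempt"
    if flow.port == 53 and flow.proto in ("udp", "tcp"):
        if flow.dst == PIHOLE_IP:
            return "allow", "plain DNS to the local resolver"
        return "redirect", f"plain DNS to {flow.dst} rewritten to {PIHOLE_IP}"
    if flow.port == 853 and flow.proto == "tcp":
        return "block", "DoT uses a dedicated port and is easy to identify"
    if flow.port == 443 and flow.sni in DOH_HOSTNAMES:
        return "block", f"TLS to known DoH endpoint {flow.sni}"
    return "allow", "not DNS-related (or DoH to an unlisted host)"


# Constructed sample flows; the addresses are documentation/private ranges.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.53", 53, "udp"),
    Flow("192.168.1.20", "8.8.8.8", 53, "udp"),
    Flow("192.168.1.21", "1.1.1.1", 853, "tcp"),
    Flow("192.168.1.22", "203.0.113.5", 443, "tcp", sni="dns.google"),
    Flow("192.168.1.22", "203.0.113.6", 443, "tcp", sni="example.org"),
    Flow("192.168.1.53", "9.9.9.9", 53, "udp"),
]


def audit(flows):
    """Apply the policy to each flow and return the decisions as rows."""
    return [(f.src, f.dst, f.port, *decide(f)) for f in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

The unlisted-host case is the caveat: hostname-based DoH blocking only catches endpoints you already know about, and it needs a visible server name in the TLS handshake to work at all.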
Interesting, I will certainly have to do more reading then since I did switch over to DNSCrypt resolver from TLS. Any idea how relevant this critique is with the release of DNSCrypt v2? https://dnscrypt.info/protocol/
From the brief follow-up reading I've done, it seems that DNSCrypt opens us up to correlation attacks more than DoT would.
Yes you can. There are three protocols: DoT (DNS over TLS), DoH (DNS over HTTPS), and DNSCrypt (I believe this protocol took the core of DoH and built upon it). The most common is DoH due to its versatility, ease of use, support, and security, in addition to it being integrated into some modern web browsers.
Overall, there's no best, but each have their own pros and cons.
DoT can have its use cases due to its dedicated port, but overall people generally use DoH due to its ease of setup and slight security benefit.
DoH is by far the most common encrypted DNS protocol. It's easy to set up and use, most major DNS providers support it, and it's slightly more secure than DoT. This security is due to the port used. DoT has a dedicated port, making the traffic stand out, whereas DoH uses the default HTTPS port, making this traffic blend in and hard to stop.
DNSCrypt provides many benefits, which are gone over on their page here: https://dnscrypt.info/. It's considered to be the most secure and anonymous protocol. Many people don't know about it though, and for some it can be a little challenging to set up (overall it's relatively easy, though not quite as easy as DoH).
Currently I personally use a Pi-hole as my DNS server, using DoH via cloudflared (Cloudflare's DoH service). However, I plan on switching from DoH to DNSCrypt when I get a chance to set up dnscrypt on the device.
That is not completely true, you are mixing different protocols and standards together with TLS. Your ISP would only see the top level although they are practicing TLS interception to decrypt and encrypt traffic passing through their network. DNS encryption has a number of different encryption methods. What you are thinking of is DoH, which does use TLS and reveals part of the request in the headers. I think this is one of the weaker methods.
If you want a list of the different encryption projects for DNS, I recommend going to https://dnscrypt.info.
If you want to cut your ISP out, then the best way is going to be using a transparent proxy that uses both a recursive DNS like unbound and a DNS forwarding proxy that uses dnscrypt-proxy v2.
Yeah, unsure why NextDNS removed the DNS "stamp" from the setup page. But you can determine it yourself with this tool (run offline or use the demo site) and these options:
Then you can paste this at the bottom of DNSCloak's config file:
[static.'NextDNS']
stamp = '<your stamp>'
Side note, this is what I use sometimes when running a self-hosted Algo VPN (since Algo uses dnscrypt-proxy) :)
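Both the RethinkDNS stamp posted earlier and the NextDNS `[static.'…']` entry above are DNS stamps, the `sdns://` strings dnscrypt-proxy and DNSCloak read. The following Python script is my own added example (not code from the thread, from dnscrypt-proxy or from DNSCloak) that encodes and decodes stamps according to the layout documented at https://dnscrypt.info/stamps/, so you can check what a stamp actually points at before trusting it, or build one for a backend the public list does not cover. The RethinkDNS stamp from the thread is used as the sample input; the `static_entry` helper, the function names and the 192.0.2.x address in the DNSCrypt example are assumptions for this example, and the optional trailing bootstrap-IP field of DoH stamps is ignored.

```python
"""Added example: encode/decode sdns:// DNS stamps (DNSCrypt and DoH kinds).
Layout per the stamp spec: protocol byte, 8 little-endian property bits,
then length-prefixed (LP) fields; VLP is a list of LP items whose length
byte has the high bit set while more items follow. Not from the thread."""
import base64
import struct

PROPERTY_BITS = {1: "DNSSEC", 2: "No logs", 4: "No filter"}
PROTO_DNSCRYPT, PROTO_DOH = 0x01, 0x02


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _lp(data):  # LP(x): one length byte, then x
    if len(data) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return bytes([len(data)]) + data


def _vlp(items):  # VLP: LP per item, 0x80 set on all but the last; empty set is 0x00
    if not items:
        return b"\x00"
    out = b""
    for i, item in enumerate(items):
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return out


def _read_lp(buf, pos):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


def _read_vlp(buf, pos):
    items = []
    while True:
        n = buf[pos]
        item = buf[pos + 1:pos + 1 + (n & 0x7F)]
        pos += 1 + (n & 0x7F)
        if item:
            items.append(item)
        if not n & 0x80:
            break
    return items, pos


def parse_stamp(stamp):
    """Decode an sdns:// stamp into a dict of its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    buf = _b64url_decode(stamp[len("sdns://"):])
    proto = buf[0]
    props = struct.unpack_from("<Q", buf, 1)[0]
    addr, pos = _read_lp(buf, 9)
    info = {"protocol": proto, "props": props, "addr": addr.decode(),
            "flags": [name for bit, name in PROPERTY_BITS.items() if props & bit]}
    if proto == PROTO_DNSCRYPT:
        pk, pos = _read_lp(buf, pos)
        name, pos = _read_lp(buf, pos)
        info.update(public_key=pk.hex(), provider_name=name.decode())
    elif proto == PROTO_DOH:
        hashes, pos = _read_vlp(buf, pos)
        host, pos = _read_lp(buf, pos)
        path, pos = _read_lp(buf, pos)
        info.update(hashes=[h.hex() for h in hashes],
                    hostname=host.decode(), path=path.decode())
    else:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    return info


def make_doh_stamp(hostname, path="/dns-query", addr="", props=7, cert_hashes=()):
    """Build a DoH stamp; props=7 means DNSSEC + no logs + no filter."""
    body = (bytes([PROTO_DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _vlp([bytes.fromhex(h) for h in cert_hashes])
            + _lp(hostname.encode()) + _lp(path.encode()))
    return "sdns://" + _b64url_encode(body)


def make_dnscrypt_stamp(addr, public_key_hex, provider_name, props=7):
    """Build a DNSCrypt stamp from address, 32-byte provider key and provider name."""
    body = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _lp(bytes.fromhex(public_key_hex)) + _lp(provider_name.encode()))
    return "sdns://" + _b64url_encode(body)


def static_entry(name, stamp):
    """Render the [static] block used in dnscrypt-proxy/DNSCloak TOML configs."""
    return f"[static.'{name}']\nstamp = '{stamp}'\n"


# The RethinkDNS stamp posted in the thread, used here as sample input.
RETHINK_STAMP = "sdns://AgcAAAAAAAAAAAAUYmFzaWMucmV0aGlua2Rucy5jb20KL2Rucy1xdWVyeQ"

if __name__ == "__main__":
    print(parse_stamp(RETHINK_STAMP))
    print(static_entry("RethinkDNS", make_doh_stamp("basic.rethinkdns.com")))
```

Decoding the thread's stamp shows a DoH endpoint at basic.rethinkdns.com with path /dns-query, no pinned certificate hashes and all three property bits set; building the same stamp from those fields reproduces the string exactly, which is a quick way to confirm a stamp says what a provider claims.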
Running a local recursive server helps with:
- Not sending data to a DNS service (Google, Cloudflare, Quad9, etc).
- Reducing the risk of DNS poisoning.
Everything else depends on your ISP and everything between your server and root/authoritative servers:
- Some ISPs intercept DNS queries, including the ones from a local recursive server.
- You still need to trust your ISP (and everyone else) not to be evil because queries aren't encrypted (and can be spied on) and only part of the queries can be authenticated. It's not just a question of trusting a DNS service or root servers.
- DNSSEC is optional and needs to be enabled by the domain owner/operator. Adoption is slow.
- Authoritative servers can track you. This is also true for DNS services that send EDNS data, but some (e.g. Cloudflare) don't.
Running a local recursive server is good for some users and bad for others. From a privacy and security point of view, sometimes it makes sense to run your own server and sometimes it's better just to use one of the many encrypted DNS servers/services, even if that increases the risk of DNS poisoning. I disagree with the view that DNS encryption is worthless just because we still use things like plain-text SNI and not eSNI.
I've used Unbound before (using the guide you linked), but moved to DoH (also using the guide on Pi-hole's website) because sometimes it was slow(er) and because my previous ISP intercepted queries. Now I'm using DNSCrypt, which seems to be less buggy than DoH via cloudflared and even allows users to proxy queries via multiple servers so the DNS server doesn't know who's making the query.
There are upsides and downsides with both solutions, so I don't think this is a question of you being wrong and me being right (or vice-versa). It's just that people have different ISPs, live in different countries with different laws, and end up trusting different things.
> They’re the protocols used by the clients; DoH is inherently more secure than DoT (DNS over HTTPS).
>
> Adguard means well, but the app won’t give you a DoH connection even when using their DoH servers. The only app found to force DoH properly was 1.1.1.1, unfortunately run by Cloudflare.
>
> Proxy info: https://dnscrypt.info/implementations
I see, what are you using?
So DoH & DNSCrypt do the same thing, but DNSCrypt has the option to hide my IP too (the Anonymized DNS), & if I use one of them my ISP or anyone won't see my queries, I mean in both cases it will be the same thing (yeah sorry, I have been overthinking this so I ask stupid things xD). Also, as a mod, which one would you go for if you care more about privacy & hiding yourself? If you were me, which one would you select?
> You can also see the list here: https://dnscrypt.info/public-servers and click on server names to get details
daaaaamn, I never knew this xD (I mean the click-on-name thing)
DNSCrypt is very much alive, I get updates for my PC and android phone clients all the time.
Here is a comparison with pros and cons with all protocols, check it out:
- Portability: DoH
- RFC standard: DoT
- Encryption+customization: DNSCrypt
You can always (and of course, it's recommended) compare them side-by-side, and depending on your needs you can make a well-educated choice.
> It also wasn't clear about whether an arbitrary DNS server would support this.
I suppose support will appear over time, but yeah, a list of servers would be great. Because if the place you're getting DoH from is going to be either Google or Cloudflare, you'd better go for DNSCrypt servers.
Enter this website and choose at least 20 DNS servers that have the DNSCrypt feature.
https://dnscrypt.info/public-servers/
Then download this little program and test the speed of the servers.
https://www.grc.com/dns/benchmark.htm
Finally use those servers forever.
No Google, No Whatsapp, No Apple, No Instagram, No CRY.