
This is an old revision of the document!


DNSCrypt

DNSCrypt is a protocol specifically designed to encrypt and authenticate DNS communication between a DNS client and a DNS resolver. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

Some OpenNIC Tier 2 servers support DNSCrypt. To get started with DNSCrypt at OpenNIC, you need five things:

(Example based on ns1.any.dns.opennic.glue)

  • dnscrypt-proxy installed - See this for more information
  • The server's IP address (185.121.177.177)
  • The port on which this server listens for DNSCrypt-encrypted queries
  • The DNSCrypt provider name (2.dnscrypt-cert.dnsrec.meo.ws)
  • The DNSCrypt provider key (1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5)

You can test if the server is indeed configured correctly and working for you by executing:

dnscrypt-proxy -r $IP:$PORT -N $NAME -k $KEY

Example:

dnscrypt-proxy -r 185.121.177.177:5353 \
               -N 2.dnscrypt-cert.dnsrec.meo.ws \
               -k 1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5

The example command should produce an output similar to this:

[NOTICE] Proxying from 127.0.0.1:53 to 185.121.177.177:5353

If this is not the case and an error comes up, please double-check that you copied everything correctly and try with another server or port.
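One way to do that double-check before starting the proxy, as an added example that is not part of the original page or of dnscrypt-proxy: the hypothetical helper check_dnscrypt_params tests the format of the three values. It assumes an IPv4 resolver address, a provider name of the 2.dnscrypt-cert.<domain> form shown above, and a key written as 16 colon-separated groups of 4 hex digits.

```sh
#!/bin/sh
# Added example: check_dnscrypt_params is a hypothetical helper, not part of
# dnscrypt-proxy. It checks only the *format* of the three values; it cannot
# tell whether the key really belongs to the server.

# like VALUE ERE: succeeds if VALUE matches the anchored extended regex.
like() { printf '%s\n' "$1" | grep -Eq "$2"; }

check_dnscrypt_params() {
    resolver=$1; name=$2; key=$3; rc=0
    ip=${resolver%:*}; port=${resolver##*:}
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

    # -r: IPv4 address and port (assumption: IPv4 only, as in the page's example)
    if [ "$ip" = "$resolver" ]; then
        echo "resolver must be IP:PORT, got: $resolver" >&2; rc=1
    else
        like "$ip" "^($octet\.){3}$octet\$" ||
            { echo "bad IPv4 address: $ip" >&2; rc=1; }
        { like "$port" '^[0-9]{1,5}$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
            { echo "bad port: $port" >&2; rc=1; }
    fi

    # -N: provider name, the "2.dnscrypt-cert." prefix followed by a hostname
    like "$name" '^2\.dnscrypt-cert\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$' ||
        { echo "bad provider name: $name" >&2; rc=1; }

    # -k: provider key, 16 colon-separated groups of 4 hex digits (32 bytes)
    like "$key" '^[0-9A-Fa-f]{4}(:[0-9A-Fa-f]{4}){15}$' ||
        { echo "bad provider key (expected 16 groups of 4 hex digits)" >&2; rc=1; }

    return "$rc"
}

# Values from the example on this page.
if check_dnscrypt_params 185.121.177.177:5353 \
       2.dnscrypt-cert.dnsrec.meo.ws \
       1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5
then
    echo "parameters are well-formed"
fi
```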

Depending on which of the available clients you chose, you might need to edit a CSV file, edit a configuration file, or click through a few configuration settings to get started.

Once your DNSCrypt client is running, you can point your local system's DNS settings at 127.0.0.1:53 (or a different port if you specified one with -a or --local-address=).

  • /wiki/data/attic/opennic/dnscrypt.1501480394.txt.gz
  • Last modified: 7 years ago
  • by fusl