Secure Your DNS

DNSCrypt encrypts, authenticates and optionally anonymizes communications between your DNS client and resolver. It prevents DNS spoofing by using cryptographic signatures to verify that responses haven't been tampered with.

Why DNSCrypt?

A protocol built for privacy, security, and performance from the ground up.

Secure from the first packet
Unlike DNS-over-TLS and DNS-over-HTTPS, which require resolving a hostname through plaintext DNS first, DNSCrypt clients are configured with an IP address and a public key. Encryption starts from the very first query.

No Certificate Authorities
DNSCrypt eliminates dependency on certificate authorities entirely. Each resolver maintains a static public key verified through cryptographic signatures, making it resistant to CA compromises and state-level coercion.

Decentralized by design
Anyone can run a resolver without requiring approval from corporate gatekeepers. This contrasts with DoH's concentration among major CDN providers like Cloudflare and Google.

Censorship resistant
DNSCrypt traffic has no SNI, no HTTP signature, and no fixed port. Combined with Anonymized DNS relays, it offers strong protection against traffic analysis and blocking.

High performance
Zero-RTT operation with no handshake delay, native parallelism with multiple queries in flight, and consistently lower latency than DoH even when DoH uses HTTP/3.

Extensible protocol
Built-in query padding, multiple crypto suites (X25519, Ed25519), anonymized relays, and room to evolve without requiring cross-layer redesigns.

History

The DNSCrypt protocol was specifically designed for secure DNS communications. DNSCrypt version 2 was specified and implemented in 2013.

Anonymized DNS

In October 2019, Anonymized DNS was announced. It improves on the original protocol and DoH by hiding client IP addresses in addition to encrypting queries.

Join the Community

Connect with other DNSCrypt users, ask questions, and stay updated on the latest developments.

Visit r/dnscrypt