dnscry.pt - Public DNSCrypt resolvers hosted by LowEnd providers
Let me introduce you to...
The project has existed since December 2022, but I wanted to make sure that everything's running smoothly before I expose it to the LET crowd.
In a nutshell, DNSCrypt is a protocol which encrypts and authenticates your DNS requests, so that a third party (like your ISP) can no longer tinker with them. You have to run a DNSCrypt client like dnscrypt-proxy locally or in your network and point your DNS requests there instead of towards your Wi-Fi router or public resolvers like Google's 8.8.8.8. Your DNSCrypt client will take care of the encryption and forward your requests to a public DNSCrypt resolver (like one of those I run for dnscry.pt).
None of the resolvers do any filtering of any kind. I don't store any logs of your requests. All I do is collect metrics using Munin.
Most of the servers have been taken from my collection of idlers, but I'd like to give a shout-out to our generous sponsors who provide resources to the project free of charge:
- Terrahost (Sandefjord and Amsterdam)
- Kuroit (London)
- Internetport (Stockholm)
If you're interested in giving it a try, further instructions can be found here. There's also a list of all resolvers.
If you're using dnscrypt-proxy, you don't have to handpick resolvers near your location. Instead, use the auto-generated resolver list. Configuration instructions can be found in the file header or in the "Get Started" guide on the website.
I hope this is useful for some of you. I've been using DNSCrypt for years and have switched to my own resolver list recently.
Let me know if you have any feedback or questions. I'm also open for suggestions for new locations.
Comments
Finally briuges posted here. Another green forum has had this for ages.
I'm wondering what the speeds are like.
Theoretically, at least twice as slow as a normal DNS query.
Due to computation for encryption?
Great project. Any plans on putting DoT and/or DoH on those machines? I am more of a DoT fan.
No: the redirect to a local proxy, a less-used DNS (at least compared to anycast Google), repacking the request, etc. Try a regular and a DNSCrypt request and see the difference. Use a domain you haven't queried before to see the whole chain's response time.
Your ISP's resolvers or Google/Quad9 will likely be a few milliseconds faster - I don't have as many POPs as they do (yet).
Here's an example using my shitty Vodafone Cable home connection (compare the "Query time"):
I repeated that test multiple times and got response times between 23 ms and 86 ms for Quad9 and between 29 ms and 63 ms for dnscry.pt. It all depends on your connection and how far you are from the nearest POP.
I stand corrected. It still adds up on complex pages as most are these days.
Exactly... I do cache responses so my resolvers won't dig through the whole DNS hierarchy for every request, but the big ones have way more cache hits. Still, it's a matter of milliseconds and the internet doesn't feel any slower for me since I switched to DNSCrypt, even with my Pi-hole in the chain.
It's been a while since I looked into DoT/DoH. I'm using the Rust implementation (https://github.com/DNSCrypt/encrypted-dns-server) on my resolvers which has support for DoH but needs another component (https://github.com/DNSCrypt/doh-server) + certificates to be installed.
So it might or might not happen in the future.
You need something like what Jin Maek does - he sends out mini ARM servers to have a huge number of POPs for his ping service.
I wonder, did you reach out to the "sponsor hosts", or did they reach out to you? Seems like a cool thing to support!
Both - 3 out of 5 providers I contacted can be found in the OP, the other two did not respond.
I also got three offers from providers but the locations they offered are already covered. But thinking about it, it won't hurt to have multiple resolvers in the same region...
Thanks
Let me know if you want some VMs.
Can do, right now:
In the next couple of months I will have:
Will be happy to float you resources in those two new locations as well.
Thanks to @MannDude , @crunchbits and @skhron, who are generously providing VMs for the project, we're now running 40 resolvers 🎉
The dnscry.pt resolvers were added yesterday to the "official" list of DNSCrypt resolvers that ships with dnscrypt-proxy by default, which I'm very happy about.
I'm currently looking into adding DoH support to the resolvers, which isn't as difficult as I thought, but it would still require a weekend or two to get this done properly.
Let's have another round of stickers to celebrate 40 dnscry.pt resolvers. If you'd like to pimp your laptop or your neighbor's car (don't!), send me your postal address (please include the country!) and whether you'd like one or two* stickers. When they're gone, they're gone.
* I may only send one if I run out of stickers...
No DoT
Congrats on reaching 40; we need great people like you running stuff like encrypted DNS.
There is a small difference between them; I suppose a server that provides DoH is capable of serving DoT as well.
+1 for dot
Any plans on anonymized dns support?
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS
Anonymized DNS might be added this weekend. DoH is next on my agenda.
The software stack I use at the moment does not have DoT support, so that's unlikely to happen.
Also: Last call for stickers! If you want some, let me know within the next 24h. I'll get the next batch shipped on Wednesday.
Great work so far, looking forward to reading the update posts.
Stickers have been sent out to anyone who reached out!
Salt Lake City will be removed soon due to networking issues the provider is unable to resolve. I'll add Las Vegas instead (nowhere close, I know...), and Los Angeles and another location in the Netherlands (sponsored by Crowncloud) will be added soon™.
The sticker do be looking shiny
There seem to be some issues with the DNSSEC implementation, according to dnscheck.tools.
Weird. I don't get such error. Could you send me the resolvers you use ("Your DNS resolvers are:" on the website) so I can check?
Your DNS resolvers are:
EU-SKHRON-20230626
88.218.206.137
ptr: 88.218.206.137.hosted-by.skhron.com.ua
Warsaw, Mazovia, PL
EU-SKHRONV6-20230626
2a09:b280:fe00:24::a
ns: ns1.skhron.com.ua
Warsaw, Mazovia, PL
PL-MEV-20130117
2a03:cfc0:803f:964:b5fa:0:1:96c6
ns: ns1.webhorizon.net
Warsaw, Mazovia, PL
WebHorizon
185.244.30.123
Warsaw, Mazovia, PL
I did some tests (with dnscheck.tools and manually using dig) and I'm unable to reproduce the issue:
The resolvers' config looks fine as well. Are you still seeing the errors? Maybe it was some weird temporary issue?
Hmm, this is weird. 5 minutes ago everything passed, but now it's back to the initial state.
Nice work, I'll try it now.
I did some more checks and testing, but I can't find any issue with the config. Is it always the same checks that fail on the website?
Due to the Dedipath closure I have replaced the resolver in Atlanta with a generous donation by KnownHost. Two resolvers sponsored by Crowncloud in Amsterdam and Los Angeles have been provisioned as well. Thanks for supporting the project!
I planned to add Jacksonville and Las Vegas but those servers were hosted by Dedipath, so that won't happen until I find a replacement. Denver is deprecated as well and may go offline anytime. Still looking for a replacement.
I'll be on vacation for the next two weeks, so Anonymized DNS is delayed further. It's not that difficult to enable, it's just a flag in the config files, but I have to adapt my tool to generate the resolver lists to create another list for anonymized relays. Stay tuned.
Exciting news (at least for some, hopefully): All resolvers support Anonymized DNSCrypt and DNS over HTTPS (DoH) now.
I have zero experience with DoH, so please test them and let me know if you run into any issues.
New resolver lists:
And we have some new locations:
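The resolver lists the first post points to, and the relay and DoH lists this update adds, are made of DNS stamps: `sdns://` strings that pack a server's address, the provider's public key and its advertised properties (DNSSEC, no logs, no filtering) into one base64url blob. The following Python is an added example, not the dnscry.pt list generator and not dnscrypt-proxy code. It encodes and decodes DNSCrypt, DoH and Anonymized DNSCrypt relay stamps following the public stamp specification (https://dnscrypt.info/stamps-specifications), and shows the kind of check a client makes when `require_nolog` / `require_nofilter` are set: refuse any list entry whose stamp does not advertise those properties. Every address, key and provider name in it is a constructed placeholder, none of them belong to dnscry.pt.

```python
"""Encode/decode DNS stamps (sdns://...) as found in dnscrypt-proxy resolver
and relay lists. Added example code; layout per the public DNS stamp spec.
All addresses, keys and names below are constructed for the example."""
import base64
import struct

# Protocol identifier: first byte of the binary stamp
PROTO_DNSCRYPT = 0x01
PROTO_DOH = 0x02
PROTO_RELAY = 0x81   # Anonymized DNSCrypt relay: address only, no key, no props

# Informal properties: little-endian uint64 bit field, self-declared by the operator
PROP_DNSSEC = 1 << 0
PROP_NO_LOGS = 1 << 1
PROP_NO_FILTER = 1 << 2
PROP_NAMES = {PROP_DNSSEC: "DNSSEC", PROP_NO_LOGS: "NoLogs", PROP_NO_FILTER: "NoFilter"}


def _lp(data):
    """Length-prefixed field: one length byte, then the bytes."""
    if len(data) > 255:
        raise ValueError("field longer than 255 bytes")
    return bytes([len(data)]) + data


def _vlp(items):
    """Length-prefixed list: high bit of the length byte means 'more elements
    follow'; an empty list is encoded as a single zero byte."""
    if not items:
        return b"\x00"
    return b"".join(bytes([(0x80 if i < len(items) - 1 else 0) | len(item)]) + item
                    for i, item in enumerate(items))


def _to_stamp(body):
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


def encode_dnscrypt(props, addr, public_key, provider_name):
    """DNSCrypt resolver stamp. The 32-byte provider key is what the client
    uses to verify the certificate it fetches from provider_name."""
    if len(public_key) != 32:
        raise ValueError("DNSCrypt provider key must be 32 bytes")
    body = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
            + _lp(addr.encode()) + _lp(public_key) + _lp(provider_name.encode()))
    return _to_stamp(body)


def encode_doh(props, addr, hostname, path, hashes=(), bootstrap_ips=()):
    """DoH stamp; hashes are optional SHA-256 digests of certificates in the chain."""
    body = (bytes([PROTO_DOH]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _vlp([bytes(h) for h in hashes]) + _lp(hostname.encode())
            + _lp(path.encode()) + _vlp([ip.encode() for ip in bootstrap_ips]))
    return _to_stamp(body)


def encode_relay(addr):
    """Anonymized DNSCrypt relay stamp: the relay only forwards encrypted packets."""
    return _to_stamp(bytes([PROTO_RELAY]) + _lp(addr.encode()))


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stamp")
        self.pos += n
        return chunk

    def lp(self):
        return self.take(self.take(1)[0])

    def vlp(self):
        items = []
        while True:
            tag = self.take(1)[0]
            if tag & 0x7F:
                items.append(self.take(tag & 0x7F))
            if not tag & 0x80:
                return items


def parse_stamp(stamp):
    """Decode an sdns:// stamp into a dict; rejects unknown protocols and trailing bytes."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    r = _Reader(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    proto = r.take(1)[0]
    if proto == PROTO_DNSCRYPT:
        out = {"proto": "DNSCrypt", "props": struct.unpack("<Q", r.take(8))[0],
               "addr": r.lp().decode(), "public_key": r.lp(),
               "provider_name": r.lp().decode()}
    elif proto == PROTO_DOH:
        out = {"proto": "DoH", "props": struct.unpack("<Q", r.take(8))[0],
               "addr": r.lp().decode(), "hashes": r.vlp(), "hostname": r.lp().decode(),
               "path": r.lp().decode(), "bootstrap_ips": [b.decode() for b in r.vlp()]}
    elif proto == PROTO_RELAY:
        out = {"proto": "AnonymizedRelay", "addr": r.lp().decode()}
    else:
        raise ValueError("unsupported stamp protocol 0x%02x" % proto)
    if r.pos != len(r.data):
        raise ValueError("trailing bytes after stamp")
    if "props" in out:   # turn the bit field into readable property names
        out["props"] = {name for bit, name in PROP_NAMES.items() if out["props"] & bit}
    return out


def acceptable(stamp, required=frozenset({"NoLogs", "NoFilter"})):
    """The check behind dnscrypt-proxy's require_nolog / require_nofilter:
    only use a resolver whose stamp advertises every required property."""
    return required <= parse_stamp(stamp).get("props", set())
```

A relay stamp carries only an address: in Anonymized DNSCrypt the relay forwards the encrypted packet unchanged, so the key that matters is still the resolver's, and a relay list needs nothing more than the 0x81 stamps shown here. The properties are self-declared by the operator, and dnscrypt-proxy only verifies the list as a whole against the publisher's minisign key, so the `acceptable` check is as trustworthy as the list source it came from, no more.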