With so many IETF RFCs and draft RFCs in play, DNS encryption and authentication are hot IT topics.

One hot, non-RFC player is the DNSCrypt protocol ( Official DNSCrypt website ) and related implementations.

Although DNSCrypt was abandoned for a short while in January 2018, it has since been reincarnated - and is arguably now a strong player in the DNS encryption and authentication conversation.

The command-line proxy DNSCrypt-Proxy ( GitHub - jedisct1/dnscrypt-proxy: DNSCrypt Proxy - A flexible DNS proxy, with support for encrypted DNS protocols. ) has been completely rewritten in Go (goodbye, C). Functionality improvements between the original DNSCrypt-Proxy and DNSCrypt-Proxy 2 are huge ( Differences to v1 · jedisct1/dnscrypt-proxy Wiki · GitHub ). Implementations for many platforms ( Official DNSCrypt website ) exist. E.g., now that the dust has settled since DNSCrypt-Proxy 2 was released, Simple DNSCrypt ( Simple DNSCrypt ) works like a charm for me as a Windows-client GUI over the new proxy.

DNSCrypt's FAQ page is quite possibly the world's most interesting, currently-available source of DNS encryption and authentication info/debate:
Official DNSCrypt website

The above FAQ page also includes links to some competing projects (e.g., DNS Privacy Implementation Status - DNS Privacy Project - DNS Privacy Project).

Meanwhile, what had been an insightful analysis of DNSCrypt-Proxy 1 by Tenta published just 2.5 months ago ( Tenta DNS over TLS vs DNSCrypt ) has in my opinion now been rendered in large part outdated and incorrect. The DNSCrypt folks may have offered or may offer a point-by-point, DNSCrypt-Proxy v2-based response to the aforementioned Tenta blog post; I haven't looked for it. Kudos to any of you who find and post it as a comment in this thread.

Given the rocky "development of new standards" world, I imagine that over the next 1-3 years we will see major shifts to the DNS landscape that will cause the data noted on the aforementioned page (Official DNSCrypt website) to change significantly. I am most curious.

Meanwhile, on my Windows devices ( SECURE - Meltcheesedec Security Configuration 2018 ) I use (the newly-reincarnated, stable) Simple DNSCrypt while on networks I control and trust; when on all other networks, I turn off Simple DNSCrypt and turn on my VPN.

For additional platforms, see section 'Pre-built binaries' at GitHub - jedisct1/dnscrypt-proxy: DNSCrypt Proxy - A flexible DNS proxy, with support for encrypted DNS protocols., and the Implementations page Official DNSCrypt website.

What are your thoughts on:
- the future of DNS encryption/authentication?
- DNSCrypt's reincarnation?
 