DNSCrypt is another improvement of DNS that adds security to its transport, invented by our French (cocorico!) friend Frank Denis. Unlike DoT and DoH, DNSCrypt does not use TLS, but re-invents a transport security layer with the specifics of DNS in mind.

The main advantage of DNSCrypt over DoT/DoH is that it can work over UDP. Because UDP is a connectionless protocol, DNSCrypt is not slowed down by TCP and TLS handshakes (those can be mitigated with TCP Fast Open and TLS 1.3 0-RTT resumption, though). There is still a sort of handshake over plain DNS to exchange the keys. Additionally, in case of packet loss, the recovery implemented by TCP might not play well with DNS, which was designed for UDP.

Like DoT, DNSCrypt uses a custom port (UDP/443) which can be easily blocked by firewalls. But it can fall back on the same port as HTTPS when UDP is not reachable. This is harder to detect, but still simpler than DoH, as magic bytes at the start of the protocol are used to distinguish it from HTTPS.
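As an added illustration of that last point (example code written for this page, not code from the original article or from the DNSCrypt project), the classifier below looks at the first bytes of a port-443 payload and tells a TLS handshake apart from DNSCrypt. The 8-byte resolver magic `r6fnvWj8` is the constant from the DNSCrypt specification that opens every DNSCrypt response; the client magic that opens a query is different for each resolver (it comes from the resolver's certificate), so the one used here is a constructed placeholder passed in by the caller. The sample payloads are constructed for the example.

```python
import struct

# Constant from the DNSCrypt specification: every DNSCrypt response
# (UDP or TCP) begins with this 8-byte resolver magic.
DNSCRYPT_RESOLVER_MAGIC = b"r6fnvWj8"

# TLS record layer: content type 0x16 (handshake), then version 0x03 0x0X.
TLS_HANDSHAKE = 0x16
TLS_MAJOR = 0x03
TLS_MINORS = (0x00, 0x01, 0x02, 0x03)


def strip_tcp_length_prefix(data: bytes) -> bytes:
    """DNS and DNSCrypt over TCP prefix each message with a 2-byte
    big-endian length. If the prefix matches the payload, drop it."""
    if len(data) >= 2:
        (length,) = struct.unpack("!H", data[:2])
        if length == len(data) - 2:
            return data[2:]
    return data


def classify(data: bytes, client_magics=(), tcp: bool = False) -> str:
    """Classify the leading bytes of a port-443 payload.

    Returns one of "tls-handshake", "dnscrypt-response",
    "dnscrypt-query" (only when a known client magic is supplied) or
    "unknown". client_magics is the list of 8-byte client magics taken
    from the resolver certificates an operator expects to see.
    """
    if tcp:
        data = strip_tcp_length_prefix(data)
    if (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == TLS_MAJOR and data[2] in TLS_MINORS):
        return "tls-handshake"
    if data.startswith(DNSCRYPT_RESOLVER_MAGIC):
        return "dnscrypt-response"
    for magic in client_magics:
        if len(magic) == 8 and data.startswith(magic):
            return "dnscrypt-query"
    return "unknown"


# Constructed placeholder: a real client magic is read from the
# resolver's DNSCrypt certificate, not hard-coded like this.
SAMPLE_CLIENT_MAGIC = b"\x7f\x01\x02\x03\x04\x05\x06\x07"

# Constructed sample payloads (not real captures).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c4010000c00303") + bytes(16),
    "dnscrypt_udp_response": DNSCRYPT_RESOLVER_MAGIC + bytes(40),
    # TCP variant: 2-byte length (48) then the same 48-byte message.
    "dnscrypt_tcp_response": b"\x00\x30" + DNSCRYPT_RESOLVER_MAGIC + bytes(40),
    "dnscrypt_query": SAMPLE_CLIENT_MAGIC + bytes(60),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {
        "tls_client_hello": classify(SAMPLES["tls_client_hello"]),
        "dnscrypt_udp_response": classify(SAMPLES["dnscrypt_udp_response"]),
        "dnscrypt_tcp_response": classify(SAMPLES["dnscrypt_tcp_response"], tcp=True),
        "dnscrypt_query": classify(SAMPLES["dnscrypt_query"],
                                   client_magics=[SAMPLE_CLIENT_MAGIC]),
        "plain_http": classify(SAMPLES["plain_http"]),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} -> {verdict}")
```

Because the client magic is per-resolver, a query from an unknown resolver's client is reported as "unknown" rather than guessed; a network operator who wants to see DNSCrypt queries on TCP/443 has to supply the client magics of the resolvers in use.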

Because DNSCrypt is a custom security protocol, there are not as many implementations as for TLS. The main implementation is done by its author and is bundled with a proxy solution. There are other implementations embedded into different DNS servers. We plan on adding support for this protocol in the future, but we first have to extract the protocol implementation from DNSCrypt-proxy or re-implement it in order to adapt it to our solution.
