[Dnsmasq-discuss] DNSCrypt - the big picture

Maciej Soltysiak maciej at soltysiak.com
Fri Feb 7 13:15:35 GMT 2014

On Fri, Feb 7, 2014 at 1:42 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:
> I admit it is nice to know that no-one is silently altering DNS queries/responses in transit to a trusted DNS server, but is that being overly paranoid ?
> Appreciate any comments...
I treat dnscrypt as a way to prevent query snooping by my ISP, not as
means to prevent altering.

Alteration of DNS queries can still happen outside the dnscrypt
"tunnel" for non-DNSSEC queries.

If you are using dnscrypt+dnsmasq on a router and have clients talking
regular DNS to that router, your "last mile" is not encrypted. That
may or may not be a risk for you.

My paranoia makes me run my own DNSCrypt server outside my network,
which I trust and have very low latency to, but that still means that
server is doing regular DNS. It is simply located outside of my

So, to me, DNSCrypt is a lightweight encryption tunnel for DNS, which
can still leak queries out. No holy grail, but still a clever way to
"cloak" sensitive traffic.

> Lonnie

p.s. Feel free to try latency on my no-logs, recursive, DNSSEC DNSCrypt
server: http://dc1.soltysiak.com/

