DNSCrypt - running the server
why are you doing this?
There are many publicly available open resolvers using DoT, DoH or DNSCrypt just sitting around the interwebs, waiting to secure the DNS traffic and protect it from whoever is looking.
However, we have still felt the need to run our own, especially since DNS is such a critical piece of infrastructure.
And now we’re offering it for public use.
so what is it?
What we’re running is a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver using dnscrypt-server-docker project. Of course, our resolver is available over both IPv4 and IPv6.
can I haz some plz
Yes! As a matter of fact, you should even be able to get records on OpenNIC domains.
You can try some using the awesome tool doggo
, like so:
doggo --debug --json NS epic. @sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA
example response:
DEBUG[2022-09-01T00:22:23+02:00] initiating DNSCrypt resolver
DEBUG[2022-09-01T00:22:23+02:00] Starting doggo 🐶
DEBUG[2022-09-01T00:22:23+02:00] Attempting to resolve domain=epic. nameserver="144.91.70.62:5443" ndots=0
[
{
"answers": [
{
"name": "epic.",
"type": "NS",
"class": "IN",
"ttl": "86400s",
"address": "ns13.opennic.glue.",
"status": "",
"rtt": "45ms",
"nameserver": "144.91.70.62:5443"
}
],
"authorities": null,
"questions": [
{
"name": "epic.",
"type": "NS",
"class": "IN"
}
]
}
]
dnscrypt-proxy
configuration tips
If you’d, for some reason, like to use exclusively our name servers, simply set
the server_names
in the root section of your dnscrypt-proxy.toml
config
file:
server_names = ['dotya.ml', 'dotya.ml-ipv6']
By default servers are picked based on latency, which is a sane default and it is in fact what we use.
If in need of more granular nameserver selection based on anything other than latency they can additionally easily be filtered (without being explicitly listed) based on:
- logging
- filtering
- DNSSEC capabilities
- DoH, ODoH or DNSCrypt capabilities
- IPv4 or IPv6 availability
Further, we also remove certain players from the equation by simply listing
them in disabled_server_names
, like so:
disabled_server_names = ['google-ipv6', 'cloudflare', 'cloudflare-ipv6', 'cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'yandex', 'apple', 'doh.dns.apple.com']
old news
Update 2022-09-01: the servers are now a part of the official listing at https://dnscrypt.info/public-servers/, so there is no point in adding them manually anymore. Keeping this for posterity.
Paste one or both of the following entries in the [static]
section of your
dnscrypt-proxy.toml
configuration file.
[static]
# IPv4 (144.91.70.62, port 5443)
[static. 'dnscrypt.dotya.ml-ipv4']
stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA'
# IPv6 (2a02:c207:2030:396::1, port 5443)
[static. 'dnscrypt.dotya.ml-ipv6']
stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s'
server configuration
Files used to set up and run this service can be found here:
https://git.dotya.ml/dotya.ml/dnscrypt-server.
It’s a docker-compose
setup managed with systemd
, similar to how Drone CI
is handled.