DNSCrypt - running the server

why are you doing this?

There are many publicly available open resolvers using DoT, DoH or DNSCrypt just sitting around the interwebs, waiting to secure the DNS traffic and protect it from whoever is looking.

However, we have still felt the need to run our own, especially since DNS is such a critical piece of infrastructure.

And now we’re offering it for public use.

so what is it?

What we’re running is a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver using dnscrypt-server-docker project. Of course, our resolver is available over both IPv4 and IPv6.

can I haz some plz

Yes! As a matter of fact, you should even be able to get records on OpenNIC domains.

You can try some using the awesome tool doggo, like so:

doggo --debug --json NS epic. @sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA

example response:

DEBUG[2022-09-01T00:22:23+02:00] initiating DNSCrypt resolver

DEBUG[2022-09-01T00:22:23+02:00] Starting doggo 🐶

DEBUG[2022-09-01T00:22:23+02:00] Attempting to resolve domain=epic. nameserver="" ndots=0
        "answers": [
                "name": "epic.",
                "type": "NS",
                "class": "IN",
                "ttl": "86400s",
                "address": "ns13.opennic.glue.",
                "status": "",
                "rtt": "45ms",
                "nameserver": ""
        "authorities": null,
        "questions": [
                "name": "epic.",
                "type": "NS",
                "class": "IN"

dnscrypt-proxy configuration tips

If you’d, for some reason, like to use exclusively our name servers, simply set the server_names in the root section of your dnscrypt-proxy.toml config file:

server_names = ['dotya.ml', 'dotya.ml-ipv6']

By default servers are picked based on latency, which is a sane default and it is in fact what we use.

If in need of more granular nameserver selection based on anything other than latency they can additionally easily be filtered (without being explicitly listed) based on:

  • logging
  • filtering
  • DNSSEC capabilities
  • DoH, ODoH or DNSCrypt capabilities
  • IPv4 or IPv6 availability

Further, we also remove certain players from the equation by simply listing them in disabled_server_names, like so:

disabled_server_names = ['google-ipv6', 'cloudflare', 'cloudflare-ipv6', 'cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'yandex', 'apple', 'doh.dns.apple.com']

old news

Update 2022-09-01: the servers are now a part of the official listing at https://dnscrypt.info/public-servers/, so there is no point in adding them manually anymore. Keeping this for posterity.

Paste one or both of the following entries in the [static] section of your dnscrypt-proxy.toml configuration file.

  # IPv4 (, port 5443)
  [static. 'dnscrypt.dotya.ml-ipv4']
    stamp = 'sdns://AQcAAAAAAAAAETE0NC45MS43MC42Mjo1NDQzIHF-JiN46cNwFXJleEVWGWgrhe2QeysUtZoo9HwzYCMzITIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC5kb3R5YS5tbA'

  # IPv6 (2a02:c207:2030:396::1, port 5443)
  [static. 'dnscrypt.dotya.ml-ipv6']
    stamp = 'sdns://AQcAAAAAAAAAHFsyYTAyOmMyMDc6MjAzMDozOTY6OjFdOjU0NDMgcX4mI3jpw3AVcmV4RVYZaCuF7ZB7KxS1mij0fDNgIzMhMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmRvdHlhLm1s'

server configuration

Files used to set up and run this service can be found here:
https://git.dotya.ml/dotya.ml/dnscrypt-server. It’s a docker-compose setup managed with systemd, similar to how Drone CI is handled.