The Best Alternatives to DNSCrypt

Learn more about the best alternatives to DNSCrypt.

by Gaya Polat · May. 20, 19 · Presentation

As the number of people to whom the Internet is available continues to grow, it’s more important than ever that you protect your online activity.

Using a VPN and exclusively visiting sites with HTTPS encryption are two such methods of protection. However, other vulnerabilities may still remain. Unencrypted DNS requests sent from your computer leave you exposed to surveillance and even malware attacks.

This may be a bit daunting, but there’s really nothing to fear. In the following article, we’ll break down DNS step-by-step: from what it is to how it may render you vulnerable, and ultimately, to how to solve the often overlooked danger of unencrypted DNS traffic.

What Is a DNS Request?

The Domain Name System (DNS) is a directory that links a website's name to its IP address. Whenever you type the name of a website into your browser, your browser sends that name, the domain part of the Uniform Resource Locator (URL), to the DNS. This is called a DNS request.

In response to the DNS request, your browser receives the IP address of that website – its exact location as specified by a series of numbers. Once your computer knows the IP address, it can send data to the corresponding website.

Why DNS Requests Should Be Encrypted

Almost every action on the Internet begins with a DNS request. However, DNS requests remain largely unencrypted by the vast majority of users. While the data in the DNS is public, the specific requests you make and the data they contain should nonetheless be encrypted.

DNS requests reveal not only the websites you visit but also other metadata regarding related services — like the domains of email contacts or messaging platforms. Because DNS requests are sent in clear and readable text, your online activity can be observed with relative ease.

Most of your devices are configured to automatically contact the DNS server given by the Internet Service Provider (ISP) in use. By exploiting this arrangement, ISPs can secretly gather and share your information with third parties.

Exposing your DNS requests to your ISP also allows it to analyze those queries using advanced methods that may further threaten your privacy. The longer the period of time in which your metadata is visible to the ISP, the more telling your online habits may be.

The threat does not come from your ISP alone. Some malware also exploits your unencrypted DNS traffic in order to gain access to your private data. Malware is even installed on compromised routers in the hope of redirecting you to high-risk DNS servers.

In addition, security agencies are well known for using tools to secretly monitor, surveil, and hijack DNS traffic. If protecting your private data and identity is important to you, then DNS encryption should be among your top priorities.

Does HTTPS Protect You?

While HTTPS, along with other tools, helps to protect your privacy and data, it does not encrypt your DNS requests. When HTTPS is used, all HTTP data is encrypted by Transport Layer Security (TLS) before it is sent and decrypted after it is received.

When you interact with a site using TLS, your sensitive data is safeguarded and cannot be read or modified by cybercriminals. While the data transferred between your device and the site is encrypted, the DNS request — and the metadata it contains — still remains unencrypted.

In fact, because the TLS handshake of an HTTPS connection carries the Server Name Indication (SNI) extension unencrypted, the domains you request are leaked in plain text there as well. Nevertheless, HTTPS remains a viable security feature that is recommended for use at all times in order to protect your private data.

Best Alternatives to DNSCrypt

DNSCrypt was a popular protocol that protected your DNS requests from eavesdropping and man-in-the-middle attacks. DNSCrypt would verify that all communication between your device and the DNS resolver – the first DNS server to be contacted – had not been tampered with.

DNSCrypt.org was taken offline in 2017. However, the DNSCrypt-Proxy is maintained via GitHub for use with the DNSCrypt version 2 protocol. Although support for version two of the DNSCrypt protocol is available at DNSCrypt.info, the long-term future of the protocol is not assured.

While DNSCrypt version 2 remains a noteworthy option, there are alternative methods for encrypting your DNS traffic. Below are four suggested alternatives to help you protect your DNS traffic.

Use a VPN With DNS Leak Protection

A VPN is the simplest alternative to DNSCrypt and also offers the most complete security. However, not all VPNs are created equal. It’s very important that you use a VPN that offers DNS leak protection.

When using a VPN, an encrypted tunnel is established between your computer and the VPN server. Depending on the VPN and its configuration, some or all your traffic is routed through this encrypted tunnel to the VPN server.

VPNs that offer DNS leak protection configure your connection so that all your DNS queries go through the VPN tunnel to their own DNS server. These VPNs simultaneously block traffic to DNS servers provided by your ISP, government agencies, or cybercriminals.

DNS encryption protects your requests from malicious actors, and prevents ISPs from reading content and domain information directly from the DNS request itself. However, there are other methods by which ISPs can monitor your online activity.

No matter the DNS encryption solution you choose, it’s always a good idea to use a leak test to verify that your DNS traffic is properly secured.

Use DNS-Over-TLS

TLS, as previously mentioned, is a security protocol that is used throughout the Internet to secure transfers of data. TLS is commonly used alongside the HTTP protocol. However, a number of DNS services are now compatible with DNS requests transmitted over TLS.

Although DNS-over-TLS (DoT) is a great alternative to DNSCrypt, its client support is still growing and there are not too many options available as of yet. Your easiest solution in this category is Tenta, an open-source project that includes DNS-over-TLS.

Configuring your device to use Tenta’s DNS-over-TLS is easy thanks to their detailed setup tutorials – available for Android, Mac, and Windows. Tenta even provides a free, built-in VPN while browsing via their Android browser.

Stubby is another excellent DNS-over-TLS alternative that encrypts all DNS requests sent from your device. Stubby's default configuration uses a subset of the available DNS Privacy servers. Additional servers (e.g., Cloudflare) can be enabled by users interested in customization.

As more and more people come to understand the growing need to secure DNS traffic, development in DNS-over-TLS will continue to occur, and more options will become available.

DNS-over-TLS is already a great method for protecting your DNS requests if you don’t have a VPN. However, we recommend that you always use a VPN for maximum privacy and protection.

Use DNSCrypt Version 2

While not exactly an alternative, DNSCrypt version 2 picks up right where its predecessor left off. It’s an important and effective option thanks in large part to dnscrypt.info. A number of client implementations of DNSCrypt v2 exist, with DNSCrypt-Proxy being one of the best and most actively maintained choices available.

If you choose to use DNSCrypt version 2, make sure, as always, to test your DNS traffic regularly for any potential leaks.

Use DNSCurve

DNSCurve was actually the blueprint for the original DNSCrypt. Although DNSCurve’s adoption is slightly less mainstream, DNSCurve is, in fact, a worthwhile alternative. DNSCurve uses high-speed, elliptic-curve cryptography to ensure the confidentiality, integrity, and authenticity of DNS queries.

Despite its very high level of security, DNSCurve is relatively easy to install. There’s even a DNSCurve community to guide you along during the process of implementation.

While it may require a bit more know-how than the previous alternatives, DNSCurve affords you an extremely high level of DNS security and is certainly worth a try. Just remember to run a leak test after installation.

Use DNS-Over-HTTPS

DNS-over-HTTPS (DoH) is a relatively new protocol in comparison to the other options listed here. However, it’s already begun to receive widespread support and is believed by some to be the future of DNS Privacy.

Because DoH uses the same standard port as HTTPS traffic — Port 443 — it’s a difficult protocol to block and track. Inspection of your traffic is more difficult as DNS requests can hide among the rest of your encrypted traffic. Blocking your DNS requests also requires blocking all HTTPS traffic.

DoH is quite simple to set up. Major browsers like Firefox even began including it in their products in 2018. Cloudflare's 1.1.1.1 resolver is a terrific option, as it does not track your requests and offers a good privacy guarantee. There's even a 1.1.1.1 app for both Apple and Android devices.
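The wire formats behind the DNS request, DNS-over-TLS and DNS-over-HTTPS options described above, as an added Python example that is not part of the original article: it encodes a DNS request (RFC 1035), frames it as DoT (RFC 7858) and as a DoH GET URL (RFC 8484), and parses a constructed reply. The resolver URL resolver.example is a placeholder, and the reply bytes are constructed for the example.

```python
import base64
import struct

def build_dns_query(name, qtype=1, txid=0):
    """RFC 1035 wire format: 12-byte header + one question (txid 0 suits DoH caching)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD=1
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def dot_frame(msg):
    """DNS-over-TLS (RFC 7858): DNS-over-TCP framing, a 2-byte length prefix, inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg, resolver="https://resolver.example/dns-query"):  # placeholder resolver URL
    """DNS-over-HTTPS (RFC 8484) GET: base64url message, no '=' padding, in the 'dns' parameter on port 443."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(msg).decode().rstrip("=")

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(resp):
    """Return (name, ipv4) for each A record in the answer section of a DNS reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = _read_name(resp, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ".".join(str(b) for b in resp[off:off + 4])))
        off += rdlen
    return out
# Constructed reply to build_dns_query("example.com"): one A record, 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_dns_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The same 29-byte message is what a stub resolver sends in each case; only the transport around it changes, which is why a leak test still matters: it checks where the message actually went.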

Regardless of which option you choose, remember to test for potential DNS leaks early and often.

The Best Way to Encrypt Your DNS Requests

A VPN that offers you DNS leak protection is the simplest and most comprehensive way to protect your DNS traffic. While the alternatives will protect your DNS requests from tampering, only a VPN with DNS leak protection can completely protect your privacy.

Even if you decide not to use a VPN, protecting your DNS traffic is essential if you’re concerned about your online security and privacy. Now is as good a time as ever to take control and prevent your DNS traffic from falling into the wrong hands.

Published at DZone with permission of Gaya Polat. See the original article here.