Feb 16 – 17, 2023 Workshop
Atlanta Marriott Marquis
US/Eastern timezone

DNSCrypt Protocol: Current State and Planned Extensions

Feb 16, 2023, 12:00 PM
Imperial Ballrom (Atlanta Marriott Marquis)

Imperial Ballrom

Atlanta Marriott Marquis

265 Peachtree Center Ave NE Atlanta GA 30303 United States
In-Person Standard Presentation Main Session OARC 40 - Day1


Brian Somers (OpenDNS/Cisco)


DNSCrypt Protocol has been in existence since 2013 and has received considerable attention from the DNS community with several major DNS services providing support. This protocol also has several established client and server side open-source implementations in different programming languages. While not providing end-to-end DNS security, this protocol is designed to protect the ‘last mile’ traffic between a client and recursive name server (resolver) against eavesdropping, spoofing or man-in-the-middle attacks. DNSCrypt protocol has been designed to have cryptographic security for communication between client and its first level resolver while being efficient and adding minimal overhead to the plain text queries.

Several more recent DNS protocol extensions such as DNS over TLS (DoT), DNS over HTTPS (DoH) and most recently DNS over Quic (DoQ) were designed to protect the DNS traffic each with its own target protection context and limitations.

In this presentation, we provide the current state of art and adoption of DNSCrypt protocol and provide comparison with the more recent protocols for protecting the DNS traffic. We also touch upon our current efforts to prepare DNSCrypt RFC and extend the protocol to version 3 to use P-224 or P-256 elliptic curve digital signature algorithm to authenticate sessions and AES-GCM authenticated encryption for DNS traffic.

Primary authors

Brian Somers (OpenDNS/Cisco) Dr Dejan Donin (Cisco)

Presentation materials