DNSCrypt.nl

Free public DNSCrypt and DNS-over-HTTPS server in Amsterdam, NL.

Features

  • DNSSEC validation for better security
  • Caching
  • No logs
  • No censoring and filtering
  • Query prefetching to reduce latency
  • Query minimization for improved privacy
  • No forwarding to external/upstream DNS servers (recursive)
  • Daily certificate rotation for forward secrecy
  • Supporting the latest DNSCrypt v2 protocol version
  • Pi-hole compatible

DNSCrypt v2 server

Server name: dnscrypt.nl-ns0, dnscrypt.nl-ns0-ipv6
Provider name: 2.dnscrypt-cert.ns0.dnscrypt.nl
IPv4 address: 45.76.35.212
IPv6 address: 2001:19f0:5001:30a:5400:ff:fe58:7140
Port: 443

DNS-over-HTTPS server

Server name: dnscrypt.nl-ns0-doh
IPv4 address: 108.61.199.170
IPv6 address: 2001:19f0:5000:8067:5400:ff:fe27:25a2
Port: 443
Query URL: https://doh.dnscrypt.nl/dns-query

Recursive DNS server

The recursive DNS server runs the most recent version of Unbound. The resolver hostname is ns0.dnscrypt.nl, with the IP address 45.76.35.212. Whichever of the two servers you use, it sends its queries to this DNS server, which only accepts queries from DNSCrypt and DNS-over-HTTPS capable clients.

Public key, DNS stamps and verification

Provider key (pkey.ns0)
4C84:FB8C:0511:5DFA:5F97:C5ED:0329:1370:C78A:BCD6:4E15:DD53:AB08:DE72:FB84:4ACA
dnscrypt.nl-ns0 (stamp.ipv4.ns0)
sdns://AQcAAAAAAAAADDQ1Ljc2LjM1LjIxMiBMhPuMBRFd-l-Xxe0DKRNwx4q81k4V3VOrCN5y-4RKyh8yLmRuc2NyeXB0LWNlcnQubnMwLmRuc2NyeXB0Lm5s
dnscrypt.nl-ns0-ipv6 (stamp.ipv6.ns0)
sdns://AQcAAAAAAAAAJlsyMDAxOjE5ZjA6NTAwMTozMGE6NTQwMDpmZjpmZTU4OjcxNDBdIEyE-4wFEV36X5fF7QMpE3DHirzWThXdU6sI3nL7hErKHzIuZG5zY3J5cHQtY2VydC5uczAuZG5zY3J5cHQubmw
dnscrypt.nl-ns0-doh (stamp.doh.ns0)
sdns://AgcAAAAAAAAADjEwOC42MS4xOTkuMTcwID4aGg9sU_PpekktVwhLW5gHBZ7gV6sVBYdv2D_aPbg4D2RvaC5kbnNjcnlwdC5ubAovZG5zLXF1ZXJ5

Server details can be verified by checking out my Keybase public files which are PGP signed by me. Alternatively use dig as shown below.

dig A +short +dnssec ns0.dnscrypt.nl
dig TXT +short +dnssec pkey.ns0.dnscrypt.nl
dig TXT +short +dnssec pname.ns0.dnscrypt.nl
dig TXT +short +dnssec sname.ns0.dnscrypt.nl
dig TXT +short +dnssec ips.ns0.dnscrypt.nl
dig TXT +short +dnssec port.ns0.dnscrypt.nl
dig TXT +short +dnssec stamp.ipv4.ns0.dnscrypt.nl
dig TXT +short +dnssec stamp.ipv6.ns0.dnscrypt.nl
dig TXT +short +dnssec stamp.doh.ns0.dnscrypt.nl

To verify that you are actually using the DNSCrypt.nl DNS server, run a DNS leak test.
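The stamps listed above carry the same address, provider key and provider name that this page publishes separately, so they can be cross-checked offline. The Python below is an added example, not code from DNSCrypt.nl: it decodes the DNSCrypt and DoH layouts described in the public DNS stamps specification, and the function names are illustrative.

```python
import base64

# Values copied from this page: stamp.ipv4.ns0, stamp.doh.ns0 and pkey.ns0.
STAMP_V4 = "sdns://AQcAAAAAAAAADDQ1Ljc2LjM1LjIxMiBMhPuMBRFd-l-Xxe0DKRNwx4q81k4V3VOrCN5y-4RKyh8yLmRuc2NyeXB0LWNlcnQubnMwLmRuc2NyeXB0Lm5s"
STAMP_DOH = "sdns://AgcAAAAAAAAADjEwOC42MS4xOTkuMTcwID4aGg9sU_PpekktVwhLW5gHBZ7gV6sVBYdv2D_aPbg4D2RvaC5kbnNjcnlwdC5ubAovZG5zLXF1ZXJ5"
PROVIDER_KEY = "4C84:FB8C:0511:5DFA:5F97:C5ED:0329:1370:C78A:BCD6:4E15:DD53:AB08:DE72:FB84:4ACA"
# Property bits in the stamp's 64-bit little-endian flags field.
PROPS = {1: "DNSSEC", 2: "no logs", 4: "no filter"}

def read_lp(buf, pos, mask=0xFF):
    """Read one length-prefixed field; return (field bytes, next offset)."""
    if pos >= len(buf) or pos + 1 + (buf[pos] & mask) > len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + (buf[pos] & mask)
    return buf[pos + 1:end], end

def decode_stamp(stamp):
    """Decode a DNSCrypt (0x01) or DoH (0x02) stamp into a dict of fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    # Stamps are unpadded URL-safe base64; restore padding before decoding.
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 10:
        raise ValueError("truncated stamp")
    flags = int.from_bytes(raw[1:9], "little")
    out = {"props": [name for bit, name in PROPS.items() if flags & bit]}
    addr, pos = read_lp(raw, 9)
    out["addr"] = addr.decode()
    if raw[0] == 0x01:
        pk, pos = read_lp(raw, pos)
        provider, pos = read_lp(raw, pos)
        out.update(kind="DNSCrypt", pk=pk.hex().upper(), provider=provider.decode())
    elif raw[0] == 0x02:
        hashes, more = [], True
        while more:  # hash set: high bit of the length byte means "more follow"
            more = pos < len(raw) and bool(raw[pos] & 0x80)
            digest, pos = read_lp(raw, pos, 0x7F)
            hashes.append(digest.hex())
        host, pos = read_lp(raw, pos)
        path, pos = read_lp(raw, pos)
        out.update(kind="DoH", hashes=hashes, host=host.decode(), path=path.decode())
    else:
        raise ValueError("unsupported stamp protocol 0x%02x" % raw[0])
    return out

def key_matches(stamp, published_key):
    """Compare a DNSCrypt stamp's provider key with the colon-grouped key text."""
    return decode_stamp(stamp).get("pk") == published_key.replace(":", "").upper()
```

The same functions can be run on the TXT records returned by the dig commands above, so a stamp obtained from one channel is compared against a key obtained from another.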

More …

Upgraded server

After seeing a further increase in memory usage, almost to the maximum, I decided to upgrade the server. It has been upgraded from Intel Broadwell with 1 GB memory to Intel Skylake with 2 GB memory.

I will continue upgrading it in the future if needed.

Enjoy!

DNS-over-HTTPS server

As of today I have set up a DNS-over-HTTPS server, giving people a choice of whether they want to use DNSCrypt or DNS-over-HTTPS, or even both when using DNSCrypt-proxy, by letting the proxy choose which one to use automatically.

The DNS-over-HTTPS server proxy software that is being used is rust-doh by Frank Denis (jedisct1).

Let me know if you encounter any issues.

Upgraded to DNSCrypt v2 and to Unbound.

As of today you can enjoy using “dnscrypt.nl-ns0” and “dnscrypt.nl-ns0-ipv6” with even better security and performance. The DNSCrypt server has been updated from the old v1 to the new v2 protocol. The DNS server BIND has been replaced by Unbound.

Made numerous optimizations for better security and performance. Not based on the DNSCrypt server Docker image.