DNSCrypt.nl

Free public DNSCrypt v2 server hosted in Amsterdam, The Netherlands.

For DNS traffic encryption and authentication.

Features

  • DNSSEC validation for better security
  • Caching
  • No logs
  • ED25519 algorithm support
  • Query prefetching to reduce latency
  • Query minimization for improved privacy
  • No forwarding to external/upstream DNS servers
  • Daily certificate rotation for forward secrecy
  • Supporting the latest DNSCrypt v2 protocol
  • Always latest Unbound DNS resolver
  • Pi-hole compatible
  • Blocking advertisements using the Peter Lowe blocklist

DNSCrypt v2 server

Server name: dnscrypt.nl-ns0, dnscrypt.nl-ns0-ipv6
Provider name: 2.dnscrypt-cert.ns0.dnscrypt.nl
FQDN: ns0.dnscrypt.nl
IPv4 address: 45.76.35.212
IPv6 address: 2001:19f0:5001:30a:5400:ff:fe58:7140
Port: 443

Provider key and DNS stamps

# Provider key
4C84:FB8C:0511:5DFA:5F97:C5ED:0329:1370:C78A:BCD6:4E15:DD53:AB08:DE72:FB84:4ACA
# dnscrypt.nl-ns0
sdns://AQcAAAAAAAAADDQ1Ljc2LjM1LjIxMiBMhPuMBRFd-l-Xxe0DKRNwx4q81k4V3VOrCN5y-4RKyh8yLmRuc2NyeXB0LWNlcnQubnMwLmRuc2NyeXB0Lm5s

# dnscrypt.nl-ns0-ipv6
sdns://AQcAAAAAAAAAJlsyMDAxOjE5ZjA6NTAwMTozMGE6NTQwMDpmZjpmZTU4OjcxNDBdIEyE-4wFEV36X5fF7QMpE3DHirzWThXdU6sI3nL7hErKHzIuZG5zY3J5cHQtY2VydC5uczAuZG5zY3J5cHQubmw

Verification

Server details can be verified by checking out my Keybase public files, which are PGP-signed by me. Alternatively, use dig as shown below.

dig A +short +dnssec ns0.dnscrypt.nl
dig TXT +short +dnssec pkey.ns0.dnscrypt.nl
dig TXT +short +dnssec pname.ns0.dnscrypt.nl
dig TXT +short +dnssec sname.ns0.dnscrypt.nl
dig TXT +short +dnssec ips.ns0.dnscrypt.nl
dig TXT +short +dnssec port.ns0.dnscrypt.nl
dig TXT +short +dnssec stamp.ipv4.ns0.dnscrypt.nl
dig TXT +short +dnssec stamp.ipv6.ns0.dnscrypt.nl

To verify that you are actually making use of the server, do a DNS Leak test.
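The two stamps published above can also be cross-checked offline against the provider key, provider name, addresses and port listed on this page. The following is an added example, not code from this site: it decodes a DNSCrypt `sdns://` stamp using the field layout of the public DNS stamps format (protocol byte, 8-byte properties, then length-prefixed address, public key and provider name); the function and constant names are hypothetical.

```python
import base64
import struct

# Values copied from this page (provider key, provider name, port, both stamps).
PAGE_KEY = "4C84:FB8C:0511:5DFA:5F97:C5ED:0329:1370:C78A:BCD6:4E15:DD53:AB08:DE72:FB84:4ACA"
PAGE_NAME = "2.dnscrypt-cert.ns0.dnscrypt.nl"
PAGE_PORT = 443
PAGE_STAMPS = {  # published address -> published stamp
    "45.76.35.212": "sdns://AQcAAAAAAAAADDQ1Ljc2LjM1LjIxMiBMhPuMBRFd-l-Xxe0DKRNwx4q81k4V3VOrCN5y-4RKyh8yLmRuc2NyeXB0LWNlcnQubnMwLmRuc2NyeXB0Lm5s",
    "2001:19f0:5001:30a:5400:ff:fe58:7140": "sdns://AQcAAAAAAAAAJlsyMDAxOjE5ZjA6NTAwMTozMGE6NTQwMDpmZjpmZTU4OjcxNDBdIEyE-4wFEV36X5fF7QMpE3DHirzWThXdU6sI3nL7hErKHzIuZG5zY3J5cHQtY2VydC5uczAuZG5zY3J5cHQubmw",
}
FLAGS = ((1, "dnssec"), (2, "nolog"), (4, "nofilter"))  # properties bits


def _lp(buf, pos):
    """Read one length-prefixed field: a 1-byte length, then that many bytes."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + buf[pos]
    return buf[pos + 1:end], end


def decode_dnscrypt_stamp(stamp):
    """Decode an sdns:// stamp into its fields; ValueError if malformed."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # re-add padding
    if len(raw) < 9 or raw[0] != 0x01:
        raise ValueError("not a DNSCrypt (protocol 0x01) stamp")
    (props,) = struct.unpack_from("<Q", raw, 1)  # 8 bytes, little-endian
    addr, pos = _lp(raw, 9)
    pk, pos = _lp(raw, pos)
    name, pos = _lp(raw, pos)
    if pos != len(raw) or len(pk) != 32:
        raise ValueError("malformed stamp")
    addr = addr.decode("ascii")
    if addr.startswith("["):  # IPv6 addresses are bracketed
        host, _, port = addr[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = addr.partition(":")
    key = pk.hex().upper()
    return {"host": host, "port": int(port or 443),  # port defaults to 443
            "flags": [n for bit, n in FLAGS if props & bit],
            "provider_key": ":".join(key[i:i + 4] for i in range(0, 64, 4)),
            "provider_name": name.decode("ascii")}


def mismatches():
    """List (address, field, decoded value) where a stamp disagrees with the page."""
    want = {"port": PAGE_PORT, "provider_key": PAGE_KEY, "provider_name": PAGE_NAME}
    return [(a, k, got[k]) for a, s in PAGE_STAMPS.items()
            for got in [decode_dnscrypt_stamp(s)]
            for k, v in {"host": a, **want}.items() if got[k] != v]
```

An empty list from `mismatches()` means both stamps carry the same key, provider name, address and port as the text on this page; it does not replace checking those values against the signed Keybase files or the DNSSEC-signed TXT records.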


Blocking advertisements in Unbound DNS server

As of today, I decided to block advertisement servers from within the Unbound DNS server.

For me personally, I don’t gain any benefit from it since I run my own personal Pi-Hole network advertisement blocker on a Raspberry Pi. But for the people who don’t, this should let you gain some performance back while browsing the web, in peace.

The blocklist that I am using is from Peter Lowe at pgl.yoyo.org.

If you encounter any problems or have any comments about it, be sure to let me know.

Unbound upgrade issues

Downtime explained

Unfortunately, after upgrading Unbound from version 1.8.3 to 1.9.0, I encountered a problem. The problem was that Unbound kept crashing after running for around five hours. So I reconfigured everything and it seems to be back to working normally.

Since I use the same server myself, I know how annoying and/or problematic this can be, and I tried my best to solve the issue as fast as possible.

DNS Flag Day

DNSCrypt.nl is DNS Flag Day ready.

This is a short announcement that the dnscrypt.nl service is DNS Flag Day ready and will work without any issues later on.

dnscrypt.nl passes all tests

For a detailed test result, visit the EDNS Compliance Tester.

The DNS server Unbound will be upgraded to version 1.9.0 on or around February 1st once they release it.

For more information visit dnsflagday.net

Upgraded server

After seeing memory usage increase further, almost to the maximum, I decided to upgrade the server. It has been upgraded from Intel Broadwell with 1 GB memory to Intel Skylake with 2 GB memory.

I will continue upgrading it in the future if needed.

Enjoy!