
Anonymized DNS for DNSCrypt


exile360


A new protocol is now available, currently in beta, for users of the DNSCrypt protocol that anonymizes user IP addresses and DNS requests across multiple servers to prevent snooping/logging even if the DNSCrypt equipped DNS server you are using is being deceitful and logging without telling you.  This introduces another layer of anonymity when surfing the web for users of DNSCrypt (like myself; I've been using it for several years now) and once rolled out more broadly, should provide an excellent improvement to the security and privacy provided by DNSCrypt.

You can learn more about it here and you can read the full spec of the new protocol here.  Currently several beta servers implementing the new protocol have been made available so users of the latest builds of DNSCrypt can add the new resolver list and configure their client to use the new anonymized protocol.

From the article linked above:

Anonymized DNS is here!

DNS encryption was a huge step towards making DNS more secure, preventing intermediaries from recording and tampering with DNS traffic.

However, one still has to trust non-logging DNS servers for actually doing what they pretend to do. They obviously see the decrypted traffic, but also client IP addresses.

In order to prevent this, using DNS over Tor or over proxies (HTTP, SOCKS) has become quite common. However, this is slow and unreliable as these mechanisms were not designed to relay DNS traffic.

A new step towards making DNS more secure has been made. Today, I am thrilled to announce the general availability of Anonymized DNSCrypt, a protocol that prevents servers from learning anything about client IP addresses.

How does it work?

Instead of directly reaching a server, an Anonymized DNS client encrypts the query for the final server, but sends it to a relay.

The relay doesn't know the secret key, and cannot learn anything about the content of the query. It can only blindly forward the query to the actual DNS server, the only server that can decrypt it.

The DNS server itself receives a connection from the relay, not from the actual client. So the only IP address it knows about is the one of the relay, making it impossible to map queries to clients.

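To make the relay mechanism in the quoted article concrete, here is an added simulation (my own example, not code from the post or from the DNSCrypt project). A client seals a query for the resolver, wraps it in a relay envelope, and the relay forwards it without being able to read it; the resolver then only sees the relay as its peer. Assumptions: the envelope framing (8 bytes of 0xff, a 16-byte IPv6/IPv4-mapped target address, a 2-byte port, then the encrypted query) is my reading of the published spec; AES-256-GCM with a fixed, constructed session key stands in for the cipher and key exchange real DNSCrypt uses; all addresses are constructed documentation addresses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Client-to-relay framing as I read the Anonymized DNSCrypt spec (an assumption of this
// example): 8 x 0xff, 16-byte IPv6 (IPv4-mapped) target, big-endian port, sealed query.
var anonMagic = bytes.Repeat([]byte{0xff}, 8)

// Constructed stand-in for the per-session key only client and resolver share
// (real DNSCrypt derives it by key exchange; the relay never holds it).
var sessionKey = []byte("0123456789abcdef0123456789abcdef")

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates with AES-256-GCM, random nonce prefixed.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or on any tampering.
func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(blob) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// buildRelayPacket is the client side: the sealed query plus the target's address.
func buildRelayPacket(target net.IP, port uint16, sealed []byte) []byte {
	pkt := append(append([]byte{}, anonMagic...), target.To16()...)
	return append(binary.BigEndian.AppendUint16(pkt, port), sealed...)
}

// parseRelayPacket is all a relay can do with the packet: read where it goes.
func parseRelayPacket(pkt []byte) (net.IP, uint16, []byte, error) {
	if len(pkt) < 26 || !bytes.Equal(pkt[:8], anonMagic) { return nil, 0, nil, errors.New("not an anonymized query") }
	return net.IP(append([]byte{}, pkt[8:24]...)), binary.BigEndian.Uint16(pkt[24:26]), pkt[26:], nil
}

// Resolver records what it learns: the peer it heard from and the decrypted name.
type Resolver struct{ Key []byte; SeenPeer, SeenName string }

func (r *Resolver) Handle(peer string, sealed []byte) ([]byte, error) {
	q, err := open(r.Key, sealed)
	if err != nil { return nil, err }
	r.SeenPeer, r.SeenName = peer, string(q)
	return seal(r.Key, []byte("A 192.0.2.1 for "+string(q))) // constructed answer
}

// Relay forwards blindly and records what it could observe on the way.
type Relay struct{ Addr, SeenClient, SeenTarget string; CouldDecrypt bool }

func (rl *Relay) Forward(client string, pkt []byte, resolvers map[string]*Resolver) ([]byte, error) {
	ip, port, sealed, err := parseRelayPacket(pkt)
	if err != nil { return nil, err }
	rl.SeenClient, rl.SeenTarget = client, net.JoinHostPort(ip.String(), fmt.Sprint(port))
	_, guessErr := open(make([]byte, 32), sealed) // the relay holds no valid key
	rl.CouldDecrypt = guessErr == nil
	res, ok := resolvers[rl.SeenTarget]
	if !ok { return nil, errors.New("unknown resolver " + rl.SeenTarget) }
	return res.Handle(rl.Addr, sealed) // the resolver sees the relay as its peer
}

// Run plays one query client -> relay -> resolver and back; returns both views and the answer.
func Run() (*Relay, *Resolver, string, error) {
	res := &Resolver{Key: sessionKey}
	relay := &Relay{Addr: "198.51.100.7:443"} // constructed relay address
	sealed, err := seal(sessionKey, []byte("example.com"))
	if err != nil { return nil, nil, "", err }
	pkt := buildRelayPacket(net.ParseIP("203.0.113.10"), 443, sealed)
	reply, err := relay.Forward("192.0.2.55:53001", pkt, map[string]*Resolver{"203.0.113.10:443": res})
	if err != nil { return nil, nil, "", err }
	plain, err := open(sessionKey, reply)
	if err != nil { return nil, nil, "", err }
	return relay, res, string(plain), nil
}

func main() {
	relay, res, answer, err := Run()
	if err != nil { panic(err) }
	fmt.Printf("relay saw %s -> %s (could decrypt: %v)\nresolver saw peer %s asking %q\nclient got %q\n",
		relay.SeenClient, relay.SeenTarget, relay.CouldDecrypt, res.SeenPeer, res.SeenName, answer)
}
```

Running it with `go run` prints the three views side by side: the relay learns the client's address and which resolver was chosen but nothing about the question, while the resolver learns the question but only the relay's address. The split is what gives the privacy gain, so it only holds while the relay and the resolver are operated independently; a relay and resolver run by the same party could join the two views again, which is why relay choice matters as much as resolver choice.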
