DNScrypt vs DNScrypt v2 vs DoT vs DoH

Hi,
I'm using a BT 5A with the latest OpenWrt 19.7.3. I would like to encrypt my DNS activities. In theory, DNScrypt should be the best choice in terms of privacy.
What do you recommend to use? Is there any guide about GUI interface other than this CLI one?

DNScrypt package is not maintained dnscrypt-proxy 2018-11-22-f61ca76a-1 while DNScrypt v2 package is updated (and huge) dnscrypt-proxy2 2.0.42-1.
I found that there is unofficial luci-app-dnscrypt-proxy2. Is there any plan to add it to official packages?
Moreover, the guide here should be updated with the newer version.


Stubby, as discussed here: Using CloudFlare's DNS-Over-TLS

DoT is bad in terms of privacy and performance.

DNS over HTTPS with Dnsmasq and https-dns-proxy

You can test:

  • Package: luci-app-https-dns-proxy

LuCI app dnscrypt: I installed the package, but it is not in service in LuCI...

DoH is better than DoT, but worse than DNScrypt in terms of privacy.


What about performance? Which one is better on a dual-core ramips?
I'm using DoH actively. If DNScrypt is better, I want to switch.

I'm not aware of any, and I could not find any benchmarks. However, in general, performance is strictly related to the DNS server rather than to the protocol used.
In theory, DNScrypt is faster than DoT and DoH since it uses UDP instead of TCP, and it is a single piece of software without any third-party component such as a TLS stack (OpenSSL). Moreover, DNScrypt v2.0 is multithreaded and supports DoH too. So if you want to benchmark the protocols (DNScrypt vs DoH), you can use the same DNS provider with DNScrypt v2.0.

Let me share some thoughts on benchmarking.
I'm using Pi-hole (i.e. dnsmasq) that is/was talking to 1 or 2 local proxies (cloudflared | dnscrypt-proxy | stubby). All the proxies use Cloudflare servers.
Since I do not have --strict-order set for dnsmasq, I assume (per dnsmasq help) that

dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up.

So, it sounds like the most used upstream is generally better than other(s).
Initially I used cloudflared (DoH) and dnscrypt-proxy together, and the de facto load split between them was approximately 50/50.
Then I removed dnscrypt-proxy when I noticed that it cannot resolve some domains if DNSSEC is in use, and for some time cloudflared was the only upstream.
At some point I added stubby (DoT), and now I see that every day the share of stubby is continuously growing from an initial 0, eating the share of cloudflared. To me it looks like this particular DoT implementation is faster than the DoH one.
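The "share" observation above can be measured instead of eyeballed. Below is an added example (not code from the original post, and not part of dnsmasq or Pi-hole) that parses dnsmasq `log-queries` output, counts the `forwarded ... to <server>` lines per day and per upstream, and reports each upstream's fraction. The log lines, the listener ports (5053 for cloudflared, 5453 for stubby) and the port-to-proxy labels are all constructed assumptions for the example; adjust `UPSTREAMS` to your own `server=` entries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of dnsmasq 'log-queries' output (not real logs).
# Only the "forwarded X to SERVER" lines matter for the upstream split;
# "query" and "cached" lines are shown to demonstrate they are ignored.
SAMPLE_LOG = """\
Jun 10 08:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jun 10 08:00:01 dnsmasq[1234]: forwarded www.example.com to 127.0.0.1#5053
Jun 10 08:00:02 dnsmasq[1234]: forwarded www.example.net to 127.0.0.1#5053
Jun 10 08:00:03 dnsmasq[1234]: forwarded www.example.org to 127.0.0.1#5453
Jun 10 08:00:04 dnsmasq[1234]: cached www.example.com is 93.184.216.34
Jun 11 09:00:01 dnsmasq[1234]: forwarded www.example.com to 127.0.0.1#5453
Jun 11 09:00:02 dnsmasq[1234]: forwarded www.example.net to 127.0.0.1#5453
Jun 11 09:00:03 dnsmasq[1234]: forwarded www.example.org to 127.0.0.1#5053
Jun 11 09:00:04 dnsmasq[1234]: forwarded mail.example.com to 127.0.0.1#5453
"""

# Hypothetical mapping from dnsmasq's "server=" targets to the local proxy
# listening there. Ports are assumptions for this example.
UPSTREAMS = {
    "127.0.0.1#5053": "cloudflared (DoH)",
    "127.0.0.1#5453": "stubby (DoT)",
}

# Matches the syslog-style prefix dnsmasq emits and captures the day and
# the upstream it forwarded to.
FORWARD_RE = re.compile(
    r"^(?P<day>[A-Za-z]{3}\s+\d{1,2}) \S+ dnsmasq\[\d+\]: "
    r"forwarded \S+ to (?P<server>\S+)$"
)


def count_forwards(log_text):
    """Return {day: Counter({upstream_label: forwarded_queries})}."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FORWARD_RE.match(line)
        if not m:
            continue  # not a forward line (query/cached/reply/etc.)
        label = UPSTREAMS.get(m.group("server"), m.group("server"))
        per_day[m.group("day")][label] += 1
    return per_day


def upstream_share(log_text):
    """Return {day: {upstream_label: fraction_of_forwards_that_day}}."""
    shares = {}
    for day, counts in count_forwards(log_text).items():
        total = sum(counts.values())
        shares[day] = {label: n / total for label, n in counts.items()}
    return shares


def trend(log_text, label):
    """Per-day fractions for one upstream, in log order, so that a
    continuously growing (or shrinking) share is visible at a glance."""
    return [(day, s.get(label, 0.0)) for day, s in upstream_share(log_text).items()]


if __name__ == "__main__":
    for day, shares in upstream_share(SAMPLE_LOG).items():
        summary = ", ".join(f"{u}: {f:.0%}" for u, f in sorted(shares.items()))
        print(f"{day}: {summary}")
    print("stubby trend:", trend(SAMPLE_LOG, "stubby (DoT)"))
```

Feed it a real file with `upstream_share(open("/var/log/pihole.log").read())` (or wherever dnsmasq logs on your box). Because dnsmasq without `--strict-order` favours servers that answer, a rising fraction for one proxy is a reasonable proxy for "faster from dnsmasq's point of view", but it says nothing about the absolute latency, so treat it as a ranking, not a benchmark.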

Thank you for sharing your experience. Are you using dns-crypt v2? I would expect DoT to be slightly faster than DoH. It would be great to have a proper benchmark from OpenWrt developers.

I was using dns-crypt v2 and am not using it currently. I suppose the best benchmark is always our own, and the whole discussion about privacy and performance with these proxies and protocols is not directly related to OpenWrt.

I agree. Moreover, DNS traffic and time are negligible compared to a web page or file transfer. So the best is to use the most private solution, dnscrypt-proxy2, and hopefully to have an official LuCI app soon, such as luci-app-dnscrypt-proxy2.
