DNSCrypt Ephemeral Keys

Normally DNSCrypt uses the same public key for each request when contacting the DNS resolver. Technically the resolver could use this to link the public key to multiple IP addresses (particularly a problem with a mobile device like a laptop or smartphone).

To help fix this, dnscrypt-proxy recently added support for ephemeral keys, which means it creates a new key pair for each request. This does add some extra CPU time to each request, but for devices that may change IP addresses a lot, it might be worth enabling. If you have a static IP, or a dynamic IP that changes infrequently, it’s probably not as useful. That being said, if there are multiple users of dnscrypt-proxy behind the same IP address, then I would think it could help mask which requests are being sent by separate users (e.g. without ephemeral keys, the DNS provider could determine that key A visits Gmail and ArsTechnica while key B visits Yahoo and the BBC).

To enable ephemeral keys, add the -E tag when installing, like so:

dnscrypt-proxy.exe -E -R cloudns-can -L "dnscrypt-resolvers.csv" --install

2 thoughts on “DNSCrypt Ephemeral Keys”

Leave a Reply

Your email address will not be published. Required fields are marked *