dnscrypt-resolvers's Issues

2 Servers for the Public List

I run 2 servers with your Docker image; they have been running for the last 24 hours without problems so far.
They are running on a different port (8443).
One server is on IPv4, the other on IPv6.
Hosted in Germany.

   [static.'2.dnscrypt-cert.trashvpn.de']
   stamp = 'sdns://AQcAAAAAAAAAEzM3LjIyMS4xOTUuMTgxOjg0NDMgeWFZIMbyef83QDyIdD3cE9Fe_4QcTDw4nKWJDSacGvYbMi5kbnNjcnlwdC1jZXJ0LnRyYXNodnBuLmRl'

   [static.'2.dnscrypt-cert.zeroaim.de-ipv6']
   stamp = 'sdns://AQcAAAAAAAAAGVsyYTAzOjQwMDA6YjoyMjM6OjFdOjg0NDMgcrQcuGXx2fhX6rmtaP6aPXj8gumVIrn4GIrn6aTB1fUfMi5kbnNjcnlwdC1jZXJ0Lnplcm9haW0uZGUtaXB2Ng'

Human Filterable Public Resolver List

I have seen issue #4 and the stamp calculator, as well as the text based list of public resolvers. However I couldn't find an easy way to find suitable resolvers from the list. For example, if I wanted to find all servers in Canada that support DNSSEC, do not log, and do not censor, is there any easy way to generate such a list?

The list at dnscrypt.info does allow for sorting but not filtering, and does not include location as a sortable or filterable field.

ibksturm & doh-ibksturm

hi frank

please deactivate ibksturm and doh-ibksturm till i write you

I'm getting some new hardware this weekend (hope I have time), since my bananapi still got crashed... my son played football and yeah... shit happens

Update Needed

This list appears to be missing the following OpenNIC resolvers:

ns8.ca.dns.opennic.glue
ns16.de.dns.opennic.glue
ns6.mx.dns.opennic.glue
ns7.nh.nl.dns.opennic.glue
ns12.nh.nl.dns.opennic.glue

The list contains the following resolvers that are no longer listed by OpenNIC:

doh-ibksturm
ibksturm
publicarray-au
publicarray-au-doh
publicarray-au2
publicarray-au2-doh

And the list contains outdated info for the following resolvers:

ethservices
ethservices2

New DNSCrypt v2 servers

Hi 👋🏼,

Can you add our new servers to the list, please?

Servers have full disk encryption, Canonical Livepatch enabled and monitoring using a combination of Uptime Robot, Monit and Statping. All of them use the official Docker image.

We would also like to change the description of the dnscrypt-01.adsnomore.io server already on the list, as I think it looks too big right now?

From:

DNSCrypt server hosted with Hetzner in Nuremberg, Germany. No logging, DNSSEC. It has full disk encryption, Canonical Livepatch for less downtime and full monitoring using a combination of Uptime Robot, Monit and Statping. Uses the official Docker image. Operated by @jamesponddotco

To:

DNSCrypt server located in Nuremberg, Germany. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

Description and stamps for each new server

[static]
  [static.'dnscrypt-02.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAETE0MC44Mi4yNi4xMDM6NDQzIE15px_otxEaCZ20DybtbfMu92IH3Ritg83ibv6LeizTKTIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC0wMi5tYWRwb255LnNwYWNl'

DNSCrypt server located in Miami, USA. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

[static]
  [static.'dnscrypt-03.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAEDUuMTg4LjIzOC42ODo0NDMg1uv1UTjfRdCF1XDI3T10v4EXWcdK6x8qM5Qut7bwb_gpMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LTAzLm1hZHBvbnkuc3BhY2U'

DNSCrypt server located in São Paulo, Brazil. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

[static]
  [static.'dnscrypt-04.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAEDQ1LjMyLjMxLjIzMTo0NDMgmk18Se_bsOdRNFJ64Lrw5MJ83y_au6WNrh3lZOceiqgpMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LTA0Lm1hZHBvbnkuc3BhY2U'

DNSCrypt server located in Tokyo, Japan. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

[static]
  [static.'dnscrypt-05.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAETE0OS4yOC4xNjguNjI6NDQzIENfI6UCxKdNccBA9YW-OhkV-HB_b_Yj5nQbq-gM1TAMKTIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC0wNS5tYWRwb255LnNwYWNl'

DNSCrypt server located in Sydney, Australia. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

[static]
  [static.'dnscrypt-06.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAEjk1LjE3OS4xNzguMTAwOjQ0MyCzDTlSDfD9-UOciubW46-f6tsh8o60Rt1m4i7XH5hBqykyLmRuc2NyeXB0LWNlcnQuZG5zY3J5cHQtMDYubWFkcG9ueS5zcGFjZQ'

DNSCrypt server located in Amsterdam, Netherlands. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

[static]
  [static.'dnscrypt-07.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAEjEzOS4xODAuMjE2LjgzOjQ0MyBPxDlEgU5vJPp0n-Zh505hgFMSBQj8CQc7p9uUaIWigSkyLmRuc2NyeXB0LWNlcnQuZG5zY3J5cHQtMDcubWFkcG9ueS5zcGFjZQ'

DNSCrypt server located in Singapore. No logging, DNSSEC, disk encryption, Canonical Livepatch and monitored 24/7. Uses the official Docker image.

—————

I hope to have a few more to share in a few days.

Thank you! :)

okturtles

Is it possible to add okturtles to your resolver list?

okturtles

For a surveillance-free world. HTTPS is broken. DNSChain fixes it.
sdns://AQIAAAAAAAAAETIzLjIyNi4yMjcuOTM6NDQzIB2FOVPjT6_QBflMb9HM5jXUEZkEDUjRml01C2p8gXPLHTIuZG5zY3J5cHQtY2VydC5va3R1cnRsZXMuY29t

ibksturm is back

hi frank

my both servers are back


  [static.'ibksturm']
  stamp = 'sdns://AQcAAAAAAAAADzIxNy4xNjIuMjA2LjE3OCCxGSyTbKFt1Kjc-TqE-cBV5TnQ8EdVjl0yBwYh1NImjxgyLmRuc2NyeXB0LWNlcnQuaWJrc3R1cm0'

  [static.'doh-ibksturm']
  stamp = 'sdns://AgcAAAAAAAAADzIxNy4xNjIuMjA2LjE3OAAUaWJrc3R1cm0uc3lub2xvZ3kubWUKL2Rucy1xdWVyeQ'

Heads-up: at the moment, OpenNIC isn't running, and the root zone isn't either... Linux is stressing me with write permissions

aaah, dot is also now running :)

Avoiding downtime on public resolver migration

Hey, I have a resolver running that is part of the public resolver list.

I plan to perform a migration to a different host (I've opened an issue in the docker repository asking whether I can somehow salvage the existing certs and keep the same fingerprint).

But in case the certs need to be regenerated and I need a new stamp, what is the best way to ensure that there is minimum downtime for my resolver as I make this transition?

rubyfish dns has added DNSSEC support

Now ea-dns.rubyfish.cn's stamp is 'sdns://AgUAAAAAAAAADzExNS4xNTkuMTU0LjIyNgAPZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk', and uw-dns.rubyfish.cn's stamp is 'sdns://AgUAAAAAAAAADDQ3Ljk5LjE2NS4zMQAPZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk'

Sorry sir, something went wrong here.

[2019-10-05 17:03:24] [NOTICE] dnscrypt-proxy 2.0.27
[2019-10-05 17:03:24] [NOTICE] Network connectivity detected
[2019-10-05 17:03:46] [NOTICE] Source [public-resolvers.md] loaded
[2019-10-05 17:03:46] [ERROR] Invalid or unsupported stamp: [sdns://AgMAAAAAAAAAJzIwMDE6MTlmMDo3MDAxOjU1NTQ6NTQwMDowMmZmOmZlNTc6MzA3NyBsA2QQ3lR1Nl9Ygfr8FdBIpL-doxmHECRx3T5NIXYYtxNkbnMuY29udGFpbmVycGkuY29tCi9kbnMtcXVlcnk]
[2019-10-05 17:03:46] [CRITICAL] Unable to use source [public-resolvers]: [Invalid stamp (IP address)]
[2019-10-05 17:03:46] [FATAL] Invalid stamp (IP address)
------------------------------------------------------------

Google DOH server doesn't work

Hi,
Google developers page on DOH doesn't have the /experimental API anymore.
Also, when I tried to use dnscrypt with the /resolve API as a static server, dnscrypt skips it from server list.

The relays.md needs its signature updated.

[CRITICAL] Unable to retrieve source [relays]: [Invalid signature]

The content of relays.md was changed 15 hours ago, but its signature was not updated at the same time. Thus all the dnscrypt-proxy clients installed on my devices (unfortunately they were updated, which means they will try to fetch the relays.md file during their start-up process) refuse to start, as they could not validate the relays.md file.

I wish the signing process were automatic so we could prevent such a nasty thing from happening again.

dnscrypt-proxy install issue

Hi Guys,

When I was trying to install dnscrypt-proxy on my device I encountered the following error:

./dnscrypt-proxy: symbol lookup error: ./dnscrypt-proxy: undefined symbol: crypto_core_hchacha20

I did some research and someone said that maybe the version of libsodium is old; however, installing the latest version did not fix my problem.

Also when I performed:

./configure && make

I got an error like this:

configure: error: cannot find install-sh, install.sh, or shtool in libltdl/config "."/libltdl/config

does anyone have any suggestions?

public-resolvers returning invalid signature

Fetching a new public-resolvers.md is currently returning:

[2019-05-01 18:18:26] [CRITICAL] Unable to use source [public-resolvers]: [Invalid signature]
[2019-05-01 18:18:26] [FATAL] No servers configured

I think this is because @jedisct1 forgot to sign the latest commit (c13404d)?

trashvpn.de maintenance / downtime

Hi,
I plan server maintenance with a longer downtime for the dnscrypt service.
It may take a little longer than usual (2 or 3 weeks).
I am testing a few things with the server.
Maintenance / downtime starts in > 3 days.
Removing the following server from the list may be necessary.
It's my IPv4 server: trashvpn
dnscrypt-server Docker image : DNSSEC/Non-logged/Uncensored Hosted in Germany
sdns://AQcAAAAAAAAAEzM3LjIyMS4xOTUuMTgxOjg0NDMgeWFZIMbyef83QDyIdD3cE9Fe_4QcTDw4nKWJDSacGvYbMi5kbnNjcnlwdC1jZXJ0LnRyYXNodnBuLmRl

Thanks

Please add my DoH Servers in China

ea-dns.rubyfish.cn and uw-dns.rubyfish.cn

ea-dns.rubyfish.cn

resolves poisoned domains from an East-Asia upstream
'sdns://AgQAAAAAAAAADzExNS4xNTkuMTU0LjIyNgAPZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk'

uw-dns.rubyfish.cn

resolves poisoned domains from a US-West upstream
'sdns://AgQAAAAAAAAADDQ3Ljk5LjE2NS4zMQAPZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk'

Cleanbrowsing security filter

Cleanbrowsing has a new DoH resolver for filtering phishing, malware and malicious domains only (link), but I don't know if it supports DNSCrypt. Can you add it?

Follow-up on evilvibes dnscrypt server - Incorrect signature

Maybe a timestamp issue? Can you verify that your clock is correct, @MystesofEternity ?

Originally posted by @jedisct1 in #96 (comment)

I apologize for not being able to reply to this in a timely manner, and since the conversation has been locked and limited to collaborators only, I have decided to open up a new issue.

I doubt my clock is off, since my NTP is working properly and in sync with time.apple.com.
Even though my clock is off by just seconds, referencing the time at https://time.is/,

I don't think such a little difference would cause this issue.

As a side note, I have not experienced this issue with other DNSCrypt servers, and as of now I do not see evilvibes' dnscrypt server in the list of servers my dnscrypt-proxy client tries to connect to, so I cannot verify whether or not the problem is resolved now.

captnemo-in forwarding to Cisco

Trying to fix the comment in 8ce1a2a

Warning: forwards queries to Cisco servers.

I tested my configuration (dnscrypt-proxy 1.9.5 running locally with ResolverName captnemo-in) against https://www.dnsleaktest.com/results.html

The only server that shows up is r5.compute.mum1.edc.strln.net / OpenDNS.

The DNSCrypt-wrapper Exec is set as:

ExecStart=/usr/local/sbin/dnscrypt-wrapper --resolver-address=208.67.222.222:53 --listen-address=10.47.0.5:4434 --provider-name=2.dnscrypt-cert.captnemo.in --crypt-secretkey-file=1.key --provider-cert-file=1.cert --outgoing-address=10.47.0.5

I'll file a PR to remove the warning once this is confirmed as correct.

Public DNS resolvers lists

Having a list of public resolvers to be used with dnscrypt clients is critical.

However, the good old CSV file had quite a few drawbacks.

First, it was centralized. One file, available at a unique URL hardcoded in clients and scripts, maintained by one person. It’s fragile and not sustainable.

In order to address this, dnscrypt-proxy v2 works differently. Users subscribe to one or more “sources”.

A source is a URL returning a list of resolvers, and a public key.

Data from these sources are automatically downloaded, verified, and regularly updated.

So, the OpenNIC organization can autonomously maintain a list of their available resolvers, signed with their own key.

If you run your own private servers, you can list them in a private URL. If you use Kubernetes to spawn the server instances, the source data can be built automatically.

If someone wants to publish a list of resolvers that works well for a given country, or a list of resolvers that block ads, or a list of resolvers responding to non-standard ports, or whatever, they can.

Users just subscribe to the sources they are interested in. Then, they can let the software automatically pick the fastest server in all of the available ones, or explicitly choose a subset of servers from these sources to use.

This doesn’t prevent having some reference page (maybe the dnscrypt-proxy wiki) that lists some of the available/recommended sources.

Which brings us to the second point: what kind of data do these sources return?

The CSV format is a bit unusual for software configuration. But it made sense. After all, the list of resolvers and their properties could be nicely presented as a table.

However:

  • CSV is not so easy to edit. Everybody doesn’t use a spreadsheet, and long lines don’t play well with text editors. And CSV is not really normalized (separators and quotes…)
  • CSV is not extensible. Columns could be added or removed, if we assume that the first line contains property names, and that software associates individual cells with properties. In practice, doing so is lousy, so most scripts and applications just expect a property to be at a specific column. Adding/removing properties is effectively impossible.
  • The CSV file was not great for computers to parse reliably. It was also not great for humans to read, as it contained too much useless information (public keys, IP addresses, protocol version, DNSSEC record), unused information (GPS coordinates), and not enough information (just a couple characters to describe what the server is).

So, I’m looking for suggestions to replace it. Or rather, to add to it, since the legacy CSV format will remain supported as well.

dnscrypt-proxy 2 introduces something called “stamps” (for the lack of a better word). A stamp is a base64 string that contains a protocol identifier (regular non-encrypted DNS, DNSCrypt, DNS-over-HTTP2, …) as well as all the parameters required to connect to a server: IP address, port, public keys, etc.

So, if you want people to use your server, you can just give them a single string to copy&paste.

Back to “what could we replace the CSV file with?”.

I’m looking for suggestions on a better way to publish lists of servers. The new format has to:

  • Be easy to parse by scripts
  • Be human readable
  • Allow freeform text.

It could just be something like:

# example-server-1

This is a DNS server provided by https://example.com, located in India.

It filters out ads and trackers. It doesn’t log anything. It supports DNSSEC, and https://example.com also has cool privacy-oriented free software you should check out.

sdns://unoiwueovqunoeiuqwoienuvioquweo

# example-server-2

Another server in India, but that one doesn’t filter anything. Blablabla.

sdns://weonqviuwenqioevunqwioeuvqwoeqw

We still need some structure to have it parsable (here: the name after the # and the sdns:// stamps on their own line), but everything else can be freeform.

Note that stamps also include information about DNSSEC support and log/nolog, so GUIs, scripts and applications can still apply filters based on that. In fact, stamps include a 64 bit bitfield, so we have 62 bits left to store other properties.

I need your input. You are running servers, using the software, writing software, maintaining websites, your input on this is really badly needed.

What do you think about the general idea? What should we replace CSV files with? I’d be then glad to implement whatever makes everybody happy.

zeroaim-ipv6 will be offline soon

Hi,
I am moving to a new server in the next few days / weeks.

Removing the following server from the list is necessary.
It's my IPv6 server:

zeroaim-ipv6
dnscrypt-server Docker image : DNSSEC/Non-logged/Uncensored Hosted in Germany
sdns://AQcAAAAAAAAAGVsyYTAzOjQwMDA6YjoyMjM6OjFdOjg0NDMgcrQcuGXx2fhX6rmtaP6aPXj8gumVIrn4GIrn6aTB1fUfMi5kbnNjcnlwdC1jZXJ0Lnplcm9haW0uZGUtaXB2Ng

A new dnscrypt server from me, will come back in August/September

Thanks

Adding my server to the public resolvers list (v2)

I'm running a non-logging DNSCrypt resolver, and since I've used it on v1 without any issues, I feel confident enough to add it to the public resolvers list now.

However, I've noticed that on v2, the resolver list simply has a sdns:// URL for each entry. How do I go about obtaining one for my server, and would I need to make any significant modifications on my server/resolver in order to do it?

Add new DNSCrypt v2 German server

Hi 👋🏼,

Can you add our new server to the list, please?

Server is hosted with Hetzner in Nuremberg, Germany, has full disk encryption, Canonical Livepatch for less downtime and full monitoring using a combination of Uptime Robot, Monit and Statping. It uses the official Docker image.

[static]
  [static.'dnscrypt-01.adsnomore.io']
  stamp = 'sdns://AQcAAAAAAAAAETk0LjEzMC4xNzguNTY6NDQzIIxpj-7XPoT_79rA9pnvVGz0bIQRuEL-eI-0NlYJaGcpJjIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC0wMS5tYWRwb255Lmlv'

Name is dnscrypt-01.adsnomore.io, as more servers will be coming as soon as we finish talking with a few providers in Iceland and Panama.

Thank you! :)

rubyfish.cn server change ip

ea-dns.rubyfish.cn
sdns://AgUAAAAAAAAAAAASZWEtZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk

uw-dns.rubyfish.cn
sdns://AgUAAAAAAAAAAAASdXctZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk

"cisco" server responds with OpenDNS (Cisco Umbrella) account filtering rules applied, if it was setup and configured for client's IP address

If an OpenDNS account was configured and the client IP address was set up in the OpenDNS account (statically or via DDNS from the client side), then the "cisco" resolver (208.67.220.220) answers DNS queries with the OpenDNS (Cisco Umbrella) account's DNS filtering rules applied.

Below is an example request. 146.112.61.106, received as youtube.com's address, is a 'block' address within the OpenDNS block of addresses (as shown by whois) for such an account, received via the 'cisco' resolver with dnscrypt-proxy on an Ubuntu 18.04 LTS server. Also, an untrusted HTTPS certificate for youtube.com signed by "Cisco Umbrella Secondary SubCA ams-SG" was received.

Seems that this behavior should be fixed with Cisco, or listed in 'cisco' resolver description.


root@bgw01:/usr/share/dnscrypt-proxy# dig youtube.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60886
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 0 IN A 146.112.61.106

root@bgw01:/usr/share/dnscrypt-proxy# whois 146.112.61.106
...
Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '146.112.0.0 - 146.112.255.255'

% No abuse contact registered for 146.112.0.0 - 146.112.255.255

inetnum: 146.112.0.0 - 146.112.255.255
netname: OpenDNS-RIPE
descr: OpenDNS
country: US
admin-c: ODNS36692-RIPE
tech-c: ODNS36692-RIPE
status: LEGACY
mnt-by: OPENDNS-MNT
mnt-routes: OPENDNS-MNT
mnt-domains: OPENDNS-MNT
mnt-by: OPENDNS-MNT
mnt-lower: OPENDNS-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2019-04-08T07:51:51Z
source: RIPE

role: OPENDNS NETENG TEAM
address: OpenDNS
address: 675 West Hastings Street, Suite 500
address: Vancouver BC V6B 1N2
address: Canada
phone: +1 415 513 0439
abuse-mailbox: [email protected]
nic-hdl: ODNS36692-RIPE
mnt-by: OPENDNS-MNT
created: 2014-05-29T13:22:57Z
last-modified: 2015-01-22T18:28:03Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.93.2 (WAGYU)

Obtaining server properties

Hi!

I'm trying to go through the list of public resolvers in order to measure which is fastest. The old CSV format was good for that, since we could just read off the IP, whether the server logs, etc.
How would one do that with the stamps?

Thanks!
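The two threads above ask for what a stamp already encodes: the "Public DNS resolvers lists" post describes a stamp as base64 carrying a protocol identifier, the connection parameters and a 64-bit property bitfield (DNSSEC, no-log), and the question just above asks how to read the IP address and logging flag back out of one. What follows is an added example, not code from the dnscrypt-proxy project: a decoder for the two stamp kinds that appear on this page (DNSCrypt, id 0x01, and DNS-over-HTTPS, id 0x02), a parser for the proposed "# name followed by a stamp line" list shape, and a filter by property bits. The field layout (protocol byte, little-endian uint64 props, length-prefixed address, then per-protocol fields) is the published DNS Stamps format. The sample list is constructed here using stamps copied from the issues on this page, and BAD_IPV6_STAMP is the stamp from the "Invalid stamp (IP address)" log above; its address is an IPv6 literal without brackets, which the address check in this example rejects.

```python
import base64, ipaddress, struct
from dataclasses import dataclass, field
from typing import List, Tuple

DNSSEC, NOLOG, NOFILTER = 1, 2, 4  # bits 0..2 of the little-endian uint64 props bitfield

class StampError(ValueError): pass

@dataclass
class Stamp:
    proto: str                   # "dnscrypt" (id 0x01) or "doh" (id 0x02)
    props: int
    addr: str                    # "ip:port", "[ipv6]:port", or "" for hostname-only DoH
    public_key: bytes = b""      # DNSCrypt: provider public key (32 bytes)
    provider_name: str = ""      # DNSCrypt: e.g. 2.dnscrypt-cert.example
    hashes: List[str] = field(default_factory=list)  # DoH: pinned cert hashes (hex)
    hostname: str = ""           # DoH
    path: str = ""               # DoH

class _Reader:  # cursor over the decoded bytes: LP = length-prefixed string, VLP = list of LPs
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise StampError("truncated stamp")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def lp(self) -> bytes:
        return self.take(self.take(1)[0])
    def vlp(self) -> List[bytes]:  # high bit of a length byte means another item follows
        items, more = [], True
        while more:
            n = self.take(1)[0]
            more, item = bool(n & 0x80), self.take(n & 0x7F)
            if item:
                items.append(item)
        return items

def check_address(addr: str, allow_empty: bool) -> None:
    """Accept 'ipv4[:port]' or '[ipv6][:port]'; a bare, unbracketed IPv6 literal is rejected."""
    if not addr and allow_empty:
        return
    if addr.startswith("["):
        host = addr[1:].partition("]")[0]
    elif addr.count(":") > 1:
        raise StampError("IPv6 address must be enclosed in brackets")
    else:
        host = addr.partition(":")[0]
    try:
        ipaddress.ip_address(host)
    except ValueError as exc:
        raise StampError(f"not an IP address: {host!r}") from exc

def parse_stamp(stamp: str) -> Stamp:
    if not stamp.startswith("sdns://"):
        raise StampError("missing sdns:// prefix")
    raw = stamp[len("sdns://"):]
    data = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore stripped padding
    r = _Reader(data)
    proto_id = r.take(1)[0]
    props = struct.unpack("<Q", r.take(8))[0]
    addr = r.lp().decode("ascii")
    check_address(addr, allow_empty=(proto_id == 0x02))
    if proto_id == 0x01:
        pk, name = r.lp(), r.lp().decode("ascii")
        if len(pk) != 32:
            raise StampError("DNSCrypt public key must be 32 bytes")
        return Stamp("dnscrypt", props, addr, public_key=pk, provider_name=name)
    if proto_id == 0x02:
        hashes = [h.hex() for h in r.vlp()]
        return Stamp("doh", props, addr, hashes=hashes,
                     hostname=r.lp().decode("ascii"), path=r.lp().decode("ascii"))
    raise StampError(f"unsupported protocol id {proto_id:#x}")

def parse_resolver_list(markdown: str) -> List[Tuple[str, Stamp]]:
    """Pair each '# name' / '## name' heading with the sdns:// line(s) below it."""
    out, name = [], None
    for line in markdown.splitlines():
        if line.startswith("#"):
            name = line.lstrip("#").strip()
        elif line.startswith("sdns://") and name:
            out.append((name, parse_stamp(line.strip())))
    return out

def select(entries: List[Tuple[str, Stamp]], *required: int) -> List[str]:
    """Names whose props carry every required flag, e.g. select(entries, DNSSEC, NOLOG)."""
    return [name for name, s in entries if all(s.props & f for f in required)]

# Constructed sample in the proposed "heading + stamp" shape; the stamps are copied from the issues above.
SAMPLE_LIST = """\
## trashvpn
sdns://AQcAAAAAAAAAEzM3LjIyMS4xOTUuMTgxOjg0NDMgeWFZIMbyef83QDyIdD3cE9Fe_4QcTDw4nKWJDSacGvYbMi5kbnNjcnlwdC1jZXJ0LnRyYXNodnBuLmRl
## doh-ibksturm
sdns://AgcAAAAAAAAADzIxNy4xNjIuMjA2LjE3OAAUaWJrc3R1cm0uc3lub2xvZ3kubWUKL2Rucy1xdWVyeQ
## ea-dns.rubyfish.cn
sdns://AgUAAAAAAAAAAAASZWEtZG5zLnJ1YnlmaXNoLmNuCi9kbnMtcXVlcnk
"""
# The stamp rejected with "Invalid stamp (IP address)" in the log above: a bare IPv6 literal.
BAD_IPV6_STAMP = "sdns://AgMAAAAAAAAAJzIwMDE6MTlmMDo3MDAxOjU1NTQ6NTQwMDowMmZmOmZlNTc6MzA3NyBsA2QQ3lR1Nl9Ygfr8FdBIpL-doxmHECRx3T5NIXYYtxNkbnMuY29udGFpbmVycGkuY29tCi9kbnMtcXVlcnk"
```

`select(parse_resolver_list(SAMPLE_LIST), DNSSEC, NOLOG)` keeps trashvpn and doh-ibksturm (props 0x07) and drops ea-dns.rubyfish.cn, whose props byte is 0x05 (DNSSEC and no-filter set, no-log clear), which is the kind of filtering the "Human Filterable" request asks for without a separate column per property. The parser stops at the address field for BAD_IPV6_STAMP, so a list publisher can catch that mistake before clients refuse the whole source.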

Google may have changed their certificate

DoH to Google isn't working due to a certificate issue:

dnscrypt-proxy[8808]: System DNS configuration not usable yet, exceptionally resolving [dns.google.com] using fallback resolver [8.8.8.8:53]
dnscrypt-proxy[8808]: Certificate hash [1ef624cfff5e6bd3baddf3fddbfdea565467e377299dc7ee6675166f300cc1b9] not found for [google]

I'm assuming this means that Google updated their certificate - can it please be updated in the public-resolvers list as well?

Thanks so much!

dnscrypt.ca Server #1 IP Address Update (Four Stamps)

Greetings,

Please update the stamps for dnscrypt.ca Server #1 (the descriptions should stay the same).

Services on the "old server" will remain available for at least three days to allow clients a chance to autoupdate and switch over.

Server #2 remains unchanged.

dnscrypt.ca-1
sdns://AQcAAAAAAAAAEzE2Ny4xMTQuMjIwLjEyNTo0NDMgGlOjyVB4nL3RCxkzpGibbIRqQPG3PRdSrsrJgp7LfOIdMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmNhLTE

dnscrypt.ca-1-doh
sdns://AgcAAAAAAAAADzE2Ny4xMTQuMjIwLjEyNSA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBRkbnMxLmRuc2NyeXB0LmNhOjQ1MwovZG5zLXF1ZXJ5

dnscrypt.ca-1-ipv6
sdns://AQcAAAAAAAAAKlsyNjA3OjUzMDA6NjE6OTVmOjcyODM6MTFkOTowZjg2OmU2ODldOjQ0MyAg2RnU7DxQCM3HClHqK0_L_oqZPGQx0OxoHV6nOEWrgCIyLmRuc2NyeXB0LWNlcnQuZG5zY3J5cHQuY2EtMS1pcHY2

dnscrypt.ca-1-ipv6-doh
sdns://AgcAAAAAAAAAJlsyNjA3OjUzMDA6NjE6OTVmOjcyODM6MTFkOTowZjg2OmU2ODldID4aGg9sU_PpekktVwhLW5gHBZ7gV6sVBYdv2D_aPbg4FGRuczEuZG5zY3J5cHQuY2E6NDUzCi9kbnMtcXVlcnk

Thanks,
Snork.

id-gmail dnscryptv2

This is a DNS server provided by id-gmail, located in Singapore.

It filters out ads, trackers and malware. It doesn't log anything. It supports DNSSEC.

sdns://AQMAAAAAAAAADTE0OS4yOC4xNTIuODEg75aAZujZlPBl2D7d0xru7fVthldGPkrKR83X_pfD1PYcMi5kbnNjcnlwdC1jZXJ0LmRucy50aWFyLmFwcA

Snopyta DoH Finland

I found a good-latency DoH server hosted in Finland. More info: https://snopyta.org/service/dns/

[static.'doh-fi-snopyta']
 stamp = 'sdns://AgcAAAAAAAAADjk1LjIxNi4yMjkuMTUzABZmaS5kb2guZG5zLnNub3B5dGEub3JnCi9kbnMtcXVlcnk'

[static.'doh-fi-snopyta-ipv6']
 stamp = 'sdns://AgcAAAAAAAAAFlsyYTAxOjRmOToyYToxOTE5OjoyMV0AFmZpLmRvaC5kbnMuc25vcHl0YS5vcmcKL2Rucy1xdWVyeQ'

Changes to dnscrypt.ca servers

Investigating #62 the conclusion was reached that there was something wrong with the keys, so now there are new keys.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=== Changes to dnscrypt.ca servers ===
Greetings,

Please add the following stamp for dnscrypt.ca-1-ipv6 to the public resolver list

sdns://AQcAAAAAAAAAH1syNjA1OjIxMDA6MDoxOjo3MzRkOjc4NzZdOjUzNTMgie_Aik8Gbx0Yhl3AXGNrjkhIIuR2hdxG8wSccOyE5podMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmNhLTE

And modify the existing stamp for dnscrypt.ca-2-ipv6 to

sdns://AQcAAAAAAAAAH1syNjA1OjIxMDA6MDoxOjpiNWFkOjE4ZTJdOjUzNTMg5DtuKuW1dRp0BBgQ97rtLa9wScW38wTZSLyEgVkXmowdMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeXB0LmNhLTI

Thank you,
Snork <[email protected]>
=== end ===
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJcHSPnAAoJEEiDbUhV+xWJ15kIAIhx1c3s4x+gODhRmD9HI3WY
GvvrHff3+0p/vjQSjtguv91rtHNnqjf/VBzWly7ibasu//K5RiFsI9SUmiq/gMjP
lCNI4CMDd8ypjpMz6qeKHoOMRv4gAFvNLHF/wTcPt6ZkCk0Qr9/Wih8gDmGBsHXg
c8vL0V4QU7VoMwPe91L+6BYTqeN2gp/i0pghK3ve8i1OSt2aQm7ZqhWpE69YjPvU
LFTT05bA2qXPr9hbiIct7bu8NCaVEVABUy0uKF7adI944IdwdINDaGn/GLy+vJKA
tnPeEWcChiB5OC2ECNJVVsGHpDlbsxhNqdgFHqTCWrqZj2oimYP6D3FRJy/e6Fs=
=zhV8
-----END PGP SIGNATURE-----

id-gmail DNS-over-HTTPS

DNS-over-HTTPS, provided by id-gmail, located in Singapore. Filters out ads/ad-tracking and malware. Supports DNSSEC and no logs.

sdns://AgMAAAAAAAAACzQ1LjMyLjEwNS40AAxkb2gudGlhci5hcHAKL2Rucy1xdWVyeQ

Thanks.

[2.dnscrypt-cert.dnscrypt.ca-2.] Incorrect signature

While using public_resolvers.md without server_names, I see [2.dnscrypt-cert.dnscrypt.ca-2.] Incorrect signature in journalctl -u dnscrypt-proxy. Where does it come from?

There is no 2.dnscrypt-cert.dnscrypt.ca-2. in the file and I don't see errors about them.

Dec 02 12:28:37 sedric dnscrypt-proxy[3156]: [dnscrypt.ca-1] OK (crypto v1) - rtt: 123ms
Dec 02 12:28:37 sedric dnscrypt-proxy[3156]: [dnscrypt.ca-2] OK (crypto v1) - rtt: 121ms
Dec 02 12:28:37 sedric dnscrypt-proxy[3156]: [2.dnscrypt-cert.dnscrypt.ca-2.] Incorrect signature

I have contacted the admin who doesn't have ideas either and cannot reproduce this issue by setting those servers as server_names and I am also only able to see this by having empty server_names.

  • dnscrypt-proxy 2.0.19 (from Debian repositories)
  • Debian GNU/Linux testing (buster)

[doh-crypto-sx] Certificate hash not found

[2020-02-01 21:10:36] [DEBUG] Server [doh-crypto-sx] doesn't appear to support POST; falling back to GET requests
[2020-02-01 21:10:36] [INFO] [doh-crypto-sx] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2020-02-01 21:10:36] [DEBUG] Advertised cert: [CN=sni.cloudflaressl.com,O=Cloudflare\, Inc.,L=San Francisco,ST=CA,C=US] [78c759c6420e5055b7b06fbe125c61f81d5961ea826247134512dffadf1b4a04]
[2020-02-01 21:10:36] [DEBUG] Advertised cert: [CN=CloudFlare Inc ECC CA-2,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US] [3da4b71634a413c1cef34aa96d25a401634d4cf36c3b133c74294e48e637012a]
[2020-02-01 21:10:36] [ERROR] Certificate hash [1dd8508a8c565904397c786451e08f57613cf3c8a723f6f379fd4c3858b6f39f] not found for [doh-crypto-sx]

Human Filterable Public Resolver List

Seems that issue #15 has been closed and as a peon I am unable to reopen it.

Would it be possible to have a non-stamped list? The stamp essentially hides important information that people could [or perhaps should] use to make educated decisions about which resolvers to use.

The map is pretty... but does not provide much information, hides multiple servers in a single location (I think), and in some cases appears to be just plain incorrect.

trashvpn.de back online

Server back online, and can be added to public-resolvers.
Now on port 443, and standalone for dnscrypt (IPv4).

## trashvpn.de

dnscrypt-server Docker image : DNSSEC/Non-logged/Uncensored
Hosted in Germany

stamp = 'sdns://AQcAAAAAAAAAEjM3LjIyMS4xOTUuMTgxOjQ0MyAl_sppDIKYr4Er_QKZ1ee96Xy_f5ZZs5Dxo0EvV22IoBsyLmRuc2NyeXB0LWNlcnQudHJhc2h2cG4uZGU'

Thanks

What is considered logging? (in reference to Cloudflare)

Hi!

I tried visiting the wiki here on github, but I can't find what your policy is, regarding logging.
I'm asking because I have some concerns about Cloudflare being under the "no logging" label.
According to their website they log this:

Cloudflare will collect only the following anonymized DNS query data that is sent to the Cloudflare Resolver:

Timestamp
IP Version (IPv4 vs IPv6)
Cloudflare Resolver IP address + Destination Port
Protocol (TCP, UDP, TLS or HTTPS)
Query Name
Query Type
Query Class
Query Rd bit set
Query Do bit set
Query Size
Query EDNS enabled
EDNS Version
EDNS Requested Max Buffer Size
EDNS Nsid
Response Type (normal, timeout, blocked)
Response Code
Response Size
Records in Response
Response Time in Milliseconds
Response served from Cache
DNSSEC Validation State (secure, insecure, bogus, indeterminate)
PoP ID
Server ID
Autonomous System Number

This seems like enough information to identify someone.
I do understand they remove the IP address, as seen here:

There is some telemetry information (i.e. performance related metrics), however, that Cloudflare will store indefinitely as part of its permanent logs in order to assist Cloudflare in enhancing the overall performance of Cloudflare Resolver and identifying security threats. Cloudflare will only store permanent logs of the following such information:

My point here is this: the reason people worry about their IP address being logged is because it is considered 'identifying information'.
However, if you look at that list above, there are several things in there that can identify someone easily.

Which they actually admit to being able to do in the bold section here:

Total number of queries with different protocol settings (e.g tcp/udp/dnssec) by Cloudflare PoP
Response code/time quantiles with different protocol settings by Cloudflare PoP
Total Number of Requests Processed by Cloudflare PoP
Aggregate List of All Domain Names Requested, and timestamp of first time requested
-----> Number of unique users <-----, queries over IPv4, queries over IPv6, queries with the RD bit set, queries asking for DNSSEC, number of bogus, valid, and invalid DNSSEC answers, queries by type, number of answers with each response code, response time quantiles (e.g. 50 percentile), and number of cached answers per minute, per day, per protocol (HTTPS/UDP/TCP/TLS), per Cloudflare data center, and per Autonomous System Number.
Number of queries, number of queries with EDNS, number of bytes and time in answers quantiles (e.g. 50 percentile) by day, month, Cloudflare data center, and by IPv4 vs IPv6.
Number of queries, response codes and response code quantiles (e.g. 50 percentile) by day, region, name and type.

If they can identify unique users, and keep all the information above (some of it permanently), my suggestion is to reconsider putting them under "no-logging".

Regardless, I trust your opinion.

Source: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

Google certificate problem

I'm no longer able to use Google DNS over HTTPS with dnscrypt-proxy - if I set Google as the only resolver then I see this in my logs:

dnscrypt-proxy[12368]: System DNS configuration not usable yet, exceptionally resolving [dns.google.com] using fallback resolver [8.8.8.8:53]

dnscrypt-proxy[12368]: Certificate hash [f25c6adc73978d79c27c9e8989089faae9e08b4c49fa6c789cd2158653061068] not found for [google]

dnscrypt-proxy[12368]: dnscrypt-proxy is waiting for at least one server to be reachable

I'm not very familiar with how the dnscrypt-proxy resolvers work, but I'm guessing this means that Google is serving a different intermediate (or root) certificate than the one encoded in the public resolvers list. This only seems to affect Google - other services like Cloudflare are working correctly.

Thanks for your help!
