> Personally, instead of DNSCrypt, I prefer CurveDNS

Neither is a replacement for the other; they're orthogonal. They solve different problems. You should use both of them. From the CurveDNS link you posted:

> CurveDNS supports:
>
> Forwarding of regular (non-protected) DNS packets

These are being sent in the clear, and your ISP is most certainly logging them. You should tell your CurveDNS resolver to use a (local) dnscrypt-proxy instance for resolving "regular (non-protected)" queries that don't have DNSCurve entries. Then you have the best of both worlds!

> The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it

Because DNSCrypt is only for querying recursive resolvers!

... and DNSCurve is only for querying authoritative resolvers.

DNSCrypt is link-level encryption between you and your recursive resolver (the thing you put in /etc/resolv.conf). DNSCurve is link-level encryption between your recursive resolver (or you) and the authoritative resolver (like this one, which is authoritative for cr.yp.to):

    $ dig -t NS yp.to
    yp.to. 3600 IN NS uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.

It is a shame that the two names (DNSCurve and DNSCrypt) are so similar.
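
Added example, not part of the comment above: a small Python check for whether a zone's NS names advertise a DNSCurve key, which tells you whether the resolver-to-authoritative hop can be encrypted at all. It relies on the DNSCurve naming convention (a 54-character first label: the magic string `uz5` followed by 51 characters of little-endian base-32 encoding a 255-bit public key); the function names and the `ns1.example.net.` sample are constructed for illustration.

```python
# DNSCurve's base-32 alphabet (no a, e, i, o); digits are read little-endian.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
MAGIC = "uz5"

# NS name taken from the dig output in the comment above.
NS_FROM_POST = "uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to."
# Constructed sample of an ordinary NS name with no DNSCurve key.
CONSTRUCTED_PLAIN_NS = "ns1.example.net."


def dnscurve_key(ns_name):
    """Return the 32-byte public key carried in an NS name, or None."""
    label = ns_name.rstrip(".").split(".")[0].lower()
    if len(label) != 54 or not label.startswith(MAGIC):
        return None
    value = 0
    for i, ch in enumerate(label[len(MAGIC):]):
        digit = ALPHABET.find(ch)
        if digit < 0:
            return None  # character outside the DNSCurve alphabet
        value |= digit << (5 * i)
    # 51 digits * 5 bits = 255 bits, so the value always fits in 32 bytes.
    return value.to_bytes(32, "little")


def classify(ns_names):
    """Map each NS name to True if it advertises a DNSCurve key."""
    return {name: dnscurve_key(name) is not None for name in ns_names}


if __name__ == "__main__":
    for name, protected in classify([NS_FROM_POST, CONSTRUCTED_PLAIN_NS]).items():
        hop = "DNSCurve-capable" if protected else "plain DNS (sent in the clear)"
        print(f"{name:70s} {hop}")
```

Names reported as plain DNS are the ones whose queries leave the resolver unencrypted, which is the traffic the comment suggests routing through a local dnscrypt-proxy instead.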