dnscrypt
A pure-Rust, high-assurance implementation of the DNSCrypt v2 client protocol. Supporting both synchronous and asynchronous (Tokio-backed) resolution, this crate provides transport-level encryption and cryptographic authentication for all your DNS queries.
No C bindings, no OpenSSL dependencies, and no unsafe code.
Features
- Pure Rust Cryptography: Built entirely on high-assurance cryptographic implementations (
chacha20,poly1305,x25519-dalek,ed25519-dalek). - Memory Security: Integrates the
zeroizecrate to securely wipe sensitive keying material and decrypted buffers from memory on drop. - MITM Resistance: Relies on pinned resolver public keys hardcoded at compile-time to prevent CA-level compromise/spoofing.
- Robust TCP Fallback: Automatically and transparently retries queries over TCP if the decrypted DNSCrypt response indicates truncation (TC bit set).
- Consensus Voting (
max-securitymode): Queries multiple DNSCrypt providers in parallel and returns only consensus-voted results, discarding minority/unconfirmed IP addresses. - Reqwest Integration: Ships a drop-in
DnscryptResolverto route all host lookups in areqwest::Clientthrough DNSCrypt. - Async & Sync Support: Complete async/sync dual API.
Feature Flags
| Feature | Description | Default |
|---|---|---|
tokio |
Enables asynchronous API, async session establishment, and async DNS querying using Tokio. | Yes |
zeroize |
Wraps all sensitive state, keys, nonces, and decrypted payloads in zero-on-drop containers. | Yes |
reqwest |
Enables the DnscryptResolver for integration with reqwest::Client. |
Yes |
max-security |
Aggregates and votes on results from multiple providers, returning only majority-voted answers. | No |
Cryptographic Specification
| Primitive | Protocol Role | Crate |
|---|---|---|
| X25519 DH | Per-session key agreement with the resolver | x25519-dalek |
| HChaCha20 | Key derivation from the raw Diffie-Hellman secret | chacha20 |
| XChaCha20-Poly1305 | Authenticated encryption of queries/responses | chacha20 / poly1305 |
| Ed25519 | Resolver certificate signature verification | ed25519-dalek |
Quick Start
Add dnscrypt to your Cargo.toml:
[]
= "0.1"
1. Simple Synchronous Resolution
use ;
2. Asynchronous (Tokio) Resolution
Make sure the tokio feature flag is enabled:
use ;
async
3. Reqwest Client Integration
Enable the reqwest feature flag to use DnscryptResolver:
use DnscryptResolver;
use Arc;
async
4. Custom DNSCrypt Resolvers
Bypass the default list of resolvers by supplying your own custom configurations:
use ;
use ;
const MY_RESOLVERS: & = &;
Security Hardening
This library has undergone systematic hardening to defend against transport-level threats:
- Zeroization: Sensitive memory containers (keys, nonces, plaintext packets) are systematically zero-filled on drop when the
zeroizefeature is active. - Randomized Padding & TXIDs: Queries are padded to randomized boundaries to prevent side-channel traffic analysis. Transaction IDs are derived from a cryptographically secure random source (
getrandom). - Encrypted TC Detection: The parser decrypts responses before validating truncation. If a response is truncated inside the secure envelope, the resolver automatically executes a retry over TCP.
- Majority Voting: When configured with
max-security, minority/non-consensus IP responses are automatically discarded to prevent MITM attacks from compromised or corrupted nodes.
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.