DNSCurve.io

DNSCurve FAQ

1. Is DNSCurve encrypted?

Yes.

2. Can encryption in DNSCurve be disabled?

No.

3. Can a DNSCurve server talk to a non-DNSCurve server?

Yes. DNSCurve is only used when both the resolver and authoritative server support DNSCurve. Otherwise plain DNS is used.

4. How are DNSCurve packets encrypted?

DNSCurve uses Curve25519 for key exchange and XSalsa20Poly1305 for encryption.

5. Does DNSCurve prevent caching?

No. DNSCurve does not prevent caching.

6. Will DNS need to be changed to allow DNSCurve?

No. DNSCurve is being deployed on the Internet we have now.

7. Does DNSCurve require extra packets?

No. DNSCurve requires the same number of packets as normal DNS.

8. How does a DNSCurve resolver know if an authoritative DNS server supports DNSCurve?

An authoritative DNSCurve server has its Curve25519 public key in a label of its NS record. If the remote server advertises DNSCurve support in this way, the resolver encrypts the query.

9. What is the format of a DNSCurve public key?

• 54-byte label in Base-32;
• Beginning with the magic string "uz5";
• Remaining 51 bytes each one of 0123456789bcdfghjklmnpqrstuvwxyz;
• E.g.: uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828
• So a complete hostname could be e.g. uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.example.com

10. What's the difference between DNSCurve and DNSCrypt?

With only minor changes, DNSCrypt is basically DNSCurve, brought to secure the link between a client and a resolver. They use the same cryptography and even the same magic string (R6fnvWJ8) in answers. DNSCurve is essentially link-level encrypted DNS via Curve25519XSalsa20Poly1305, and:

• DNSCurve is between resolvers and authoritative servers;
• DNSCrypt is DNSCurve between clients and resolvers.

11. Can I use both DNSCurve and DNSCrypt?

Yes, for example you can use DNSCrypt with a server that supports DNSCurve, e.g. dnscrypt-proxy => dnscrypt-wrapper => dqcache. However, end-users will typically support one or the other.

12. Can I use both DNSCurve and DoH/DoT?

Yes, like in the case with DNSCrypt, DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) are only used for queries sent by clients such as a web browser. Next, the actual DNS query sent by a recursive resolver to a content/authoritative DNS server can be protected with DNSCurve. DoH/DoT are not used between recursive resolvers and authoritative servers.

13. What are the differences between DNSSEC and DNSCurve?

Please see this answer.