
What privacy and security advantages does DNSCrypt offer compared with DoH/DoT?

Checked on November 15, 2025

Executive summary

DNSCrypt predates DoH/DoT and focuses on authenticating and encrypting the client–resolver channel using its own cryptographic protocol and explicit server keys, which proponents say gives "resolver key pinning" and channel authentication advantages [1] [2]. However, many observers and implementers argue DoH/DoT deliver equivalent practical security while enjoying broader standardization, ecosystem and OS/browser support — available sources do not claim DNSCrypt is universally stronger in every real-world metric [3] [4].

1. DNSCrypt’s design: channel authentication and pinned keys

DNSCrypt was built to authenticate the communication channel between client and resolver and can include the resolver’s public key in a “stamp,” so clients explicitly trust the resolver key rather than relying solely on the WebPKI; that model helps prevent silent takeover if a DoH hostname or its certificate changes hands [1] [2].

2. DoH/DoT’s model: standard TLS and broader ecosystem support

DoH and DoT use standardized TLS/HTTPS stacks and the global Certificate Authority system for authentication; that gives them wide native support in browsers and operating systems — a practical advantage in deployment and integration that DNSCrypt often lacks [4] [5].

3. Practical security parity versus theoretical differences

Official DNSCrypt documentation and some guides state that “all the solutions above offer the same practical security level,” indicating the security benefits are similar in many operational contexts even if the mechanisms differ [3]. In other words, theoretical protocol differences don’t automatically translate into decisive real-world superiority.

4. Privacy visibility and blocking: mixed tradeoffs

DoH traffic is designed to look like normal HTTPS and can be intermixed on port 443, making it harder for network operators to block DNS queries without disrupting web traffic; that provides a privacy/anti-censorship benefit DoH can claim [6] [4]. Available sources do not give a clear statement that DNSCrypt is better at evading blocking than DoH — only that DoH can hide among HTTPS flows [6].

5. Independence from the WebPKI: DNSCrypt’s argument for reduced CA risk

DNSCrypt proponents highlight that DoH’s reliance on traditional public CAs creates an attack surface: if a DoH hostname’s ownership changes and a new operator obtains a valid certificate, the resolver could be impersonated unless certificate pinning or special measures are used. DNSCrypt’s stamp-based public-key binding aims to restore “DNSCrypt-level assurance” by tying the client to a specific resolver key [2].
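To make the key-binding point of sections 1 and 5 concrete, here is an added example (not code from Factually or from the DNSCrypt project) that encodes and decodes DNS stamps in the sdns:// format: a DNSCrypt stamp carries the resolver's public key as a mandatory field, while a DoH stamp carries only optional certificate hashes and otherwise leaves authentication to the WebPKI. The protocol byte, 8-byte property flags and length-prefixed fields follow the published DNS stamp layout; the addresses, key bytes and host names in the usage below are constructed placeholders.

```python
import base64
import struct

def _lp(data: bytes) -> bytes:
    """One length-prefixed field (1-byte length) of the stamp wire format."""
    return bytes([len(data)]) + data

def _stamp(proto: int, dnssec: bool, nolog: bool, nofilter: bool, body: bytes) -> str:
    """Protocol byte, 8-byte little-endian property flags, body; then base64url without padding."""
    props = (1 if dnssec else 0) | (2 if nolog else 0) | (4 if nofilter else 0)
    raw = bytes([proto]) + struct.pack("<Q", props) + body
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")

def encode_dnscrypt_stamp(addr, pk, provider, dnssec=False, nolog=False, nofilter=False):
    """DNSCrypt stamp (0x01): LP(addr) | LP(provider public key) | LP(provider name)."""
    return _stamp(0x01, dnssec, nolog, nofilter, _lp(addr.encode()) + _lp(pk) + _lp(provider.encode()))

def encode_doh_stamp(addr, hostname, path, hashes=(), dnssec=False, nolog=False, nofilter=False):
    """DoH stamp (0x02): LP(addr) | VLP(cert hashes, may be empty) | LP(hostname) | LP(path)."""
    vlp = b"\x00" if not hashes else b"".join(  # high bit of a length byte: more items follow
        bytes([len(h) | (0x80 if i < len(hashes) - 1 else 0)]) + h for i, h in enumerate(hashes))
    return _stamp(0x02, dnssec, nolog, nofilter,
                  _lp(addr.encode()) + vlp + _lp(hostname.encode()) + _lp(path.encode()))

def decode_stamp(stamp: str) -> dict:
    """Parse a DNSCrypt or DoH stamp and report what, if anything, the client pins."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    s = stamp[7:]
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    proto, props, pos = raw[0], struct.unpack("<Q", raw[1:9])[0], 9

    def take(vlp=False):  # one LP field, or a VLP list where a set high bit means "more items"
        nonlocal pos
        items, more = [], True
        while more:
            n, more = (raw[pos] & 0x7F, bool(raw[pos] & 0x80)) if vlp else (raw[pos], False)
            items.append(raw[pos + 1:pos + 1 + n])
            pos += 1 + n
        return items if vlp else items[0]

    out = {"protocol": proto, "dnssec": bool(props & 1), "nolog": bool(props & 2),
           "nofilter": bool(props & 4), "addr": take().decode()}
    if proto == 0x01:
        out["pinned_key"] = take()                  # resolver key travels inside the stamp
        out["provider_name"] = take().decode()
    elif proto == 0x02:
        out["cert_hashes"] = [h for h in take(vlp=True) if h]  # optional; empty = WebPKI only
        out["hostname"], out["path"] = take().decode(), take().decode()
    else:
        raise ValueError(f"unsupported stamp protocol {proto:#x}")
    return out
```

A client that keeps the DNSCrypt stamp keeps the key; a DoH stamp with an empty cert_hashes list trusts whichever CA-issued certificate the hostname presents, which is exactly the hostname-transfer risk described above.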

6. Performance and maturity concerns in real deployments

Users and forum reports show mixed performance impressions: some have reported DNSCrypt being slower in practice compared with DoH/DoT [7], while other community discussions rank DNSCrypt highly for privacy preference but acknowledge DoH/DoT are increasingly the default because many platforms support them [8] [9].

7. Compatibility and operational convenience

Because DoH/DoT are standardized and integrated into major browsers and OSes, they can be configured centrally and benefit from widespread tooling; DNSCrypt is still viable and used (including as a proxy), but it is less universally baked into mainstream client stacks — a practical disadvantage for non‑technical users [6] [5].

8. What the sources don’t say (limits of the record)

Available sources do not present comprehensive, side‑by‑side empirical measurements across latency, encryption strength, long‑term key management incidents, or large-scale privacy leakage studies that would definitively show DNSCrypt is superior in all privacy or security metrics (not found in current reporting). They also do not assert DNSCrypt is obsolete — rather, they place it alongside DoH/DoT with tradeoffs [3] [1].

9. Bottom line for practitioners: choose by threat model and environment

If your top concern is tight, explicit server-key binding and avoiding reliance on the CA system, DNSCrypt’s stamp/key model is an advantage [2] [1]. If you prioritize standardization, native browser/OS support, and easier deployment or evasion of network blocks by blending with HTTPS, DoH or DoT are the practical choices [4] [6]. The available guidance emphasizes tradeoffs rather than claiming one protocol is universally better [3].

If you want, I can map specific threat models (e.g., on‑path adversary, malicious CA, corporate monitoring) to recommended options and cite the sources above.
