Pi-Hole + DNSCrypt: Most DNS requests aren't returning SECURE

Expected Behaviour:

Forward most of the DNS requests with a SECURE return on the admin interface.

Actual Behaviour:

A lot of DNS requests are returning INSECURE, with some OK forwarded.

Debug Token:

https://tricorder.pi-hole.net/icih1t1710

Hello there,
I used Pi-hole with DNSCrypt going through scaleway-fr and anon relays.

I would like to know if you can help me with this behaviour.

Best regards,
Thank you for your work and your time.

See "How do I interpret the DNSSEC column in the query log?" for info on DNSSEC and what the results mean.

As of Pi-hole 3.3, you can see the DNSSEC status in the query log.

  • SECURE are records that have been signed and verified to be unchanged from the authoritative DNS server
  • INSECURE are records that either have no signature or DNSSEC is not implemented for the domain; either the domain is unsigned and not implementing DNSSEC or there are other issues
  • BOGUS are records that have been signed but have changed or been altered from the authoritative DNS server

You will see INSECURE, but that does not mean a bad record–just has not been implemented. BOGUS records are something to look at, either they have been altered in transit or the domain maintainer has not updated the records correctly. At present, 90% of the records you see will be INSECURE as there is not a lot of DNSSEC uptake currently.

If you see BOGUS on a test for a known bad record then things look like they are configured correctly. As more domains move to utilizing DNSSEC the INSECURE will tend to fade away, but we are a long ways away from full adoption of the technology.

2 Likes
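A client-side way to see the three states described in the reply above, as an added example that is not part of the original thread: it classifies `dig` header output from a validating resolver, using the AD flag and a second query sent with `+cd` to tell a DNSSEC failure apart from an ordinary SERVFAIL. The sample headers are constructed and the function names are hypothetical.

```python
import re

# Constructed dig header excerpts (not captured from a real resolver).
HDR = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 1\n;; flags: {}; QUERY: 1, ANSWER: {}\n"
SIGNED = HDR.format("NOERROR", "qr rd ra ad", 1)         # validated answer
UNSIGNED = HDR.format("NOERROR", "qr rd ra", 1)          # answered, AD bit clear
BROKEN = HDR.format("SERVFAIL", "qr rd ra", 0)           # resolver refused to answer
BROKEN_CD = HDR.format("NOERROR", "qr rd ra cd", 1)      # same name, queried with +cd
UPSTREAM_DOWN = HDR.format("SERVFAIL", "qr rd ra cd", 0)  # fails even with +cd

ANSWERED = ("NOERROR", "NXDOMAIN")


def parse_header(dig_output):
    """Return (rcode, set of flags) from dig's header lines."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"flags: ([a-z ]*);", dig_output)
    if not status or not flags:
        raise ValueError("no DNS header found in dig output")
    return status.group(1), set(flags.group(1).split())


def classify(normal, checking_disabled=None):
    """Map resolver behaviour to SECURE, INSECURE, BOGUS or UNKNOWN.

    normal            -- dig output for a plain query
    checking_disabled -- dig output for the same query with +cd,
                         only needed when the plain query got SERVFAIL
    """
    rcode, flags = parse_header(normal)
    if rcode in ANSWERED:
        # AD set: the resolver validated the chain of trust.
        # AD clear: unsigned zone, or a resolver that does not validate,
        # so confirm with a known-signed name before trusting INSECURE.
        return "SECURE" if "ad" in flags else "INSECURE"
    if rcode == "SERVFAIL" and checking_disabled is not None:
        cd_rcode, _ = parse_header(checking_disabled)
        if cd_rcode in ANSWERED:
            # Data exists upstream but validation rejected it.
            return "BOGUS"
    # SERVFAIL alone is not proof of a DNSSEC problem.
    return "UNKNOWN"


if __name__ == "__main__":
    print(classify(SIGNED), classify(UNSIGNED), classify(BROKEN, BROKEN_CD))
```
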

I’ve taken a look at the doc, but I prefer to be certain. Thank you for your answer!

As an extra question, do you know how I can really be sure that my DNS requests are encrypted by DNSCrypt from my Pi?

Regards.

No, I don’t. You’d need to ask the DNSCrypt folks about that.

1 Like

Will do!

Thank you again.

1 Like