DNSCrypt Windows Guide

DNSCrypt is a software application for securing communications between a client (your own PC) and a DNS resolver (server).

[Image: the official SimpleDNSCrypt tool logo]

What is DNSCrypt?

DNSCrypt solves the DNS leak problem. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with. Your ISP often intercepts the DNS resolvers you use and swaps them with its own DNS resolver. This can be used for various things, whether to log customers’ activities, inject ads into your browser, or even block certain domains.

What’s wrong with DNS queries? For one, they’re not encrypted. That opens the door to:

  • Spying: Attackers use DNS to spy on Internet users’ online activity via DNS replay, observation, and timing attacks. DNS leaks are a well-known and common problem.
  • Man-in-the-middle attacks: When an attacker intercepts the communication stream and impersonates both the local and remote station.
  • Resolver impersonation: Intermediaries hijack DNS traffic destined for trusted name servers and reroute it to malicious name servers, which in turn provide fraudulent query responses.
[Image: before DNSCrypt: someone is trying to use Google’s DNS]
[Image: after DNSCrypt: the default DNS server of the tested ISP is showing instead of the standard DNS servers provided by Google Public DNS. This is a simple example of a DNS leak.]

What it doesn’t do

DNSCrypt does not replace a VPN – but it can help to resolve the three mentioned problems. When you type a name in the URL field of a web browser, you expect to go to the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank’s website, you may be sent to a very good copy of the actual website specifically to steal your banking credentials.

Requirements

  • Windows (this guide is focused on Windows)
  • DNSCrypt via e.g. a GUI like SimpleDNSCrypt
  • See how to enable IPv6 (in case you use it) here.
  • 5 minutes time

Installation

Download the x86 or x64 installer according to your Windows version.

[Image: SimpleDNSCrypt installer] The MSI installer is easy to handle and explains every installation step.
[Image: SimpleDNSCrypt setup] Most options are a matter of taste; set them based on your needs.
[Image: SimpleDNSCrypt default directory] The default installation directory is good to go.

First start and setup

Once the setup has been completed and you run the app, you will see this.

[Image: SimpleDNSCrypt main window, Soltysiak resolver selected]

The top part of this window (the bigger tiles) shows your network adapters. Active network adapters that aren’t linked to the DNSCrypt service are marked grey; once you link one to the DNSCrypt service, it turns green. Inactive adapters are marked grey.

The middle part is where you configure your DNS resolvers. So far Simple DNSCrypt doesn’t support secondary resolvers, but this will come in a later update. The bottom part of the window is a switch to toggle your DNSCrypt services on or off.

To configure your DNSCrypt service, you first have to choose which DNSCrypt resolver you will use. In this example we prefer Soltysiak. The most current list is downloaded each time you open the program and then periodically in the background; if you want to check the servers before you install the program, here is always the latest dnscrypt-resolver.csv list.

[Image: resolver list] Choose your favourite server here; the little alarm clock measures the latency/response time to each server (it takes a while for the result in ms to appear next to each server in the list).
[Image: SimpleDNSCrypt toggles] Toggle this switch to activate your DNSCrypt service. The secondary service is optional and is used in case the first server is down, under maintenance, or offline.

Now click on a network adapter to activate the service for that adapter. Basically, what this does is replace your preferred DNS server with 127.0.0.1, since that is where the DNSCrypt service listens. IPv6 users need to set it to ::1.
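To see for yourself what the adapter tile changed, here is an added PowerShell example written for this guide (it is not part of SimpleDNSCrypt or dnscrypt-proxy). It lists the DNS servers of every connected adapter, flags any that do not point at 127.0.0.1 or ::1 (an adapter left on “obtain automatically” still uses the ISP resolver), and then asks the local proxy directly for a record and times the answer, much like the alarm-clock button in the GUI. It uses only the built-in DnsClient and NetAdapter cmdlets (Windows 8 / Server 2012 or later); the query name example.com is just a test name.

```powershell
# Added example for this guide, not SimpleDNSCrypt's own code.
# Verifies that the Windows DNS client is pointed at the local DNSCrypt proxy
# and that the proxy answers. Needs the built-in DnsClient / NetAdapter modules.

$LoopbackServers = @('127.0.0.1', '::1')   # where dnscrypt-proxy listens (IPv4 / IPv6)

function Test-DnsCryptAdapterBinding {
    # One row per connected adapter and address family, with a UsesProxy flag.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        $adapter = $_
        foreach ($family in 'IPv4', 'IPv6') {
            $cfg = Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -AddressFamily $family
            $servers = @($cfg.ServerAddresses)
            # An empty list means "obtain automatically" (DHCP / router advertisement),
            # i.e. the ISP resolver, so it must NOT count as using the proxy.
            $foreign = @($servers | Where-Object { $_ -notin $LoopbackServers })
            if ($servers.Count) { $serverText = $servers -join ', ' } else { $serverText = '(automatic)' }
            [pscustomobject]@{
                Adapter   = $adapter.Name
                Family    = $family
                Servers   = $serverText
                UsesProxy = ($servers.Count -gt 0) -and ($foreign.Count -eq 0)
            }
        }
    }
}

function Test-DnsCryptProxy {
    param([string]$Name = 'example.com')
    # Ask the proxy directly (bypassing the adapter settings) and time the answer.
    # A timeout here means the dnscrypt-proxy service is not running or is not
    # listening on port 53 of the loopback address.
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName -Name $Name -Server '127.0.0.1' -Type A -DnsOnly -ErrorAction Stop
        $status = 'OK'
    } catch {
        $answer = @()
        $status = "FAILED: $($_.Exception.Message)"
    }
    $stopwatch.Stop()
    $ips = @($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    [pscustomobject]@{
        Name       = $Name
        Status     = $status
        Addresses  = $ips -join ', '
        Latency_ms = [int]$stopwatch.ElapsedMilliseconds
    }
}

Test-DnsCryptAdapterBinding | Format-Table -AutoSize
Test-DnsCryptProxy | Format-List
```

Run it from a normal PowerShell prompt; nothing in it changes settings. If an “Up” adapter shows UsesProxy = False, that adapter is still handing queries to whatever the ISP or router supplied, which is exactly the leak the guide is about. If the second part reports FAILED while the adapters are bound to the loopback address, name resolution will break system-wide until the service is started again, so fix that before leaving the adapter switched on.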

[Image: adapter tiles] The Ethernet interface is green; the resolver is running. You can activate multiple interfaces at the same time!

That’s it! Now run the DNS leak test again and it should show the chosen DNS resolver instead of your ISP’s.

Optional: if you do not want IPv6, you can disable it under ‘Advanced Settings’, among several other options. You can also block ads or block specific domains, IPs or IP ranges. The benefit here is that you can work with regular expressions, which means that instead of blocking ads.facebook.com and ads1.facebook.com one by one, you can simply block all ads domains at once via *.ads.

[Image: Advanced Settings] The default settings are good enough here.
[Image: Extension Manager] The plugin/extension manager is something you can use and tweak: if you do not use IPv6, disable it; the logging is useful if you want to capture DNS requests (e.g. for system-wide ad blocking).
[Image: domain/IP blocker] The IP/domain ‘blocker’ works with regular-expression rules, which makes it easier to block thousands of domains. You need to enable logging for this function, which creates a small .txt file on your drive that collects all DNS requests.
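Since the request log is already on disk, it pays to dry-run a rule against it before switching the rule on: an unanchored pattern such as ads also matches loads.example.org, and a rule that matches nothing is usually a typo. The following PowerShell is an added example written for this guide, not part of SimpleDNSCrypt or dnscrypt-proxy. The log lines and the rules are constructed for illustration (the real logging plugin’s file layout may differ; change $NameField to the column that holds the queried name), and the rules are ordinary .NET regular expressions, which is an assumption about the blocker’s syntax.

```powershell
# Added example for this guide (not SimpleDNSCrypt's own code): preview which
# logged DNS requests a set of regular-expression rules would block.

# Constructed sample log: one request per line as "timestamp name type".
# The real logging plugin's format may differ; adjust $NameField below.
$SampleLog = @'
2018-01-09T10:00:01 www.example.com A
2018-01-09T10:00:02 ads.facebook.com A
2018-01-09T10:00:02 ads1.facebook.com AAAA
2018-01-09T10:00:03 cdn.example.com A
2018-01-09T10:00:04 tracker.example.net A
2018-01-09T10:00:05 www.example.com AAAA
2018-01-09T10:00:06 loads.example.org A
'@ -split "`r?`n"

$NameField = 1   # zero-based index of the queried name within a log line

# Hypothetical rules. The first is anchored so it matches ads., ads1., ads2. as a
# leading label but not loads.example.org; the last is deliberately unanchored
# to show how a sloppy rule over-blocks.
$Rules = @(
    '^ads\d*\.',
    '^tracker\.',
    'ads'
)

function Get-DnsBlockPreview {
    param([string[]]$LogLines, [string[]]$Patterns, [int]$Field = 1)
    # Count queries per name, then report every rule that would block each one.
    $counts = @{}
    foreach ($line in $LogLines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -le $Field -or -not $fields[$Field]) { continue }   # skip malformed lines
        $name = $fields[$Field].ToLowerInvariant().TrimEnd('.')            # normalise the name
        $counts[$name] = 1 + [int]$counts[$name]
    }
    foreach ($name in ($counts.Keys | Sort-Object)) {
        $hits = @($Patterns | Where-Object { $name -match $_ })
        [pscustomobject]@{
            Domain       = $name
            Queries      = $counts[$name]
            Blocked      = ($hits.Count -gt 0)
            MatchedRules = $hits -join ' | '
        }
    }
}

function Get-RuleCoverage {
    param([string[]]$Names, [string[]]$Patterns)
    # How many distinct names each rule catches: 0 suggests a typo, a large
    # share of all names suggests the rule is too broad.
    foreach ($rule in $Patterns) {
        [pscustomobject]@{
            Rule  = $rule
            Names = @($Names | Where-Object { $_ -match $rule }).Count
        }
    }
}

$preview = Get-DnsBlockPreview -LogLines $SampleLog -Patterns $Rules -Field $NameField
$preview | Format-Table -AutoSize
Get-RuleCoverage -Names $preview.Domain -Patterns $Rules | Format-Table -AutoSize
```

With the constructed log, the first table shows loads.example.org marked as blocked by the unanchored ads rule alone, and the second table shows that rule catching three names where the anchored one catches two; that is the kind of collateral block you want to see on paper rather than in a broken web page. To test real rules, replace $SampleLog with Get-Content on the logging plugin’s .txt file.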

SimpleDNSCrypt does not provide a backup solution (yet). If you want to back up your blocked IPs or settings, you can manually copy and paste the entire folders or only the specific files located in:

  • C:\Program Files (x86)\bitbeans\Simple DNSCrypt\data
  • C:\Program Files\bitbeans\Simple DNSCrypt\data

Then paste them into your new installation; after a restart the rules should be recovered. The resolver needs to be stopped and started to recognize the change.


2 responses to “DNSCrypt Windows Guide”

  1. My problem with nslookup has stopped. It now shows correct results, like the results shown by Haravikk at arstechnica.

    I think I know why.

    I have been using Simple DNSCrypt to install and adjust settings for the dnscrypt-proxy process and service (which presumably encrypts my DNS lookup queries and directs them to a good list of DNS resolvers who don’t keep logs, etc.).

    Simple DNSCrypt has various “switches” for its settings. However, I think Simple DNSCrypt is buggy about those switches and is not toggling through the settings the way we think they are. Those switches require some “jiggling”.

    Just now, for different reasons, I toggled back and forth the switches at “Main Menu – Using IPv6 Server” (leaving it off) and “Advanced Settings – Block IPv6” (leaving it on). Now nslookup works.

    I think the jiggling in Simple DNSCrypt did the trick.

    Could someone else try, please?


  2. Dear CK – Your article here at https://chefkochblog.wordpress.com/2018/01/09/dnscrypt-windows-guide/ is the best I’ve seen so far.

    However, Simple DNSCrypt and/or dnscrypt-proxy are giving me an odd problem with nslookup, on my Win 7 Pro 64-bit machine, on what was my old Verizon DSL and is now my new Verizon FIOS.

    Please see my posts at
    https://community.cloudflare.com/t/nslookup-gives-dns-timed-out-on-1-1-1-1-with-simple-dnscrypt/15959/6
    and
    starting with Haravikk’s post at https://arstechnica.com/civis/viewtopic.php?p=35144937#p35144937 and going down.

    What do you think?
