DNSCrypt Windows Guide

DNSCrypt is a software application for securing communications between a client (your own PC) and a DNS resolver (server).

simplednscrypt_logo
Official SimpleDNSCrypt tool Logo

What is DNSCrypt?

DNSCrypt solves the DNS leak problem. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with. Your ISP often intercepts the DNS resolvers you use, and then swap them with their own DNS resolver. This can be used to do various things, whether it’s to log their customers’ activities, inject ads to your browser, or even block certain domains.

What’s wrong with DNS queries? For one, they’re not encrypted. That opens the door to:

  • Spying: Attackers use DNS to spy on Internet users’ online activity via DNS replay, observation, and timing attacks. DNSLeaks are well-known an a common problem.
  • Man-in-the-middle attacks: When an attacker intercepts the communication stream and
    impersonates both the local and remote station.
  • Resolver impersonation: Intermediaries hijack DNS traffic destined for trusted naming servers, rerouting them to malicious name servers; which in turn, provide fraudulent query responses.
Before DNSCrypt
Someone is trying to use Googles DNS,
After DNSCrypt
The default DNS server from the tested ISP is showing instead of the standard DNS servers provided by Google Public DNS. This is a simple example case of a DNS leak.

What it doesn’t do

DNSCrypt does not replace a VPN – but it can help to resolve the three mentioned problems. When you type a name in the URL field of a web browser, you expect to go to the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank’s website, you may be sent to a very good copy of the actual website specifically to steal your banking credentials.

Requirements

  • Windows (this guide is focused on Windows)
  • DNSCrypt via e.g. a GUI like SimpleDNSCrypt
  • See how to enable IPv6 (in case you use it) here.
  • 5 minutes time

Installation

Download the x86 or x64 according to your Windows version.

SimpleDNSCryptInstaller
The MSI installer is easy to handle and it explains every installation step.
SimpleDNSCryptSetup
Most options are a matter of taste, set it based on your needs.
SimpleDNSCrypt default dir
The default installation dir is good to go.

First start and setup

Once the setup has been completed, and you run the app, you will see this.

 

Soltysiak

The top part (the bigger tiles) of this window is your network adapters. Active network adapters that aren’t linked to the DNSCrypt service are marked grey, and when you link it to the DNSCrypt service, it will turn green. Inactive adapters are marked grey.

The middle part is where you configure your DNS resolvers. So far Simple DNSCrypt doesn’t have support for secondary resolvers, but this will come in a later update. The bottom part of the window is an option to toggle your DNSCrypt services off.

To configure your DNSCrypt service, first you will have to choose which DNSCrypt resolvers you will use. In this example we prefer Soltysiak, the most current list will be downloaded each time you open the program and then periodically in the background, in case you want to check the servers before you install the program, here is always the latest dnscrypt-resolver.csv list.

fre
Choose your favourite server here, the little alarm clock can measure the latency/response time from (it takes a while to see the result in ms next to each server in the list).
SimpleDNSCryptToogles
Toggle this switch to activate your DNSCrypt service, the secondary service is optional and in case that the first server is down/maintainance/offline.

Now check and click on a network adapter to activate the service for that adapter. Basically, what this does is replace your preferred DNS server to 127.0.0.1, since that’s where the DNSCrypt service runs on. IPv6 user need to set it to ::1.

thjt
The Ethernet interface is green, the resolver is running. You can activate multiple interfaces at the same time!

That’s it! Now run the DNS leak test again and it should show now the choosed dnsresolver instead of your ISP one.

Optional: In case you not want/like IPv6 you can disable it under the ‘Advance Settings‘ among several other options, you can also block ads or block specific Domain’s/IP’s or IP-ranges. The benefit is here that you can work with regular expressions, which means instead of blocking, ads.facebook.com, ads1.facebook.com you simply can block all ads domain at all via *.ads.

Advance Settings
The default settings are good enough here.
Extension Manager
The Plugin/Extension manager is something you can use and tweak, if you not use IPv6 then disable it, the logging is useful in case you want to catch dns-requests (for e.g. system-wide adblocking).
dw
The IP/domain ‘blocker’ works with regular expressions rules which makes it easier to block thousands of domains, you need to enable logging for this function, which creates a small .txt file on your drive which collects all dns-requests.

SimpleDNSCrypt does not provide a backup solution (yet) in case you want to backup your blocked IP’s or settings, you can manually copy & paste the entire folders oder only the specific files located in:

  • C:\Program Files (x86)\bitbeans\Simple DNSCrypt\data
  • C:\Program Files\bitbeans\Simple DNSCrypt\data

Then paste it into your new installation, after a restart the rules should be recovered. The resolver needs to stop/start to recognize the change.

Advertisements

2 thoughts on “DNSCrypt Windows Guide

  1. My problem with nslookup has stopped. It now shows correct results, like the results shown by Haravikk at arstechinca.

    I think I know why.

    I have been using Simple DNSCrypt to install and adjust settings for the dnscrypt-proxy process and service (which presumably encrypts my DNS lookup queries and directs them to a good list of DNS resolvers who don’t keep logs, etc.).

    Simple DNSCrypt has various “switches” for its settings. However, I think Simple DNSCrypt is buggy about those switches and is not toggling through the settings the way we think they are. Those switches require some “jiggling”.

    Just now, for different reasons, I toggled back and forth the switches at “Main Menu – Using IPv6 Server” (leaving it off) and “Advanced Settings – Block IPv6” (leaving it on). Now nslookup works.

    I think the jiggling in Simple DNSCrypt did the trick.

    Could someone else try, please?

    Like

  2. Dear CK – Your article here at https://chefkochblog.wordpress.com/2018/01/09/dnscrypt-windows-guide/ is the best I’ve seen so far.

    However, Simple DNSCrypt and/or dnscrypt-proxy are giving me an odd problem with nslookup, on my Win 7 Pro 64-bit machine, on what was my old Verizon DSL and is now my new Verizon FIOS .

    Please see my posts at
    https://community.cloudflare.com/t/nslookup-gives-dns-timed-out-on-1-1-1-1-with-simple-dnscrypt/15959/6
    and
    starting with Haravikk’s post at https://arstechnica.com/civis/viewtopic.php?p=35144937#p35144937 and going down.

    What do yout think?

    Like

Comments are closed.

Blog at WordPress.com.

Up ↑

%d bloggers like this: