DNSCrypt is a software application for securing communications between a client (your own PC) and a DNS resolver (server).
What is DNSCrypt?
DNSCrypt solves the DNS leak problem. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with. Your ISP often intercepts the queries you send to your chosen DNS resolvers and swaps in its own resolver instead. This can be used for various purposes: logging customers’ activity, injecting ads into your browser, or even blocking certain domains.
What’s wrong with DNS queries? For one, they’re not encrypted. That opens the door to:
- Spying: Attackers use DNS to spy on Internet users’ online activity via DNS replay, observation, and timing attacks. DNS leaks are a well-known and common problem.
- Man-in-the-middle attacks: An attacker intercepts the communication stream and impersonates both the local and the remote station.
- Resolver impersonation: Intermediaries hijack DNS traffic destined for trusted name servers and reroute it to malicious name servers, which in turn provide fraudulent query responses.
What it doesn’t do
DNSCrypt does not replace a VPN – but it can help to resolve the three problems mentioned above. When you type a name in the URL field of a web browser, you expect to go to the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank’s website, you may be sent to a very good copy of the actual website built specifically to steal your banking credentials.
Requirements
- Windows (this guide is focused on Windows)
- DNSCrypt via e.g. a GUI like SimpleDNSCrypt
- See how to enable IPv6 (in case you use it) here.
- 5 minutes time
Installation
Download the x86 or x64 installer according to your Windows version.
First start and setup
Once the setup has been completed, and you run the app, you will see this.
The top part of this window (the bigger tiles) shows your network adapters. Active network adapters that aren’t linked to the DNSCrypt service are marked grey; once you link one to the DNSCrypt service it turns green. Inactive adapters are marked grey.
The middle part is where you configure your DNS resolvers. So far Simple DNSCrypt doesn’t have support for secondary resolvers, but this will come in a later update. The bottom part of the window is an option to toggle your DNSCrypt services off.
To configure your DNSCrypt service, first you will have to choose which DNSCrypt resolvers you will use. In this example we prefer Soltysiak. The most current list is downloaded each time you open the program and then periodically in the background. In case you want to check the servers before you install the program, the latest dnscrypt-resolver.csv list is always available.
Now check and click on a network adapter to activate the service for that adapter. Basically, what this does is replace your preferred DNS server with 127.0.0.1, since that’s where the DNSCrypt service runs. IPv6 users need to set it to ::1.
That’s it! Now run the DNS leak test again and it should show the chosen DNS resolver instead of your ISP’s one.
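As an added check that is not part of the original guide or of Simple DNSCrypt itself, the following PowerShell function confirms the three things the steps above should have produced: the proxy service is running, every active adapter sends DNS only to 127.0.0.1 or ::1, and a lookup through the local proxy actually succeeds. The service name dnscrypt-proxy is an assumption; adjust it if your installation registered the service under another name.

```powershell
# Added verification script (not part of Simple DNSCrypt or the original guide).
# Service name 'dnscrypt-proxy' is an assumption; change it if yours differs.
function Test-DnsCryptSetup {
    param(
        [string]$ServiceName = 'dnscrypt-proxy',
        [string[]]$Expected  = @('127.0.0.1', '::1')   # loopback, as set by the guide
    )
    $ok = $true

    # 1. Is the DNSCrypt proxy service actually running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Service '$ServiceName' is not running."
        $ok = $false
    }

    # 2. Does every adapter that is up resolve through loopback only?
    #    Any other server here means queries bypass DNSCrypt (a DNS leak).
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex).ServerAddresses
        $leaking = $servers | Where-Object { $_ -notin $Expected }
        if ($leaking) {
            Write-Warning "$($adapter.Name): still uses $($leaking -join ', ') - queries bypass DNSCrypt."
            $ok = $false
        } elseif (-not $servers) {
            Write-Warning "$($adapter.Name): no DNS server configured."
            $ok = $false
        } else {
            Write-Host "$($adapter.Name): OK ($($servers -join ', '))"
        }
    }

    # 3. End to end: a query sent directly to the local proxy must be answered.
    try {
        $null = Resolve-DnsName -Name 'example.com' -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
        Write-Host 'Lookup via 127.0.0.1 succeeded.'
    } catch {
        Write-Warning "Lookup via 127.0.0.1 failed: $($_.Exception.Message)"
        $ok = $false
    }
    return $ok
}

Test-DnsCryptSetup
```

Run it from an elevated PowerShell after linking the adapters; a result of False together with the warnings tells you which adapter or component still needs attention before the DNS leak test will pass.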
Optional: In case you don’t want or like IPv6, you can disable it under ‘Advanced Settings’, among several other options. You can also block ads or block specific domains, IPs or IP ranges. The benefit here is that you can work with regular expressions, which means that instead of blocking ads.facebook.com and ads1.facebook.com individually, you can simply block all ads domains at once via *.ads.
SimpleDNSCrypt does not provide a backup solution (yet). In case you want to back up your blocked IPs or settings, you can manually copy and paste the entire folders or only the specific files located in:
- C:\Program Files (x86)\bitbeans\Simple DNSCrypt\data
- C:\Program Files\bitbeans\Simple DNSCrypt\data
Then paste it into your new installation; after a restart the rules should be recovered. The resolver needs to be stopped and started to recognize the change.
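The manual copy described above, as an added PowerShell helper that is not part of the original guide or of Simple DNSCrypt: it picks whichever of the two data folders listed above exists, stops the proxy so the files are not written while being copied, copies the folder to a timestamped backup, and starts the proxy again. The service name dnscrypt-proxy is an assumption.

```powershell
# Added backup helper (not part of Simple DNSCrypt or the original guide).
# Service name 'dnscrypt-proxy' is an assumption; change it if yours differs.
function Backup-SimpleDnsCryptData {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string]$ServiceName = 'dnscrypt-proxy'
    )
    # The two install locations named in the guide (x86 and x64 builds).
    $candidates = @(
        'C:\Program Files (x86)\bitbeans\Simple DNSCrypt\data',
        'C:\Program Files\bitbeans\Simple DNSCrypt\data'
    )
    $source = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $source) { throw 'Simple DNSCrypt data folder not found in either install path.' }

    # Stop the proxy only if it is running, so the files are consistent during the copy.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $wasRunning = $svc -and $svc.Status -eq 'Running'
    if ($wasRunning) { Stop-Service -Name $ServiceName }
    try {
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $target = Join-Path $Destination "SimpleDNSCrypt-data-$stamp"
        Copy-Item -Path $source -Destination $target -Recurse
        Write-Host "Backed up $source to $target"
        return $target
    } finally {
        # Always bring the resolver back, even if the copy failed.
        if ($wasRunning) { Start-Service -Name $ServiceName }
    }
}

Backup-SimpleDnsCryptData -Destination "$env:USERPROFILE\Documents"
```

Restoring is the same operation in reverse: stop the service, copy the saved folder back over the data folder of the new installation, then start the service so it picks up the recovered rules.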
2 responses to “DNSCrypt Windows Guide”
My problem with nslookup has stopped. It now shows correct results, like the results shown by Haravikk at arstechnica.
I think I know why.
I have been using Simple DNSCrypt to install and adjust settings for the dnscrypt-proxy process and service (which presumably encrypts my DNS lookup queries and directs them to a good list of DNS resolvers who don’t keep logs, etc.).
Simple DNSCrypt has various “switches” for its settings. However, I think Simple DNSCrypt is buggy about those switches and is not toggling through the settings the way we think they are. Those switches require some “jiggling”.
Just now, for different reasons, I toggled back and forth the switches at “Main Menu – Using IPv6 Server” (leaving it off) and “Advanced Settings – Block IPv6” (leaving it on). Now nslookup works.
I think the jiggling in Simple DNSCrypt did the trick.
Could someone else try, please?
Dear CK – Your article here at https://chefkochblog.wordpress.com/2018/01/09/dnscrypt-windows-guide/ is the best I’ve seen so far.
However, Simple DNSCrypt and/or dnscrypt-proxy are giving me an odd problem with nslookup, on my Win 7 Pro 64-bit machine, on what was my old Verizon DSL and is now my new Verizon FIOS.
Please see my posts at
https://community.cloudflare.com/t/nslookup-gives-dns-timed-out-on-1-1-1-1-with-simple-dnscrypt/15959/6
and
starting with Haravikk’s post at https://arstechnica.com/civis/viewtopic.php?p=35144937#p35144937 and going down.
What do you think?