DNSCrypt is a protocol, implemented by client software such as dnscrypt-proxy, for authenticating and encrypting the communication between a client (your own PC) and a DNS resolver (server).
What is DNSCrypt?
DNSCrypt addresses the DNS leak problem, i.e. your queries ending up at a resolver you did not choose. It encrypts the traffic to the resolver and uses cryptographic signatures to verify that responses originate from the DNS resolver you selected and have not been tampered with in transit. ISPs often intercept the DNS queries you send to your chosen resolver and redirect them to their own. That can be used for various things: logging customers' activity, injecting ads into your browser, or blocking certain domains.
What's wrong with plain DNS queries? For one, they are neither encrypted nor authenticated. That opens the door to:
- Spying: attackers use DNS to spy on Internet users' online activity via DNS replay, observation, and timing attacks. DNS leaks are a well-known and common problem.
- Man-in-the-middle attacks: an attacker intercepts the communication stream and impersonates both ends, the local station and the remote station.
- Resolver impersonation: intermediaries hijack DNS traffic destined for trusted name servers and reroute it to malicious name servers, which in turn provide fraudulent query responses.
What it doesn’t do
DNSCrypt does not replace a VPN: it only protects the path between you and the resolver, and the resolver you pick still sees every name you look up. It does, however, help against the three problems listed above. When you type a name in the URL field of a web browser, you expect to land on the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank's website, you may be sent to a very good copy of it, built specifically to steal your banking credentials.
What you need
- Windows (this guide is focused on Windows)
- DNSCrypt via a GUI such as Simple DNSCrypt
- See how to enable IPv6 (in case you use it) here.
- 5 minutes of time
First start and setup
Once the setup has completed and you run the app, you will see the main window.
The top part of this window (the bigger tiles) shows your network adapters. Active network adapters that are not yet linked to the DNSCrypt service are shown grey; when you link one to the DNSCrypt service, it turns green. Inactive adapters are also shown grey.
The middle part is where you configure your DNS resolvers. So far Simple DNSCrypt does not support secondary resolvers, but this will come in a later update. The bottom part of the window lets you toggle the DNSCrypt services off.
To configure the DNSCrypt service, first choose which DNSCrypt resolver you will use. In this example we prefer Soltysiak. The most current resolver list is downloaded each time you open the program and then periodically in the background; if you want to check the servers before installing the program, the latest dnscrypt-resolvers.csv list is always available here.
Now tick a network adapter to activate the service for it. What this does is replace the adapter's preferred DNS server with 127.0.0.1, because that is where the local DNSCrypt service listens. IPv6 users need to set the adapter's IPv6 DNS server to the IPv6 loopback address as well.
That's it! Now run the DNS leak test again; it should show the chosen DNS resolver instead of your ISP's.
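The same adapter change, scripted, so you can see exactly what the GUI does and verify it afterwards. This is an added example and not Simple DNSCrypt's own code; it assumes the Windows service installed by Simple DNSCrypt is named dnscrypt-proxy (check with Get-Service), that it listens on the loopback addresses, and that your adapter alias is 'Ethernet' (adjust the parameter).

```powershell
# Added example (not from the Simple DNSCrypt project): point one adapter at the local
# DNSCrypt proxy and verify the change. Assumptions: the service is called
# "dnscrypt-proxy" and listens on 127.0.0.1 (and ::1 when IPv6 is enabled).
#Requires -RunAsAdministrator
param(
    [string]$AdapterName = 'Ethernet',   # assumption: your adapter alias may differ
    [switch]$IPv6                        # also point the IPv6 DNS at loopback
)

# Refuse to cut the adapter over to a proxy that is not running, or name
# resolution would simply stop working.
$svc = Get-Service -Name 'dnscrypt-proxy' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "dnscrypt-proxy service is $($svc.Status); start it (or enable it in Simple DNSCrypt) first."
}

# Record the current settings so the change can be reverted by hand if needed.
$before = Get-DnsClientServerAddress -InterfaceAlias $AdapterName -AddressFamily IPv4
Write-Host "IPv4 DNS before: $($before.ServerAddresses -join ', ')"

$servers = @('127.0.0.1')
if ($IPv6) { $servers += '::1' }
Set-DnsClientServerAddress -InterfaceAlias $AdapterName -ServerAddresses $servers

# Flush cached answers so the test query below really goes through the proxy.
Clear-DnsClientCache

# Verify: the adapter now lists only loopback, and a query against the proxy resolves.
Get-DnsClientServerAddress -InterfaceAlias $AdapterName |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "$($_.AddressFamily) DNS now: $($_.ServerAddresses -join ', ')" }

$answer = Resolve-DnsName -Name example.com -Type A -Server 127.0.0.1 -DnsOnly
$ip = $answer | Where-Object Type -eq 'A' | Select-Object -First 1 -ExpandProperty IPAddress
Write-Host "example.com via 127.0.0.1 -> $ip"
```

Run it from an elevated PowerShell; the -Server 127.0.0.1 query is the local equivalent of the leak test, since it fails outright if nothing is listening on the loopback address.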
Optional: if you do not want IPv6, you can disable it under 'Advanced Settings', alongside several other options; there you can also block ads, or block specific domains, IPs, or IP ranges. The benefit is that you can work with wildcard patterns: instead of blocking ads.facebook.com, ads1.facebook.com and so on one by one, you can block every hostname whose first label is ads with a pattern such as ads.*, or every hostname containing ads with *ads*.
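To see which names a given pattern actually catches before you commit it to the block list, here is a small matcher. It is an added example, not part of Simple DNSCrypt or dnscrypt-proxy; it assumes the wildcard forms of dnscrypt-proxy's domain block list (exact name, *.suffix, prefix.*, *substring*) and approximates them with PowerShell's -like operator, and the list and hostnames are constructed for illustration.

```powershell
# Added example, not Simple DNSCrypt's own code: test hostnames against block-list
# patterns. Assumption: patterns use the wildcard forms of dnscrypt-proxy's domain
# block list (exact name, *.suffix, prefix.*, *substring*); -like is an approximation.
function Test-BlockedHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$Patterns
    )
    $name = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($p in $Patterns) {
        $pat = $p.ToLowerInvariant().Trim()
        if (-not $pat -or $pat.StartsWith('#')) { continue }   # skip blanks and comments
        # -like treats * as "any run of characters", which is what the prefix,
        # suffix and substring forms need; a bare name must match as a whole.
        if ($name -like $pat) { return $pat }
    }
    return $null
}

# Constructed sample block list and candidate names (not real data).
$blocklist = @(
    '# constructed example list',
    'ads.*',             # any host whose first label is "ads"
    '*.doubleclick.net', # every subdomain of doubleclick.net (not the apex itself)
    '*tracking*',        # "tracking" anywhere in the name
    'pixel.example.com'  # one exact host
)
$candidates = 'ads.facebook.com', 'ads1.facebook.com', 'static.doubleclick.net',
              'doubleclick.net', 'cdn.tracking-host.example', 'pixel.example.com',
              'www.example.com'

foreach ($h in $candidates) {
    $hit = Test-BlockedHost -HostName $h -Patterns $blocklist
    if ($hit) { "{0,-30} BLOCKED by {1}" -f $h, $hit } else { "{0,-30} allowed" -f $h }
}
```

The output makes the trade-off visible: ads.* catches ads.facebook.com but not ads1.facebook.com, *.doubleclick.net catches the subdomain but not the apex, and a broad *tracking* pattern will also match any unrelated name that happens to contain that string, so check a pattern against a few real hostnames before relying on it.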
Simple DNSCrypt does not yet provide a backup function. If you want to back up your blocked IPs or settings, manually copy the entire folder, or only the specific files, located in:
- C:\Program Files (x86)\bitbeans\Simple DNSCrypt\data
- C:\Program Files\bitbeans\Simple DNSCrypt\data
Then paste it into your new installation; after a restart the rules should be recovered. The resolver service needs to be stopped and started again to pick up the change.
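The backup and restore steps above as a script, including the service restart the text says is needed. This is an added example and not a feature of Simple DNSCrypt; it assumes the data folder is in one of the two default locations listed above and that the resolver runs as a Windows service named dnscrypt-proxy. The backup location is an arbitrary choice.

```powershell
# Added example, not part of Simple DNSCrypt: back up or restore the data folder that
# holds the block rules and settings, then restart the proxy so it re-reads them.
# Assumptions: service name "dnscrypt-proxy"; install in one of the default paths.
param(
    [ValidateSet('Backup', 'Restore')][string]$Mode = 'Backup',
    [string]$BackupDir = "$env:USERPROFILE\SimpleDNSCrypt-backup"   # arbitrary choice
)

# Pick whichever default install path actually exists on this machine.
$candidates = @(
    "$env:ProgramFiles\bitbeans\Simple DNSCrypt\data",
    "${env:ProgramFiles(x86)}\bitbeans\Simple DNSCrypt\data"
)
$dataDir = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $dataDir) {
    throw "No Simple DNSCrypt data folder found in: $($candidates -join '; ')"
}

switch ($Mode) {
    'Backup' {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Copy-Item -Path "$dataDir\*" -Destination $BackupDir -Recurse -Force
        Write-Host "Copied $dataDir -> $BackupDir"
    }
    'Restore' {
        if (-not (Test-Path $BackupDir)) { throw "Backup folder $BackupDir not found" }
        # Stop the resolver first so it does not overwrite the files while copying,
        # then start it again so the restored rules are actually loaded.
        Stop-Service -Name 'dnscrypt-proxy' -ErrorAction SilentlyContinue
        Copy-Item -Path "$BackupDir\*" -Destination $dataDir -Recurse -Force
        Start-Service -Name 'dnscrypt-proxy'
        Write-Host "Restored $BackupDir -> $dataDir and restarted dnscrypt-proxy"
    }
}
```

Backup works from a normal prompt; Restore writes under Program Files and controls a service, so run it from an elevated PowerShell (for example .\backup.ps1 -Mode Restore).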