How to use DNSCrypt on Windows.
First of all, go here and read.
http://dnscrypt.org/
Now download this:
https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-win32-full-1.6.0.zip
Now grab the Service.
http://simonclausen.dk/dnscrypt-winservicemgr/DNSCrypt Windows Service Manager.zip
That makes it incredibly easy.
Now extract both somewhere and copy dnscrypt-winservicemgr.exe into the dnscrypt-proxy-win32 directory and move it wherever you want it to remain. Run the service and be sure to set it to use only the IPv4 servers and NEVER use any of the Cisco, Nawala, or OpenDNS servers.
Here is a list of the current servers. Be sure to choose one that does not log. And despite me already telling you what servers not to use, check here to see if anything has changed.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
And go here and read some more.
https://github.com/Noxwizard/dnscrypt-winclient
Now download this:
https://github.com/Noxwizard/dnscrypt-winclient/archive/master.zip
And extract the zips into a temporary directory.
Now copy the files in \dnscrypt-proxy-win32\bin\ into \dnscrypt-winclient-master\binaries\Release\ and copy the \dnscrypt-winclient-master\ directory and all subdirectories and files into your program files directory or wherever you want it.
Now all you have to do is make a shortcut to the dnscrypt-winclient.exe file and put it somewhere handy for you.
Run it and you get a little window that pops up. Click "Show hidden adapters" and select all in the list. Now click the "Config" tab and select whatever server you want to use. DO NOT USE ANY THAT SAY IPv6. PIA does not support IPv6, so none of these will work. Click start once you have selected one to use. Minimize the window and do not "close" it. This is crucial.
*Edit* Do not click Install in the window. I have no idea what it does besides making it work as a Windows service. I have no idea if it functions correctly like this or retains any of the settings as it should.
*Edit* Updated for 1.4.3.
*Edit* Updated for 1.6.0 and the Windows Service manager.
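An added example, not part of the original post: a Python filter that applies the post's selection rules (IPv4 only, no logging, none of the named operators) to the resolver list and puts DNSSEC-validating entries first. The column headers and every row in the embedded sample are assumptions constructed for illustration; check the headers against the linked dnscrypt-resolvers.csv before feeding it the real file.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed column layout of dnscrypt-resolvers.csv;
# names, addresses and keys are placeholders, not real resolvers.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,Example A,Constructed entry,Nowhere,,https://a.example,1,yes,yes,no,203.0.113.10:443,2.dnscrypt-cert.a.example,PLACEHOLDER-KEY,
example-a-ipv6,Example A over IPv6,Constructed entry,Nowhere,,https://a.example,1,yes,yes,no,[2001:db8::10]:443,2.dnscrypt-cert.a.example,PLACEHOLDER-KEY,
example-b,Example B,Constructed entry that logs,Nowhere,,https://b.example,1,no,no,no,198.51.100.20,2.dnscrypt-cert.b.example,PLACEHOLDER-KEY,
opendns,OpenDNS,Constructed stand-in row,Nowhere,,https://c.example,1,no,no,no,192.0.2.30,2.dnscrypt-cert.c.example,PLACEHOLDER-KEY,
example-d,Example D,Constructed entry,Nowhere,,https://d.example,1,no,yes,no,192.0.2.40:5353,2.dnscrypt-cert.d.example,PLACEHOLDER-KEY,
"""

# Operators the post says never to use, matched in the name columns.
EXCLUDED = ("cisco", "nawala", "opendns")


def is_ipv4(resolver_address):
    """True for '1.2.3.4' or '1.2.3.4:port', False for '[v6]:port' or junk."""
    host = resolver_address.strip()
    if host.count(":") == 1:
        host = host.split(":", 1)[0]  # drop the port
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:  # bracketed IPv6, hostname or empty field
        return False


def pick_resolvers(csv_text):
    """Return (name, address, dnssec) for IPv4, no-log, non-excluded rows."""
    picked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = f"{row['Name']} {row['Full name']}".lower()
        if any(bad in label for bad in EXCLUDED):
            continue
        if row["No logs"].strip().lower() != "yes":
            continue
        if not is_ipv4(row["Resolver address"]):
            continue
        dnssec = row["DNSSEC validation"].strip().lower() == "yes"
        picked.append((row["Name"], row["Resolver address"], dnssec))
    return sorted(picked, key=lambda r: not r[2])  # DNSSEC validators first


if __name__ == "__main__":
    for name, addr, dnssec in pick_resolvers(SAMPLE_CSV):
        print(f"{name:12} {addr:20} DNSSEC={'yes' if dnssec else 'no'}")
```

The "No logs" column is the operator's own statement, so the filter narrows the list but does not verify the claim.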

Comments
DO NOT USE OpenDNS as your server. Check this list and use only the servers that say they do not log. (DNSSEC support is a nice bonus too.)
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
Is this version (dnscrypt-proxy-win32-full-1.4.1.zip) good for Windows 7 x64?
Does it not work the same for you? I have a system tray icon when it runs, and the window is nowhere to be seen.
I actually do start it manually from a shortcut I made for it.
Because I honestly have no idea if it would bind to the correct TAP driver or not, I never tried the "Install" function that would in theory mean you would not need to start it manually ever again.
And since I clearly misunderstood your question, please let me clarify.
The only part you need to do is the last paragraph of the OP. Here it is so you do not have to scroll up for it.
"Run it and you get a little window that pops up. Click "Show hidden
adapters" and select all in the list. Now click the "Config" tab and
select whatever server you want to use. DO NOT USE ANY THAT SAY IPv6.
PIA does not support IPv6, so none of these will work. Click start once
you have selected one to use. Minimize the window and do not "close" it.
This is crucial."
If I missed anything or you have further questions, please do not hesitate to ask. I hope this helps.
I don't see any "start" or "minimize" buttons, so that's why I'm a little confused with your instructions.
I will make a screenshot so you can see what I see. (Actually two of them, so you can see the start and stop buttons each.)
And once I click stop, I see this.
I would personally like to know if there was a way to disable the Install button. I am always afraid I may eventually click it and since I do not know what it does exactly, that would be motive for me to reinstall it minus actually clicking install. (I know install is supposed to make it a Windows service, but I have no idea if you can kill it and restart it to get it to bind to the right interfaces.)
*Edit* And thanks for the clarification. I edited the original post to instruct people not to use Install since I have no idea how it works.
https://github.com/Vitili/dnscrypt-winclient
Noxwizard's fork added install as service and custom providers.
https://github.com/Noxwizard/dnscrypt-winclient/network
Here are the simple steps needed to determine what DNS server is used by Windows. There are two easy ways, the command line is actually easier, but people tend to hate it, so here is the other way.
Right click the "Network tray" icon. Select and left click "Open Network and Sharing Center", find the interface you use on the right side under "Connect or Disconnect", click it. Now in the little window that pops up, click properties. Select, but do not toggle "Internet Protocol Version 4 (TCP/IPv4)" and click properties.
Now you should see the DNS address specified as 127.0.0.1 and if not, then something is wrong, or you have selected the wrong interface. (That is why doing this from the command line is easier by far, you need not click more than one thing, and you never have to pick your interface.)
Click Start and click run and type "cmd" to start a command prompt. Type "ipconfig /all" and hit enter. Scroll up and down to see the entries in the results. Try to find the interface you are using. And the DNS entries are stated in plain text.
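An added example, not part of the thread: a Python check that reads `ipconfig /all` output and reports every adapter whose DNS servers are not the local DNSCrypt proxy at 127.0.0.1, including extra servers printed on unlabelled continuation lines. The sample output is constructed, uses documentation-range addresses, and assumes the English-locale field label "DNS Servers".

```python
import re

# Constructed sample of English-locale `ipconfig /all` output (trimmed).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Controller
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter TAP Example:

   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

HEADING = re.compile(r"^(\S.*):\s*$")                      # unindented, ends in ':'
FIELD = re.compile(r"^\s+([^.:]+?)\s*(?:\. ?)+:\s?(.*)$")  # 'Label . . . : value'


def dns_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        heading = HEADING.match(line)
        if heading:
            adapter, in_dns = heading.group(1), False
            result[adapter] = []
        elif adapter and line.strip():
            field = FIELD.match(line)
            if field:
                in_dns = field.group(1).strip() == "DNS Servers"
                if in_dns and field.group(2).strip():
                    result[adapter].append(field.group(2).strip())
            elif in_dns:  # unlabelled line: one more DNS server
                result[adapter].append(line.strip())
    return result


def bypassing_proxy(text, proxy="127.0.0.1"):
    """Adapters that list any DNS server other than the local proxy."""
    found = {a: [s for s in v if s != proxy] for a, v in dns_by_adapter(text).items()}
    return {a: v for a, v in found.items() if v}


if __name__ == "__main__":
    for name, servers in bypassing_proxy(SAMPLE).items():
        print(f"{name}: DNS not via 127.0.0.1 -> {', '.join(servers)}")
```

Adapters with no DNS entry at all, such as disconnected ones, are not reported.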
To test if DNSCrypt was working properly, I did the ipconfig /all and did not see any DNS entries for the NICs listed as 127.0.0.1. Could this be because I have hard-coded PIA's DNS entries in my Windows 8 network settings? I did this to secure my traffic, but perhaps I have to remove them to get DNSCrypt to work? Any advice would be welcomed.
So it is very possible that setting conflicts with DNSCrypt. If anyone were able to confirm this it would be greatly appreciated. (I would love to, but there are only two ISPs in the area, and one is a dedicated line for my mother, so I am stuck with Charter and the crap they do.)
*Edit* Also to clarify, I think the NIC will be anything but 127.0.0.1 however, and the DNS is the only thing I would expect to see using that.
When I run ipconfig /all I see 127.0.0.1 as the DNS servers for all NICs.
When I do a DNS Leak test, I see the DNS servers that I chose using the dnscrypt-winclient. Does this mean that DNSCrypt is working? What about the Warning message I receive above, is this an issue, and if so, how to solve that?
I hate to keep pestering you for details, but did you turn off DNS Leak Protection in the PIA client? I honestly have no idea how it even works, since I have heard that even with it disabled it would still set your DNS when you connect to the VPN.
If you have not tried it already, I use the okTurtles resolver. They have a funny idea about using cryptographic currency as a means to replace DNS, but at this point, how could it be worse than normal DNS? (They explain it better on their site, but I do not buy into the claims they make. Except that DNS is broken. Everyone agrees with that.)
http://okturtles.com/
If you are using the right servers for DNS, and all DNS requests on your system are being tunneled through 127.0.0.1 then you most certainly have DNSCrypt working. You can kill the DNSCrypt program and set the same exact settings in DNS and get no response whatsoever from most servers. (Probably all of them really.)
If DNSCrypt is running and started, it is working as it should be. That warning message may be due to the server you choose, or it may be just random packet loss affecting the connection. I would not worry one bit about it unless it gets annoying.
I have never seen that error message myself, and have no idea why you get it. I am reluctant to say what you should do, since the word "should" implies that the suggestions I would make may be better than nothing. What I am not hesitant to say is what *I* would do. I would leave DNSCrypt working as usual and not think a thing about it.
The DNS Leak test says my DNS might be leaking too, for every last server. But it cannot tell me what my real IP is if I connect to the VPN first. So I consider that almost a disservice. An actual DNS leak would provide details that can be used to determine who is accessing what regardless of VPNs and proxies.
If your setup shows your real IP while connected to the VPN, then there is a major problem. So if that is the case for you, please stop using DNSCrypt at once and re-enable the DNS Leak Protection in the VPN. (If like myself you spend most of the time not connected to the VPN, then DNSCrypt is still useful, if only to make it more difficult for eavesdroppers.)
As for how safe it is, I cannot give a perfect answer. But I do believe it is superior to any solution I have seen so far. It uses the SSL to negotiate a secure link to the DNS servers, just unlike typical SSL it uses a particular Elliptic-Curve to calculate the results. And while for a VPN, that is considered bad, for DNS, particularly if already using the VPN, it is unimportant. Here are some details about it if you want to read up on it.
http://dnscurve.org/crypto.html
DNSCrypt is based on DNSCurve. That is the only reason I linked in that page above.
http://www.opendns.com/about/innovations/dnscrypt/
See this for details of the weak keys.
https://www.privateinternetaccess.com/pages/vpn-encryption#ecc_warning
It took me forever to find the page since it has all but ceased to exist from the site and I could not remember what terms to use in my search, so I searched for "encryption" and an hour later I found it. Lol. I bookmarked it now for later use.