How to use DNSCrypt on Windows.

edited July 2015 in General Privacy Discussion Posts: 4,013
First of all, go here and read.
http://dnscrypt.org/

Now download this:
https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-win32-full-1.6.0.zip

Now grab the Service.
http://simonclausen.dk/dnscrypt-winservicemgr/DNSCrypt Windows Service Manager.zip

That makes it incredibly easy.

Now extract both somewhere and copy dnscrypt-winservicemgr.exe into the dnscrypt-proxy-win32 directory and move it wherever you want it to remain. Run the service and be sure to set it to use only the IPv4 servers and NEVER use any of the Cisco, Nawala, or OpenDNS servers.

Here is a list of the current servers. Be sure to choose one that does not log. And despite me already telling you what servers not to use, check here to see if anything has changed.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

And go here and read some more.
https://github.com/Noxwizard/dnscrypt-winclient

Now download this:
https://github.com/Noxwizard/dnscrypt-winclient/archive/master.zip

And extract the zips into a temporary directory.

Now copy the files in \dnscrypt-proxy-win32\bin\ into \dnscrypt-winclient-master\binaries\Release\ and copy the \dnscrypt-winclient-master\ directory and all subdirectories and files into your program files directory or wherever you want it.

Now all you have to do is make a shortcut to the dnscrypt-winclient.exe file and put it somewhere handy for you.

Run it and you get a little window that pops up. Click "Show hidden adapters" and select all in the list. Now click the "Config" tab and select whatever server you want to use. DO NOT USE ANY THAT SAY IPv6. PIA does not support IPv6, so none of these will work. Click start once you have selected one to use. Minimize the window and do not "close" it. This is crucial.

*Edit* Do not click Install in the window. I have no idea what it does besides making it work as a Windows service. I have no idea if it functions correctly like this or retains any of the settings as it should.

*Edit* Updated for 1.4.3.
*Edit* Updated for 1.6.0 and the Windows Service manager.
Post edited by OmniNegro on

Comments

  • Posts: 4,013
    Note that when you use the VPN that is another device that will appear in the "NICs" tab that needs to be checked, and it will not show until you exit and restart DNSCrypt.

    DO NOT USE OpenDNS as your server. Check this list and use only the servers that say they do not log. (DNSSEC support is a nice bonus too.)
    https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
  • Posts: 4,013
    Good Job! Thank you Omni :)
    You are very welcome. I hope someone will benefit from this and stop giving more data to Google and OpenDNS for free. Those trolls are fat enough. Feed them no more.
  • Posts: 18
    Hi,
    Is this version (dnscrypt-proxy-win32-full-1.4.1.zip) good for Windows 7 x64?
  • Posts: 4,013
    That is the version I am using. And I use Windows 7 x64. So I would answer yes.
  • Do we need to manually start "dnscrypt-winclient.exe - Shortcut" each time we log into Windows? There is a check box in front of "start service when Windows starts", but your instructions "Minimize the window and do not "close" it. This is crucial." make it sound like the actual window must always be open.
  • Posts: 4,013
    It minimizes to the system tray. If you just click close it stops working instantly.

    Does it not work the same for you? I have a system tray icon when it runs, and the window is nowhere to be seen.

    I actually do start it manually from a shortcut I made for it.
  • That's not the question. I'm asking, do you only need to do the steps you describe once or each time you start the computer?
  • Posts: 4,013
    Each and every time you start the PC, or the VPN. If you start the VPN again later, you need to first close the existing copy of DNSCrypt running in the system tray then run it again so it will be able to bind to the TAP driver. The TAP driver is always there, but not listed unless you are running the VPN, and I am unsure if it is the same if you close the VPN and restart it or if it needs to be started again.

    Because I honestly have no idea if it would bind to the correct TAP driver or not, I never tried the "Install" function that would in theory mean you would not need to start it manually ever again.

    And since I clearly misunderstood your question, please let me clarify.

    The only part you need to do is the last paragraph of the OP. Here it is so you do not have to scroll up for it.
    "Run it and you get a little window that pops up. Click "Show hidden
    adapters" and select all in the list. Now click the "Config" tab and
    select whatever server you want to use. DO NOT USE ANY THAT SAY IPv6.
    PIA does not support IPv6, so none of these will work. Click start once
    you have selected one to use. Minimize the window and do not "close" it.
    This is crucial."

    If I missed anything or you have further questions, please do not hesitate to ask. I hope this helps.
  • When I turn on my computer and open dnscrypt winclient, this is what I see: [image]

    I don't see any "start" or "minimize" buttons, so that's why I'm a little confused with your instructions.

  • edited October 2014 Posts: 4,013
    Well, you did one thing I have never done. You clicked Install. That is why you do not have an "Install" button. And you can click stop at any time to then see it replaced by start. (Unless that is not working the same when you install it.)

    I will make a screenshot so you can see what I see. (Actually two of them, so you can see the start and stop buttons each.)
    [image]

    And once I click stop, I see this.
    [image]

    I would personally like to know if there was a way to disable the Install button. I am always afraid I may eventually click it and since I do not know what it does exactly, that would be motive for me to reinstall it minus actually clicking install. (I know install is supposed to make it a Windows service, but I have no idea if you can kill it and restart it to get it to bind to the right interfaces.)

    *Edit* And thanks for the clarification. I edited the original post to instruct people not to use Install since I have no idea how it works.
  • Ok thanks. Is there any way to check if DNSCrypt is working correctly?
  • I would personally like to know if there was a way to disable the Install button.
    You can try running an earlier version?
    https://github.com/Vitili/dnscrypt-winclient

    Noxwizard's fork added install as service and custom providers.
    https://github.com/Noxwizard/dnscrypt-winclient/network
  • Posts: 4,013
    Yes. All you need to do is two things. First verify your PC can resolve things, and then check the address your network has set up to use for DNS. If it is 127.0.0.1 then it is certainly going through DNSCrypt since it would not work any other way.

    Here are the simple steps needed to determine what DNS server is used by Windows. There are two easy ways, the command line is actually easier, but people tend to hate it, so here is the other way.

    Right click the "Network tray" icon. Select and left click "Open Network and Sharing Center", find the interface you use on the right side under "Connect or Disconnect", click it. Now in the little window that pops up, click properties. Select, but do not toggle "Internet Protocol Version 4 (TCP/IPv4)" and click properties.

    Now you should see the DNS address specified as 127.0.0.1 and if not, then something is wrong, or you have selected the wrong interface. (That is why doing this from the command line is easier by far, you need not click more than one thing, and you never have to pick your interface.)

    Click Start and click run and type "cmd" to start a command prompt. Type "ipconfig /all" and hit enter. Scroll up and down to see the entries in the results. Try to find the interface you are using. And the DNS entries are stated in plain text.
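    An added example, not code from this thread or from the dnscrypt projects: a PowerShell script that automates the two checks above (every active adapter, including the TAP adapter that only shows up while the VPN is connected, must point at 127.0.0.1, and names must still resolve) and adds a third, that something is actually listening on UDP 127.0.0.1:53, which is where the client's "Proxying from 127.0.0.1:53" message says dnscrypt-proxy binds. It assumes those defaults and uses only WMI, netstat and .NET so it runs on Windows 7 and later.

```powershell
# Added example (not from this thread or from the dnscrypt projects).
# (1) every IP-enabled adapter must list 127.0.0.1 as its only DNS server,
# (2) something must be listening on UDP 127.0.0.1:53 (dnscrypt-proxy's bind address),
# (3) names must still resolve. Uses WMI, netstat and .NET only (Windows 7 and later).

function Test-DnsCryptSetup {
    param(
        [string]$ProxyAddress = '127.0.0.1',   # assumption: proxy bound to loopback
        [int]$ProxyPort = 53,                  # assumption: default DNS port
        [string]$ProbeName = 'dnscrypt.org'    # any name expected to resolve
    )
    $ok = $true

    # (1) Effective DNS servers per adapter. DNSServerSearchOrder reflects what is
    # really in use, including servers pushed by DHCP or by the VPN client, so a
    # VPN-assigned resolver shows up here even when the Windows setting is empty.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $dns = @($a.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) {
            Write-Warning ("{0}: no DNS server set; queries will not reach DNSCrypt" -f $a.Description)
            $ok = $false
        } elseif (@($dns | Where-Object { $_ -ne $ProxyAddress }).Count -gt 0) {
            Write-Warning ("{0}: DNS = {1}; anything other than {2} bypasses DNSCrypt" -f `
                $a.Description, ($dns -join ', '), $ProxyAddress)
            $ok = $false
        } else {
            Write-Host ("{0}: DNS = {1} (ok)" -f $a.Description, $ProxyAddress)
        }
    }

    # (2) Is the proxy actually running? Closing the client window kills it, so a
    # correct DNS setting with no listener means every lookup simply fails.
    $pattern = '^\s*UDP\s+{0}:{1}\s' -f [regex]::Escape($ProxyAddress), $ProxyPort
    $listener = @(netstat -ano -p UDP | Select-String -Pattern $pattern)
    if ($listener.Count -gt 0) {
        Write-Host ("Listener found: {0}" -f $listener[0].Line.Trim())
    } else {
        Write-Warning ("Nothing is listening on UDP {0}:{1}; dnscrypt-proxy is not running" -f $ProxyAddress, $ProxyPort)
        $ok = $false
    }

    # (3) Resolution still works through the proxy.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($ProbeName)
        Write-Host ("{0} resolves to {1}" -f $ProbeName, (($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '))
    } catch {
        Write-Warning ("{0} does not resolve: {1}" -f $ProbeName, $_.Exception.Message)
        $ok = $false
    }

    return $ok
}

if (Test-DnsCryptSetup) { 'All DNS traffic is configured to go through DNSCrypt.' }
else { 'At least one check failed; see the warnings above.' }
```

    Passing all three checks shows that Windows hands every lookup to the local proxy and that the proxy answers; which upstream resolver actually sees the queries is what a DNS leak test then tells you.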
  • Posts: 4,013
    I think I will just be careful. And eventually I will make the mistake of misclicking and install it and perhaps I will learn more about it then. Thanks though.
  • I followed all the original steps above to get dnscrypt-winclient to work, and the DOS window that opens seems to confirm that and says "Proxying from 127.0.0.1:53 to 77.66.84.233:5353"

    To test if DNSCrypt was working properly, I did the ipconfig /all and did not see any DNS entries for the NICs listed as 127.0.0.1. Could this be because I have hard-coded PIA's DNS entries in my Windows 8 network settings? I did this to secure my traffic, but perhaps I have to remove them to get DNSCrypt to work? Any advice would be welcomed.
  • edited October 2014 Posts: 4,013
    I honestly have no idea what could cause that. I have to run DNSCrypt because of a trick my local ISP did to make people think their modems are bad so they will buy new ones. And because of that I have the DNS Leak Protection feature of PIA disabled.

    So it is very possible that setting conflicts with DNSCrypt. If anyone were able to confirm this it would be greatly appreciated. (I would love to, but there are only two ISPs in the area, and one is a dedicated line for my mother, so I am stuck with Charter and the crap they do.)

    *Edit* Also to clarify, I think the NIC will be anything but 127.0.0.1 however, and the DNS is the only thing I would expect to see using that.
  • Me again... I tried something different, where I removed PIA's DNS servers in Windows, and replaced that with 127.0.0.1. When I run dnscrypt-winclient-master it shows the proxying details from 127.0.0.1:53 to the server I chose, but then I keep getting a [WARNING] notice: Connection reset by peer [WSAECONNRESET]

    When I run ipconfig /all I see 127.0.0.1 as the DNS servers for all NICs.

    When I do a DNS Leak test, I see the DNS servers that I chose using the dnscrypt-winclient. Does this mean that DNSCrypt is working? What about the Warning message I receive above, is this an issue, and if so, how to solve that?

  • Posts: 4,013
    Does that warning happen for every server? Or just for the one you prefer?

    I hate to keep pestering you for details, but did you turn off DNS Leak Protection in the PIA client? I honestly have no idea how it even works, since I have heard that even with it disabled it would still set your DNS when you connect to the VPN.

    If you have not tried it already, I use the okTurtles resolver. They have a funny idea about using cryptographic currency as a means to replace DNS, but at this point, how could it be worse than normal DNS? (They explain it better on their site, but I do not buy into the claims they make. Except that DNS is broken. Everyone agrees with that.)
    http://okturtles.com/
  • Posts: 4,013
    And since I was too hasty and did not give a direct answer, here is another attempt.

    If you are using the right servers for DNS, and all DNS requests on your system are being tunneled through 127.0.0.1 then you most certainly have DNSCrypt working. You can kill the DNSCrypt program and set the same exact settings in DNS and get no response whatsoever from most servers. (Probably all of them really.)

    If DNSCrypt is running and started, it is working as it should be. That warning message may be due to the server you choose, or it may be just random packet loss affecting the connection. I would not worry one bit about it unless it gets annoying.
  • OK, here are a few more details and answers to your questions. I have DNS Leak Protection disabled. Tonight I selected okTurtles in dnscrypt-winclient, and I also got the same Warning message as before (Connection reset by peer [WSAECONNRESET]). That aside, the other distinction I wanted to make was that when I leave my DNS settings in Windows empty, ipconfig /all shows all DNS Servers as PIA's for the TAP-Win32 Adapter V9 and 192.168.1.1 for my Ethernet adapter. Then when I change the Windows DNS servers to 127.0.0.1, ipconfig /all shows DNS Servers for both NICs as 127.0.0.1. Can you clarify if I should/can leave the Windows DNS servers as 127.0.0.1?

  • One more question if you don't mind (I really appreciate your help so far!). When I use PIA's DNS Leak test (www.dnsleak.com) it shows the okTurtles DNS and IP, as well as my IP, but it says that it looks like my DNS may be leaking? Any advice on that result and how to test/troubleshoot DNS leak tests using DNSCrypt?
  • Posts: 4,013
    Sorry for the delay. I was a bit busy with some minor chores.

    I have never seen that error message myself, and have no idea why you get it. I am reluctant to say what you should do, since the word "should" implies that the suggestions I would make may be better than nothing. What I am not hesitant to say is what *I* would do. I would leave DNSCrypt working as usual and not think a thing about it.

    The DNS Leak test says my DNS might be leaking too, for every last server. But it cannot tell me what my real IP is if I connect to the VPN first. So I consider that almost a disservice. An actual DNS leak would provide details that can be used to determine who is accessing what regardless of VPNs and proxies.

    If your setup shows your real IP while connected to the VPN, then there is a major problem. So if that is the case for you, please stop using DNSCrypt at once and re-enable the DNS Leak Protection in the VPN. (If like myself you spend most of the time not connected to the VPN, then DNSCrypt is still useful, if only to make it more difficult for eavesdroppers.)
  • Now I am curious as to whether I should be using BOTH DNSCrypt and PIA's VPN at the same time? Is DNSCrypt ignoring PIA's DNS servers since I have them entered in Windows to 127.0.0.1, and DNSCrypt is proxying from that DNS to the server I choose? Is PIA's VPN being used somehow, just not its DNS servers? You mentioned that you are usually not connected to the VPN, is that because DNSCrypt is just as safe or is there another reason? Hope you don't mind the questions as I am learning a lot from this and hope to find a good method to connect securely to the Internet to maximize privacy - I guess that's why I thought using both would help.
  • Posts: 4,013
    That is exactly what DNSCrypt does. It ushers out any other DNS in use and replaces it with itself. That is why I say to close it and reopen it after connecting to the VPN, because otherwise the VPN will set up DNS on its own.

    As for how safe it is, I cannot give a perfect answer. But I do believe it is superior to any solution I have seen so far. It uses SSL to negotiate a secure link to the DNS servers, but unlike typical SSL it uses a particular elliptic curve to calculate the results. And while for a VPN that is considered bad, for DNS, particularly if already using the VPN, it is unimportant. Here are some details about it if you want to read up on it.
    http://dnscurve.org/crypto.html
  • So, in layman's terms, would you recommend DNSCrypt over a VPN? Is it ok to use them both together? How can I tell if my DNS searches are safe, or safer using both services? DNSCurve looks interesting but a bit too technical for me, so I am hoping that I can find some way to secure myself as best as I can using PIA's VPN and/or DNSCrypt.
  • Posts: 4,013
    In layman's terms, if you are not using the VPN it is undebatably better in every possible way. But when you connect to the VPN, you are equally safe with either. Although sticking to the VPN you may as well make it less complex and disable DNSCrypt since it makes it one more step that is not needed.

    DNSCrypt is based on DNSCurve. That is the only reason I linked in that page above.
  • Ok, now are there any benefits to running both at the same time? If DNSCrypt is taking care of my DNS server (127.0.0.1 mapped to whichever server I choose), overriding the VPN's DNS, then what is the VPN doing? I can't see (or understand) what might be happening in the background (such as your reference to DNSCurve), but I am wondering what the VPN is providing in terms of any anonymity or security during my browsing/downloading? Thanks again for your help.
  • DNSCrypt encrypts DNS (Domain Name System) requests. VPN encrypts content. They deal with two different aspects both of which are vulnerable to snooping and MITM attacks.
  • OpenDNS has a good article on DNS vulnerability:
    http://www.opendns.com/about/innovations/dnscrypt/


  • Posts: 4,013
    In several cases, it has been suggested that Elliptic-Curve cryptography can in many cases be compromised. But DNSCrypt is not one such case. They chose the curve to use on their own, with no input from the NSA like with other projects.

    See this for details of the weak keys.
    https://www.privateinternetaccess.com/pages/vpn-encryption#ecc_warning

    It took me forever to find the page since it has all but ceased to exist from the site and I could not remember what terms to use in my search, so I searched for "encryption" and an hour later I found it. Lol. I bookmarked it now for later use.