Installing DNSCrypt on Windows
04-11-2014, 01:54 AM, (This post was last modified: 04-11-2014, 05:15 PM by 4cc.)
Installing DNSCrypt on Windows

This is for a basic beginner DNSCrypt installation on Windows, with no other add-ons (such as third-party DNS caching). It took us a few hours to install, debug, test, and document, but it should not take so long for most people. See Temp9's message below - there is a "DNSCrypt Windows Service Manager" program that can make your DNSCrypt setup much easier, especially for home users. If you don't have excessive layers of security like our network did, it will be a lot easier to install DNSCrypt with that manager program.

This came about from a recommendation by Temp9 at
This setup requires technical experience with IP configs and DNS. It will 'break' your current Internet connection and make a new one with different settings. Don't do it if you don't know how to repair your IP settings to their working condition, in case this install does not work on your network. Always document your current settings before changing them.

Download from

What will you gain by using DNSCrypt?

Encrypting DNS requests is useful because it:
1. prevents manipulation of your DNS requests (MITM)
2. prevents recognition of DNS requests (spying)
3. prevents logging of DNS requests (spying or selling of your data)
4. secures communications between a client and its first-level resolver.

So DNSCrypt can prevent Man-In-The-Middle (MITM) attacks using DNS trickery, for example by your ISP, employer, or hijackers. (But this has nothing to do with browser HTTPS - it is for DNS only.)

DNSCrypt wraps all DNS traffic with encryption.
DNSCrypt does not use the same crypto library as SSL (browser HTTPS).

What do you lose by using DNSCrypt?

1. Your local firewall logs no longer show your DNS server IP - instead they show on port 53.
2. There is no local log or visibility of what DNSCrypt is doing. There is no logging available for the Windows version of DNSCrypt (or at least we don't know of any yet). You can monitor just the DNS cache via ipconfig /displaydns, but this is not efficient long-term.
3. We do not know who wrote the DNSCrypt software, or whether it contains any spyware or phones home. This is the same problem with all software.

Your ISP will be able to see your computer has traffic going to your chosen DNS Server, but will not be able to intercept or log what site address you are asking for, because that part is encrypted by DNSCrypt.

But as soon as you go to the website whose address you just asked DNS to provide, your ISP can log your browser activity. DNSCrypt only protects and hides your DNS questions, not your browser activity.

The DNSCrypt default setup uses the popular OpenDNS Resolver servers, although this guide will show you how to insert any other DNS Resolver that supports the DNSCrypt protocol, which is based upon elliptic-curve cryptography. But it is better security to select a Resolver that includes DNSSEC and keeps no logs.

Follow the install directions here:

In his step 4 we could not get his chosen Resolver to work (in Parameters), but we got this one working:
OpenNIC (no logs) Japan
Server address
Provider name
Public key 8768:C3DB:F70A:FBC6:3B64:8630:8167:2FD4:EE6F:E175:ECFD:46C9:22FC:7674:A1AC:2E2A (no wrap)

There are other free Resolvers listed at, and Temp9 recommended this one

We had to reboot after installation and testing changes. But for troubleshooting we found we could avoid some reboots by checking all the places that can interfere with your new DNS settings:

1. Registry settings for DNSCrypt (as in the instructions above)
2. Windows network connection (disable and enable to reset)
3. Firewall settings, are they blocking your new DNSCrypt?
4. Peerblock may be confusing the issue during troubleshooting
5. Run ipconfig /flushdns (in a cmd window).
6. Stop and restart the DNSCrypt service.
7. If you use a hosts file, it still works like always.
8. ipconfig /displaydns will temporarily log your DNS resolutions; you can see DNSCrypt results here.
9. Windows DNS Client service - leave it on. If you disable it there is no DNS caching and no displaydns log. (DNSCrypt does no caching of its own, so if you disable the Windows DNS Client, incoming queries will not be cached and every single query will require a round-trip to the upstream Resolver.)
10. Firefox also runs its own DNS cache, which interferes with testing and has no visibility, so we disabled it with these instructions; other browsers have their own way.

Here is a test that claims to tell you if your ISP is proxying your DNS queries:
But there are other ways to intercept your DNS, which is why we should use DNSCrypt, all things considered.

If someone cares to simplify this and write better English, please do so and delete this one.
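The troubleshooting checklist above, as an added PowerShell script that is not part of the original post and not part of DNSCrypt itself. It snapshots the current DNS client settings before anything is changed (the guide's first rule), then walks the checks: service state, whether anything is actually bound to the local DNS port, whether every active adapter points at the proxy, a flush, a query forced through the proxy, and the cache entry that results. Assumptions, since the post does not give them: Windows 8 / Server 2012 or later (for the DnsClient and NetTCPIP cmdlets; on Windows 7 use ipconfig and netstat instead), an elevated prompt, and the service name and listen address of your DNSCrypt install. The defaults in the param block are placeholders, not values from the guide; change them to match your installer.

```powershell
# Added example (not from the original post): a PowerShell walk through the
# troubleshooting checklist. Assumptions: Windows 8+/PowerShell 3+, run as
# Administrator, and a DNSCrypt service name and listen address supplied by you.
param(
    [string]$ServiceName   = 'dnscrypt-proxy',  # assumption: check Get-Service for the real name
    [string]$ListenAddress = '127.0.0.1',       # assumption: proxy listens on loopback
    [int]   $ListenPort    = 53,
    [string]$TestName      = 'example.com',
    [string]$BackupPath    = "$env:USERPROFILE\dns-settings-before-dnscrypt.txt"
)

$upAdapters = Get-NetAdapter | Where-Object Status -eq 'Up'

# 1. Document the current settings before touching anything.
$upAdapters |
    ForEach-Object { Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 } |
    Format-List InterfaceAlias, ServerAddresses |
    Out-String | Set-Content -Path $BackupPath
Write-Host "Saved current DNS server settings to $BackupPath"

# 2. Is the DNSCrypt service installed and running? (checklist item 6)
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "No service named '$ServiceName'; check Get-Service for the name your installer used."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is $($svc.Status); restarting it."
    Restart-Service -Name $ServiceName
}

# 3. Is anything actually bound to the address the adapters will be pointed at?
$udp = Get-NetUDPEndpoint -LocalPort $ListenPort -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalAddress -in @($ListenAddress, '0.0.0.0') }
if (-not $udp) {
    Write-Warning "Nothing is bound to UDP ${ListenAddress}:${ListenPort}; the proxy is down or listens elsewhere."
} else {
    $owner = (Get-Process -Id $udp[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host "UDP port $ListenPort on $ListenAddress is owned by process '$owner'"
}

# 4. Does every active adapter send DNS to the proxy? (checklist items 1-2)
$upAdapters |
    ForEach-Object { Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 } |
    ForEach-Object {
        if ($_.ServerAddresses -contains $ListenAddress) {
            Write-Host "$($_.InterfaceAlias): DNS -> $ListenAddress (ok)"
        } else {
            Write-Warning "$($_.InterfaceAlias): DNS -> $($_.ServerAddresses -join ', ') (bypasses DNSCrypt)"
        }
    }

# 5. Flush the cache (item 5), query the proxy directly, then look at the cache (item 8).
Clear-DnsClientCache   # equivalent of ipconfig /flushdns
$answer = Resolve-DnsName -Name $TestName -Server $ListenAddress -Type A -ErrorAction SilentlyContinue
if ($answer) {
    $ips = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
    Write-Host "$TestName via ${ListenAddress}: $ips"
} else {
    Write-Warning "Query to $ListenAddress failed: check the firewall (item 3) and the resolver Parameters (key, provider name)."
}
Resolve-DnsName -Name $TestName -Type A | Out-Null   # normal path through the Windows DNS Client, populates the cache
Get-DnsClientCache -Name $TestName |                 # equivalent of ipconfig /displaydns, filtered to the test name
    Format-Table Entry, RecordType, Data, TimeToLive -AutoSize
```

Run it once before enabling DNSCrypt so the backup file captures the working settings, and again after each change; the warnings point at the checklist item to revisit. Item 10 (the browser's own cache) is outside what the script can see, so keep it disabled while testing as the post describes.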
04-11-2014, 01:54 PM, (This post was last modified: 04-11-2014, 02:03 PM by temp9.)
RE: Installing DNSCrypt on Windows
That's a nice guide! Certainly more extensive than anything I could ever have done. Thanks.

Just a note here that you don't need to install anything except DNSCrypt in order to use the DNSSEC resolvers - just pick one. All the work is done on the resolver's end. So that simplifies the process. At least that's the case with Windows.

I'll tell folks how easy it was for me, using on my Windows machine.

I downloaded the "DNSCrypt Windows Service Manager" from the link on ran it as Administrator, selected the network adapter, chose a server, and clicked Enable. That's it. I don't recall if I even had to reboot. It was surprisingly simple and effective.

You can see a picture of the UI on this page:

ETA: I second the use of it's a good site to check your DNS resolver. There is another one here that is run by AirVPN:

Again, thanks for the guide. DNSCrypt is not a magic bullet that solves all security issues or anything, but it's a nice addition to your privacy and security tools.
04-11-2014, 05:30 PM, (This post was last modified: 04-12-2014, 06:28 AM by 4cc.)
RE: Installing DNSCrypt on Windows
Thank you Temp9, the references to DNSSEC were removed, because we now understand that DNSSEC is not something the user has to add. It is automatic in Windows versions 7 and greater, and lower versions of Windows won't use any DNSSEC, but they also do not break if DNSSEC is present.

Also we tried the 'DNSCrypt Windows Service Manager' on another computer, and it is easier, as it does all the registry and IP changes for you, and it is much easier for testing out different Resolvers. However, it does phone home to at every load; what data it is sending is unknown.

