Getting Started With DNSCrypt On Windows

DNSCrypt is a new protocol for DNS queries that adds authentication to regular lookup traffic. It helps prevent DNS spoofing by using elliptic-curve cryptography to verify that responses have not been tampered with in transit. Although queries are technically encrypted, DNSCrypt only guarantees authentication, not confidentiality: nothing prevents the resolver from logging your queries, and request/response sizes and timestamps are often enough to fingerprint a user.


1. Download dnscrypt-proxy

This application is provided by dnscrypt.org and can be downloaded here. As of the time of writing, the latest version is 1.3.3. Since this guide is for Windows, download dnscrypt-proxy-win32-1.3.3.zip.

2. Extract dnscrypt-proxy
Open your downloaded file and extract the contents to your installation location; I placed them in C:/Program Files/DNSCrypt. There should be three files: dnscrypt-proxy.exe, hostip.exe, and libsodium-4.dll.

3. Install the service
Open the location of your dnscrypt-proxy.exe and Shift + right-click somewhere in the folder. In the menu, choose “Open command window here”. In the command line that opens up, type:

dnscrypt-proxy.exe --install

This will install the service, meaning you won’t need to start the program every time you restart your computer. Should you ever want to remove the service, follow the same steps as above but instead type:

dnscrypt-proxy.exe --uninstall

4. Set up the DNS provider in the registry
The dnscrypt-proxy service reads its settings from the Windows registry. For this guide, we will use the CloudNS resolvers. First, open the registry editor by opening the start menu and searching for “regedit.exe”. Open it and you should see something like this:
(Screenshot: the Registry Editor window)
Note: Be very careful about editing things in the registry. You can mess up your computer badly.

Now we need to find this particular entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters
It’s fairly straightforward to get to; just click through as if they were regular folders. You might need to create the Parameters key. If so, right-click the dnscrypt-proxy entry, choose New -> Key, and name it “Parameters”.
After this we set up the actual options for the proxy by creating string values under the Parameters key, as you can see in this screenshot:

(Screenshot: dnscrypt-proxy settings under the Parameters key in the Registry Editor)

For each setting, right-click in the Parameters key, choose New -> String Value, and type in the name of the setting. Then double-click the new value and type in the desired data. Here are the settings I used:
LocalAddress 127.0.0.1
ProviderKey 1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4
ProviderName 2.dnscrypt-cert.cloudns.com.au
ResolverAddress 113.20.6.2:443

5. Change your connection settings
These are the basic settings we need. Now we can close the registry editor and change the network settings in Windows to use the IP address we specified in the registry (which in this case is 127.0.0.1).
(Screenshot: the Windows network connection properties, with the preferred DNS server set to 127.0.0.1)

Basically, just follow my MS-Paint guide above to set your DNS server to be your new proxy. The alternate DNS server can be whatever other DNS server you want to fall back on. I use one from the OpenNIC project. After you’re done, restart your computer and flush your DNS cache by opening a command line like we did earlier (it’s easiest to just Shift+right-click on the desktop) and type the command:

ipconfig /flushdns

Now you should be ready to go! If you want to test that everything is working, type this at the command line:

nslookup google.com

The output should look something like this:
(Screenshot: nslookup output, with 127.0.0.1 reported as the server)
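The following PowerShell script is an added example and is not part of the original guide or the dnscrypt-proxy project; it automates steps 4 and 5 and the nslookup check from an elevated prompt. It uses the registry path and CloudNS values given above, assumes the service installed in step 3 is named dnscrypt-proxy and that the machine runs Windows 8 or newer (for the DnsClient cmdlets), and, following the author's advice in the comments, makes the proxy the only resolver instead of adding a plaintext fallback server.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: automates steps 4 and 5.
# Assumes "dnscrypt-proxy.exe --install" (step 3) has already been run.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters'
# The CloudNS settings listed in step 4 of the guide.
$settings = @{
    LocalAddress    = '127.0.0.1'
    ProviderKey     = '1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4'
    ProviderName    = '2.dnscrypt-cert.cloudns.com.au'
    ResolverAddress = '113.20.6.2:443'
}

# Step 4: create the Parameters key if it is missing, then the four string (REG_SZ) values.
if (-not (Test-Path $params)) { New-Item -Path $params -Force | Out-Null }
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $params -Name $name -Value $settings[$name] `
        -PropertyType String -Force | Out-Null
}
Restart-Service -Name 'dnscrypt-proxy'   # make the service re-read its settings

# Step 5: point every connected physical adapter at the proxy. Wired and wireless
# are both covered (one commenter below had only changed one of them), and
# 127.0.0.1 is the only server, so no query can fall back to a plaintext resolver.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '127.0.0.1'
}
Clear-DnsClientCache   # equivalent of "ipconfig /flushdns"

# Verification, in place of reading the nslookup output by eye.
$svc = Get-Service -Name 'dnscrypt-proxy'
if ($svc.Status -ne 'Running') { throw "dnscrypt-proxy service is $($svc.Status), not Running" }
foreach ($nic in $adapters) {
    $srv = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    $other = @($srv | Where-Object { $_ -ne '127.0.0.1' })
    if ($srv -notcontains '127.0.0.1' -or $other.Count -gt 0) {
        Write-Warning "$($nic.Name): DNS servers are [$($srv -join ', ')], expected only 127.0.0.1"
    }
}
# One query sent straight to the proxy; an error here means the proxy or the
# upstream resolver is not answering (the "no internet" symptom in the comments).
$answer = Resolve-DnsName -Name 'google.com' -Type A -Server '127.0.0.1' -ErrorAction Stop
$ips = ($answer | Where-Object QueryType -eq 'A').IPAddress -join ', '
"Resolved google.com through 127.0.0.1 -> $ips"
```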

If you run into any problems, leave a comment or send me a message!

26 thoughts on “Getting Started With DNSCrypt On Windows”

  1. Hi, thanks for the post. Great info. I have one question: what is the difference between the dnscrypt-proxy-win32-full-1.3.3.zip and dnscrypt-proxy-win32-1.3.3.zip installation packages? Thanks.

    1. I believe the ‘full’ package includes the source code and some extra plugin files. The source is obviously there for compiling it yourself, but I’m not familiar with what the plugins do exactly.

  2. This works for devices that access the internet via wi-fi, right? I use DNSCrypt to unblock websites and it worked perfectly. It’s still working on my computer, but not anymore on my cellphone. It worked before, then suddenly got blocked again. What should I do?

    1. It doesn’t matter if it’s wired or wireless, so something else must have changed. Either DNSCrypt is not set up correctly or the blocking mechanism is different now. I’m not familiar with configuring a cellphone to use it, but I would try to check whether the DNS lookups are being done through the proxy with whatever your phone’s equivalent of nslookup is.

      1. That was my fault, I changed the DNS on my iPhone exactly the same as yours, it’s fixed, and now it happens to me AGAIN.
        This time I didn’t do anything, but the same websites are blocked again.

    1. Hey, it looks like they released a new version of the proxy, so I’m going to need to update the guide. They seem to have made it a lot easier to install, so you should be able to follow the documentation here without any problems.

      Edit: Actually, I’m having trouble getting 1.4.0 to work, and other people are too (from what I see on GitHub). I would stick to 1.3.3 for now.

  3. Hi dominustemporis, your guide is wonderful but, at point three, when I try to install the service with the command “dnscript-proxy.exe –install”, Windows 8.1 tells me this: ERROR unable to install the service!!! Why???
    Waiting for your answer... thanks.

    1. The error message is pretty generic, but my first guess would be that you might need to run the command with an elevated command prompt. On Windows 8.1, you should be able to press the Windows key + the X key and select “Windows Command Prompt (Admin)” or something along those lines. Alternatively, you can search for “cmd.exe” in the start menu and run it as Administrator from there.

  4. Seems to work OK; my only issue is I have a VPN router with DD-WRT. The test shows my server and IP instead of the host 127? My server address does not get out, as that is masked by the VPN. The 3rd and 4th lines are similar to your test. The DNS leak test shows the chosen resolver from nslookup, as do the DNS leak tests. Should I be concerned, is something amiss?

  5. Turns out the local area connection was only one part. The other was the wireless network connection to the router, which also needed to be changed to 127.0. Once I changed the wireless connection, it came up as in your instructions. Thanks for the great instructions.

  6. Hi. Just wondering, as you’re using an alternate DNS, if you can set that up through DNSCrypt also? Is there a way of testing that your DNS requests are encrypted? And I’ve read there’s a fallback option to an unsecured DNS without the user even knowing about it; does this option exist in DNSCrypt so it can be turned off?

    thanks

    1. DNSCrypt doesn’t support adding an alternate DNS server, although that would be a nice feature to have. You might be able to run a second instance of the proxy on another address/port, but I haven’t played with that.

      If you set the dnscrypt-proxy address as your only resolver, then it should not fall back to an unsecured connection. If you want to test your setup in addition to using nslookup, you could use something like Wireshark to inspect the DNS traffic.

  7. Hello.
    I’m sorry for my English.
    I tried to install DNSCrypt on a PC with the DNS setting on the router. When I set the DNS server to 127.0.0.1 I can no longer connect to the Internet. Is something wrong?
    Thank you.

  8. I noticed that if, instead of entering 127.0.0.1, I enter 192.168.1.1 (the router IP), the internet works again, but I do not know if DNSCrypt is working.
    Help me please.

    1. It sounds like the DNS server or the proxy is not working. When you enter your router IP, you’re switching to the DNS server it provides (typically from your ISP by default).

  9. When I run Simon Clausen’s Windows Service Manager it shows the service as Enabled. Excellent and easy to use. However, if I run the dnscrypt-winclient, the command prompt window initially shows the certificate is valid and the proxy service is running fine, but soon thereafter it shows errors – connection reset by the server, or words to that effect.
    I have opened port 1194 in my firewall but this did not seem to help.
    My question is, when using Simon’s simple gui interface, how do I know if the service is working correctly?
    Thanks.

  10. sorry, I should have put the proper error msg above:
    [NOTICE] Proxying from 127.0.0.1:53 to 176.56.237.171:443
    [WARNING] recvfrom(client): [Connection reset by peer [WSAECONNRESET ]]

    1. I haven’t seen that message in the context of dnscrypt, but it’s generally an indication of a server-side problem. Have you tried connecting to a different DNS provider?

      1. Yes, I have tried every server in the list and they all generate the error. I suspect it is an SSL error but have no idea how to fix it on my side. The problem is, if you install the service you do not see error messages. But if you run it from the Windows GUI then the command box it opens shows the error messages. I suspect many people are running this oblivious of the errors. If I do a Leak Test, it shows the correct server, but does not prove that my dns queries are still encrypted, only that they are being resolved by that server.

        1. The proxy won’t send a query without encrypting it, so as long as it’s the only resolver configured on your computer you should be fine.

          Edit: Have you seen this issue on Github? It looks like it could be similar.

  11. I need some help. After selecting OpenDNS, the registry key access failed.
    This is the error message: “HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Services\dnscrypt-proxy\Paramètre”
