DNSCrypt On Windows

January 2018: DNSCrypt has come a long way in the years since my guides were written. The version 2.0 beta was recently released with a large number of new features and is very easy to install, and graphical front-ends and installers now make it simpler still to get up and running. I will leave my guides up for posterity, but I consider them deprecated at this point.

This is an update to my original article, Getting Started With DNSCrypt On Windows. With the release of version 1.4.0, it’s much simpler to install the dnscrypt-proxy service.

Note: Also see this post about using ephemeral keys.

To start, download the latest version of DNSCrypt from here. At the time of writing, that would be “dnscrypt-proxy-win64-full-1.9.1.zip”. From that archive, extract the content of the bin folder; there should be six files. You can place them anywhere on your computer, but I am going to place them in “C:\Program Files\DNSCrypt\”.


Next, open an elevated command prompt. On Windows 8.1, press Win-X and choose “Command Prompt (Admin)”. On Windows 7, search the Start menu for “cmd”, right-click cmd.exe, and select “Run as administrator”. From there, navigate to where you placed the DNSCrypt files with the “cd” command followed by the path, so in this example you would run:

cd "C:\Program Files\DNSCrypt"


From there, we prepare to install the proxy service. First, you need to select a DNS provider. You may have noticed a file called dnscrypt-resolvers.csv in the download. It lists the DNS providers that support DNSCrypt: for each one it gives a short name, description and location, whether it validates DNSSEC, whether it claims to keep no logs, and whether it supports Namecoin, along with the resolver's IP address and the provider's public key, which the proxy uses to verify the certificate the resolver hands out. Pick one that suits you (a resolver that logs queries still protects you from eavesdropping and tampering in transit, but not from the provider itself) and copy the value in the first column. We are going to use CloudNS, so the name I need is “cloudns-can”. Now that we have a DNS provider, we test that the proxy can connect using this command:

dnscrypt-proxy.exe -R "cloudns-can" --test=0

If all goes well, you will get an output similar to this:


[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is 1625:444B: ... :DBF8:5B48

If not, pick another name and try again. Once it works, you can install the service. The command is the same except that --test=0 becomes --install, and you should also pass the full path to the resolver list with -L: the service does not run from this folder, and without the path it can fail to read dnscrypt-resolvers.csv (the “Unable to read dnscrypt-resolvers.csv” error that several commenters hit). As of release 1.9.1, a caching plugin is also included, so we can enable it by adding --plugin=libdcplugin_example_cache.dll to the command.

dnscrypt-proxy.exe -R cloudns-can -L "C:\Program Files\DNSCrypt\dnscrypt-resolvers.csv" --plugin=libdcplugin_example_cache.dll --install

You should see something like this output to the terminal:


[INFO] The dnscrypt-proxy service has been installed and started
[INFO] The registry key used for this service is SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters
[INFO] Now, change your resolver settings to 127.0.0.1:53

As indicated, set 127.0.0.1 as the DNS server on your network adapter and you are done (the original article has step-by-step instructions). Leave the alternate DNS server field empty: if a second server is listed, Windows falls back to it, unencrypted, whenever the proxy fails to answer, and nothing tells you. The same goes for IPv6: if the adapter has IPv6 enabled and learns a DNS server from your router, lookups can bypass the proxy entirely, so either uncheck IPv6 on the adapter or configure the proxy to listen on ::1 as well (see the IPv6 discussion in the comments). For reference, here is what my terminal screen looked like after I was done:
[screenshot: terminal after the install completed]
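The whole procedure above, checked end to end, as an added PowerShell script that is not part of the original post or of the dnscrypt-proxy project. It assumes the service name dnscrypt-proxy and the Parameters registry key from the install output, the value names ResolverName, ResolversList and LocalAddress (LocalAddress is the one named in the comments; the other two follow the 1.x Windows service and are an assumption here), the resolver list's “Name”, “DNSSEC validation” and “No logs” column headers, and an adapter called “Ethernet”; adjust the parameters for your machine. Beyond the nslookup test, it guards against the two ways lookups silently go out in the clear that readers report in the comments: a secondary DNS server on the adapter, and an IPv6 resolver learned from the router.

```powershell
# Added post-install check for the dnscrypt-proxy 1.x Windows service.
# Example code, not the author's or the project's. Assumptions: service name
# "dnscrypt-proxy"; its settings under the Parameters key named in the install
# output; value names ResolverName/ResolversList/LocalAddress; CSV columns
# "Name", "DNSSEC validation" and "No logs". Run from an elevated PowerShell.
param(
    [string]$InterfaceAlias = 'Ethernet',   # adapter to pin to the proxy (assumed name)
    [string]$ProxyAddress   = '127.0.0.1',  # the proxy's LocalAddress
    [string]$TestName       = 'example.com'
)

$svcName  = 'dnscrypt-proxy'
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters"

# 1. The service must be running. A stopped proxy plus any other configured
#    resolver means Windows quietly falls back to plaintext DNS.
$svc = Get-Service -Name $svcName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "$svcName is $($svc.Status); start it before relying on it"
}

# 2. Read what the service was installed with.
$p = Get-ItemProperty -Path $paramKey
Write-Host "Resolver: $($p.ResolverName)  listening on: $($p.LocalAddress)"

# 3. Cross-check the resolver's advertised properties in the list it was installed from.
if ($p.ResolversList -and (Test-Path $p.ResolversList)) {
    $row = Import-Csv -Path $p.ResolversList | Where-Object { $_.Name -eq $p.ResolverName }
    if ($row) {
        Write-Host "DNSSEC validation: $($row.'DNSSEC validation')  No logs: $($row.'No logs')"
        if ($row.'No logs' -ne 'yes') { Write-Warning "$($row.Name) does not claim a no-logging policy" }
    }
}

# 4. Pin the adapter to the proxy only. Do not add a secondary server: Windows
#    uses it unencrypted whenever the proxy is slow or down.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ProxyAddress
Clear-DnsClientCache   # stale cached answers otherwise mask a misconfiguration

# 5. Leak check across every adapter and both address families. A router that
#    advertises itself as an IPv6 resolver bypasses the proxy entirely; that is
#    the "Server: dsldevice.lan" symptom from the comments.
$leaks = Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $ifc = $_
        $ifc.ServerAddresses | Where-Object { $_ -notin @('127.0.0.1', '::1') } |
            ForEach-Object { "$($ifc.InterfaceAlias) (family $($ifc.AddressFamily)): $_" }
    }
if ($leaks) {
    Write-Warning "Non-loopback DNS servers still configured:`n$($leaks -join "`n")"
} else {
    Write-Host 'Only loopback resolvers are configured.'
}

# 6. Ask the proxy directly (-DnsOnly skips the hosts file and the local cache).
$answer = Resolve-DnsName -Name $TestName -Type A -Server $ProxyAddress -DnsOnly -ErrorAction Stop
$ips = $answer | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
Write-Host "$TestName via $ProxyAddress -> $($ips -join ', ')"

# 7. OpenDNS-specific confirmation: its debug TXT record reports "dnscrypt enabled"
#    only when the query arrived over DNSCrypt.
if ($p.ResolverName -match '^(cisco|opendns)') {
    $txt  = Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -Server $ProxyAddress -DnsOnly
    $flag = $txt.Strings | Where-Object { $_ -match 'dnscrypt enabled' }
    if ($flag) { Write-Host "OpenDNS reports: $flag" }
    else       { Write-Warning 'OpenDNS did not report dnscrypt enabled; queries may not be encrypted' }
}
```

Save it under a name of your choosing (Test-DnsCryptProxy.ps1 is assumed here) and run `.\Test-DnsCryptProxy.ps1 -InterfaceAlias 'Wi-Fi'` from an elevated PowerShell prompt. For a stronger negative test, run `Stop-Service dnscrypt-proxy` and repeat the `Resolve-DnsName` call without `-Server`: it must now fail, not succeed through some other resolver.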

As always, don’t hesitate to comment or send me a message if you run into any issues!

96 thoughts on “DNSCrypt On Windows”

  1. The “:53” is indicating that we should be telling the computer to connect to port 53. Since that is the default port for DNS traffic already, we don’t have to worry about that.

  2. How can I select another DNS provider? When I did it in cmd, I got the error: make sure you are using an elevated command prompt and that the service hasn't been already installed.

    1. As indicated, that error is either because you haven’t run the command prompt with administrative rights, or because the service is already installed.

      If you want to try uninstalling the service, you can run dnscrypt-proxy.exe --uninstall. Again, this must be run from an elevated-rights command prompt. Then you can reinstall with a different DNS provider.

  3. Hi. Can you give an example on how to make any plugin work?
    I’m currently getting an error like so:

    c:\usedones\dnscrypt-proxy-win32\bin>dnscrypt-proxy.exe --local-address=0.0.0.0 --resolver-name=opendns --loglevel=255 --plugin=C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll
    [NOTICE] Starting dnscrypt-proxy 1.4.0
    [INFO] Initializing libsodium for optimal performance
    [INFO] Loading plugin [C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll]
    [ERROR] Unable to load [C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll]: [The specified module could not be found.]
    [ERROR] Unable to load plugins

    c:\usedones\dnscrypt-proxy-win32\bin>

    I’ve also tried the registry key variant but service won’t start, presumably with the same/similar error(which cannot be seen, because … dnscrypt running as windows service…)

    1. I’m not near a Windows machine at the moment, but have you tried:
      1) Putting quotes around the full path to the plugin
      2) Using a relative link to the plugin, e.g. “-plugin=..\plugins\libdcplugin_example_ldns_aaaa_blocking.dll”
      3) Looking at the plugins readme, it says that a path “is not required for plugins sitting in the default plugins directory”, so you might even try just the plugin name. That actually conflicts with the Windows readme though, because that says you must have the full path…

      If none of that works, I’ll have a go and let you know what I find out.

      1. TL;DR: was missing dependency libgcc_s_dw2-1.dll
        and libeay32.dll
        which is required by libldns-1.dll
        basically, I had to copy downloaded libgcc_s_dw2-1.dll file in current folder (near dnscrypt-proxy.exe) and install Win32OpenSSL_Light-1_0_1g.exe (with putting the DLL files in Windows directory, not in openssl bin folder)

        —-long read (don’t):
        Thanks for replying. I have actually tried all that, except the quoting of the entire flag “-plugin=..\plugins\libdcplugin_example_ldns_aaaa_blocking.dll”
        but I’ll retry all now and show you how it looks:


        c:\usedones\dnscrypt-proxy-win32\bin>dnscrypt-proxy.exe --local-address=0.0.0.0 --resolver-name=opendns --loglevel=255 "--plugin=C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll"
        [NOTICE] Starting dnscrypt-proxy 1.4.0
        [INFO] Initializing libsodium for optimal performance
        [INFO] Loading plugin [C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll]
        [ERROR] Unable to load [C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll]: [The specified module could not be found.]
        [ERROR] Unable to load plugins

        c:\usedones\dnscrypt-proxy-win32\bin>dir C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll
        Volume in drive C is
        Volume Serial Number is

        Directory of C:\usedones\dnscrypt-proxy-win32\plugins

        05/05/2014 18:27 17,968 libdcplugin_example_ldns_aaaa_blocking.dll
        1 File(s) 17,968 bytes

        I’ve also tried the .a and .la instead of the .dll (specified)
        It always says not found.
        When using no path it defaults to a predefined(inexistent) path, however even after making sure I created the path and copied all the files in it, it still doesn’t find it…


        c:\usedones\dnscrypt-proxy-win32\bin>dnscrypt-proxy.exe --local-address=0.0.0.0 --resolver-name=opendns --loglevel=255 "--plugin=libdcplugin_example_ldns_aaaa_blocking.dll"
        [NOTICE] Starting dnscrypt-proxy 1.4.0
        [INFO] Initializing libsodium for optimal performance
        [INFO] Loading plugin [C:/Users/Frank/src/dnscrypt-proxy/dnscrypt-proxy-win32/lib/dnscrypt-proxy/libdcplugin_example_ldns_aaaa_blocking.dll]
        [ERROR] Unable to load [C:/Users/Frank/src/dnscrypt-proxy/dnscrypt-proxy-win32/lib/dnscrypt-proxy/libdcplugin_example_ldns_aaaa_blocking.dll]: [The specified module could not be found.]
        [ERROR] Unable to load plugins

        c:\usedones\dnscrypt-proxy-win32\bin>dir c:\users\frank\src\dnscrypt-proxy\dnscrypt-proxy-win32\lib\dnscrypt-proxy\libdcplugin_example_ldns_aaaa*
        Volume in drive C is
        Volume Serial Number is

        Directory of c:\users\frank\src\dnscrypt-proxy\dnscrypt-proxy-win32\lib\dnscrypt-proxy

        05/05/2014 18:27 17,968 libdcplugin_example_ldns_aaaa_blocking.dll
        05/05/2014 18:27 4,496 libdcplugin_example_ldns_aaaa_blocking.dll.a
        05/05/2014 18:27 1,177 libdcplugin_example_ldns_aaaa_blocking.la
        3 File(s) 23,641 bytes

        I’ve also tried one other plugin: libdcplugin_example_ldns_blocking

        same thing.

        even tried double backslashes with/without doublequotes on the specified path
        (not pasting ’cause too much spam, the error is the same tho)

        Does this have anything to do with the fact that I’m on windows 7 64bit and not 32bit? because when trying to run dnscrypt-winclient.exe I get the error like:
        libdcplugin_example.dll.a is either not designed to run on Windows or it contains an error. Oh wait, those are for .a and .la but not for the .dll however I do get this(for the .dll guessing):
        The program can’t start because libgcc_s_dw2-1.dll is missing from your computer. Try reinstalling the program to fix this problem.

        So it seems to me, that’s why dnscrypt would say file not found (erroneously if you ask me), let me try to fix this by getting that .dll
        looks like that .dll is needed for libldns-1.dll
        and also needed is: libeay32.dll

        actually now that I think about it, the error is kinda right: “[The specified module could not be found.]” except that it does refer to a different .dll than the one where the error is after, (module=dll) specifically it’s saying that: libgcc_s_dw2-1.dll module couldn’t be found

        Now I’m getting
        [ERROR] Unable to load [C:\usedones\dnscrypt-proxy-win32\plugins\libdcplugin_example_ldns_aaaa_blocking.dll]: [The specified procedure could not be found.]

        and I know it’s because it’s not loading the libeay32.dll which i put in the current folder (just like I put libgcc_s_dw2-1.dll which it does load) but rather it’s loading the one from c:\windows\syswow64\libeay32.dll
        which seems to be the same version(File Version reported in properties for both .dlls is: 0.9.8.11) except file date is from 2009.
        Now I get no error with those two in current folder with dnscrypt-winclient.exe which leads me to believe that for some reason dnscrypt is loading the one from syswow64, in which case just updating openssl should work(?) trying…
        installing Win32 OpenSSL v1.0.1g Light
        and apparently I was missing this:
        Visual C++ 2008 Redistributables
        so installing that first. (tho, I checked Add/Remove programs and I see me having both x86 and x64 versions (9.0.30729.6161)of that, even the 2005, 2010 and 2012 ones too), but regardless I’ll run the setup.
        ok it updated the syswow64 libeay32.dll to version 1.0.1.7 however the error remains:
        ah well nevermind, removing the old libeay32.dll from current folder (the .dll which is apparently working in dnscrypt-winclient.exe) makes it work.

          1. Thank you! For a great article.

            (side note: I’m not getting any notifications that someone replied, I had to visit and check manually – wondering if this is normal/expected)

  4. Hi, if i’m on a Windows pc behind a router, and the router’s DNS are set to OpenDNS servers
    a) would there be any additional benefit of installing dnscrypt-proxy on the PC?
    b) if yes, how to set it up properly in the given situation?
    c) how to verify whether it’s doing a proper job after installation?

    I couldn't find any answers relating to this so far. Hope you can help.

    1. a) Yes, it would still be useful in that case. For one thing, I seem to recall that OpenDNS logs lookup queries, so from a privacy standpoint it would be better to use a provider that doesn’t log. From a security standpoint, using DNSCrypt prevents someone from listening to or tampering with your DNS lookups in transit.

      b) You don’t need anything special when setting it up. The directions above will work.

      c) To verify, see my first post about DNSCrypt. Essentially, all you need to do is open a command prompt, run nslookup on a domain, and see that the DNS server being used is your local computer (127.0.0.1).

  5. I chose another DNS resolver. In the client, the insecure (because it logs) OpenDNS server shows up, but on the DNS Leak Test site, I can see the custom DNS server! Is DNSCrypt still working, or should I set the DNS server back to the default IP 208.67.220.220?

    1. Are you saying that you have your computer setup to use OpenDNS, but the leak test showed a DNSCrypt server? That might be something to do with the DNS cache, if you didn’t flush it after changing resolver settings. I would prioritise trusting whatever your local settings are over what the leak test site says, at least before clearing your cache.

  6. Hi, if I have a Windows Server box and I set it up as a DNS server (forwarders to, say, OpenDNS), is it possible to set up DNSCrypt on that server, and then set up all the other networked client PCs to get DNS from that Windows Server box (and still encrypted)?

    1. I have not personally used Windows for a DNS server, so I can’t comment on any specifics, but you should be able to set up your Windows box to forward requests to the DNSCrypt proxy. You might look at the readme section about using DNSCrypt with a cache, as it will likely be a similar setup.

      The encryption between the proxy/forwarder server and the DNS provider would still work fine in that setup.

  7. So I’ve set up the latest 1.4 package, and everything looks like it worked according to your guide. I’ve flushed DNS via ipconfig and then did /renew and then ran an nslookup on google.com and got the following….

    1.1.168.192.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    Server: UnKnown
    Address: 192.168.1.1 this is my router IP

    Non-authoritative answer:
    Name: google.com
    Addresses: 2607:f8b0:4009:805::1008
    173.194.35.46
    173.194.35.35
    173.194.35.32
    173.194.35.36
    173.194.35.33
    173.194.35.38
    173.194.35.39
    173.194.35.34
    173.194.35.40
    173.194.35.37
    173.194.35.41

    From what I can tell it is not working. Suggestions?

    1. You might try running
      nslookup google.com 127.0.0.1
      to manually check against the proxy. It could be that it’s falling back to your router, so if it can’t connect it should error out.

  8. Running nslookup google.com 127.0.0.1 I get the following…

    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.invalid
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    (root) ??? unknown type 41 ???
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: google.com
    Addresses: 2607:f8b0:4004:806::1007
    173.194.46.72
    173.194.46.66
    173.194.46.68
    173.194.46.78
    173.194.46.70
    173.194.46.71
    173.194.46.64
    173.194.46.67
    173.194.46.65
    173.194.46.73
    173.194.46.69

    So this would mean that it is working, but going to my router first as nslookup google.com still returns my previous result?

    1. I found and installed a DNScrypt GUI and found that it was not binding to my NIC. Using the GUI I set it and now DNS resolved through local host. All is well!

  9. Everything went according to the guide, but when I set my DNS to 127.0.0.1 and try nslookup I get:

    DNS request timed out.
    timeout was 2 seconds.
    Server: UnKnown
    Address: 127.0.0.1

    DNS request timed out.
    timeout was 2 seconds.

  10. Changed the name in the registry, restarted the service, same thing. Tried 3 different DNS servers. Bad luck? But the --test=0 check succeeds?

  11. Just installed this as a windows service on my always on computer, changed the registry settings to the local IP, added a firewall exception and now my router (with DNS caching) can use DNSCrypt with opendns. Awesome!

  12. [ERROR] Unable to read [\C:\Users\Narender\Downloads\DNSCrypt Windows Service Manager\dnscrypt-resolvers.csv]

    it shows error while installing proxy service.

    1. That error means it can’t read/understand the .csv file that contains information about the different DNSCrypt providers. Unless you explicitly tell it otherwise when installing, the proxy service looks for that file in the same folder as the .exe, so make sure it exists there. It’s also possible that it got corrupted somehow, so you might try extracting it from the archive again. If you need to open it to look at the resolvers, I also recommend doing that in Notepad/Wordpad and not Excel because it can do strange things to .csv files sometimes.

  13. This is maybe a stupid question, but does getting DNSCrypt on my computer actually change my IP address from the internet's point of view?

    1. It doesn’t change your IP address like a VPN/proxy. It encrypts the request/reply when you look up DNS record. When you type in somewebsite.com into your browser, your computer has to look up the IP address of the server for that website. Normally these can be seen (and possibly modified) by your ISP or a malicious attacker. DNSCrypt establishes a secure connexion between you and the DNS server, meaning that the queries aren’t being tracked or changed. Of course, that still doesn’t prevent the DNS provider from logging your queries, so keep that in mind too.

  14. hey, thank you for a great tutorial :) also if I may ask… Is it possible to use dns crypt without opendns service? Or its more pointless that way without opendns? thx in advance

    1. Yes, there are quite a few providers other than OpenDNS. When you download the dnscrypt package, it includes a text file with a list of DNS providers. You can just specify the name from that file when installing, or specify the details yourself if the provider you want is not included.

  15. …\dnscrypt-proxy.exe --resolver-name=cloudns-can --resolvers-list="C:\Program Files\dnscrypt-proxy-win32\bin\dnscrypt-resolvers.csv" --install
    [ERROR] Unable to install the service
    [ERROR] Make sure that you are using an elevated command prompt and that the service hasn't been already installed

    THANKS FOR YOUR HELP FRIEND :)

  16. hi there,
    so I decided to go for it and secure my network, however it kinda failed – http://i.imgur.com/wmERkll.png?1
    could someone of you help me out, please?
    I also tried to go with Simon Clausen’s Windows Service Manager but no luck with that either (program wont even start – maybe coz I run Win7 x64?) also one more question if I may: if I would go with that outdated official dnscrypt gui and I would replace all the fails from latest dnscrypt-proxy… do I have any chance of success ?

    1. This is not a silver bullet, man.

      ISP uses not so trivial or stupid censorship tool now. You need a good tor-based solution.

  17. How does one confirm that their DNS requests are now indeed being encrypted from computer besides using NSLOOKUP to Google and seeing that it used the local loopback address to get there?

    It seems there are several ways (if you're not careful during setup) that DNS requests could still be routed in an unencrypted state outbound from your PC.

    For example, if you fill in a secondary DNS server on the network card you would be unaware that your requests are being sent unencrypted if the computer felt the need to fall back to the secondary DNS server settings. Also, you would probably never know that something may have gone wrong with the DNSCrypt Proxy service or .CSV file list at some point along the way.

    In any case, I would be interested in hearing of different ways that someone could do a spot check for visual confirmation that traffic is indeed being encrypted and that something hasn’t occurred within the configuration which may compromise the settings found here in this document.

    The only thing that comes to mind as a way to check would be for those savvy enough to dig into the Firewall Logs. I haven’t looked at this point but I wonder if you could see Outbound requests over 443 heading towards whatever Resolver Name/IP was chosen during the install of the Service.

    Thanks and great article by the way

    1. I think the easiest way to check if lookups are encrypted is to stop the dnscrypt-proxy service and try visiting a webpage. If you were technically-inclined, you can also fire up something like Wireshark/Windump and capture packets sent on port 53 (or whatever port the DNS server is using). If you can see the domain being requested in the capture, then obviously something is wrong.

  18. So, here’s the thing. I use Windows. I want to use DNSCrypt, but I come here and see all this “type this” instruction sort of stuff. That’s exactly why I don’t run Linux, so the end result is that I’m not using this. Until this thing runs auto-pilot you can safely bet everything you own that most people are just going to close this and go somewhere else.

  19. I installed DnsCrypt on my laptop. I already have OpenDNS set on my router. I am trying to figure out if DnsCrypt is functioning properly(I think it is). Possibly you can give me some insight? This is the output I get when I run a nslookup for newegg.com
    C:\windows\system32>nslookup newegg.com
    1.0.0.127.in-addr.arpa
    primary name server = localhost
    responsible mail addr = nobody.inv
    serial = 1
    refresh = 600 (10 mins)
    retry = 1200 (20 mins)
    expire = 604800 (7 days)
    default TTL = 10800 (3 hours)
    (root) ??? unknown type 41 ???
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: newegg.com
    Addresses: 216.52.208.187
    204.14.213.187

  20. dear Dominus Temporis,

    would you please confirm/disprove chris’ considerations? (#comment-2897). I believe windump would come in handy.

    ps. please, update your article once again due to the issue #151 :)

    1. For clarity, I replied above to Chris’ comment. I don’t think I’ve ever run into issue #151. Does it happen even when you specify the full path to resolvers.csv during installation?

      Edit: Actually, I did some testing and I only have that problem when I don’t explicitly specify the path to the resolver list, which was already in the guide.

  21. If i want to use Unbound, how to add this command?
    # dnscrypt-proxy --local-address=127.0.0.1:40 --daemonize

    Since to install DNSCrypt using this command.
    dnscrypt-proxy.exe -R cloudns-can -L "C:\Program Files\DNSCrypt\dnscrypt-resolvers.csv" --install

    Can i add additional command directly like this?
    dnscrypt-proxy.exe -R cloudns-can -L "C:\Program Files\DNSCrypt\dnscrypt-resolvers.csv" --install --local-address=127.0.0.1:40 --daemonize

    1. I haven’t messed around with Unbound before, but I believe you are correct in using dnscrypt-proxy.exe -R cloudns-can -L "C:\Program Files\DNSCrypt\dnscrypt-resolvers.csv" --install --local-address=127.0.0.1:40 --daemonize

  22. Hi, I’m using DNSCrypt with Windows Service Manager. The problem is that sometimes I suddenly lose internet, either in the browser I'm using at that moment or entirely. I don't know what causes this; I changed to another DNS resolver but it's the same. Maybe I should check the TCP box in WSM instead of UDP?

    1. You can try using TCP, but if you’re having issues with your connection dropping it’s unlikely to help. It sounds to me like general internet troubles.

  23. But with my ISP’s dns this wasn’t happening. It’s like I’m watching movie and player suddenly stops and other sites aren’t loading also, then if I do troubleshooting on Network Access when it finishes it says “what type of networking problems are you having?” and with this internet connection is back again. It’s some mystery to me and this happened only when I began using DNSProxy. I’m thinking that maybe it needs some windows services to work properly, myself I have disabled Dns Client and some other services in windows because of security concerns.

  24. Excellent article, I just have one question:
    If I wanted to run a secondary dnscrypt resolver, for example both cloudns-can and cloudns-syd how would I do so?

  25. I too have OpenDNS set in the router – and now I apparently have dnscrypt.eu working. According to OpenDNS Updater I am not using OpenDNS. In Adapter Properties Preferred DNS Server is 127.0.0.1.
    (I’ve got a line fault with painfully-slow connection and frequently none, so I’m not going to run any CLI lookups for now).
    But, given the answer to an (much) earlier comment, DNSCrypt is handling DNS and OpenDNS is not. I thought what was in the router was fixed and what was on the OS could do nothing about that; that, short of router vulnerability, until I enter my highly-secure password – or the router was reset and the considerably less secure default password – that was that. You know, I was planning on going into the router and manually changing the DNS provider.
    I do run Linux, but I’m in Windows, and let’s forget about the possibility of Linux being compromised. The idea that Microsoft can change my DNS provider regardless of what I’ve set in the router, troubles me greatly!
    Have I got the gist of it?

    1. Okay, an hour or so later, or a year or two at dial-up speed, a thought has fought its way to the surface:
      The router doesn’t know to forward a DNS lookup, because it is encrypted.

  26. Hi…
    Regarding the Simple DNScrypt version …how can I simply verify that it is indeed working? …IPv4 dns server addresses are 127.0.0.1 & 127.0.0.2. now?

    I had these:
    77.109.148.136
    77.109.148.137 ……from the Swiss Privacy Foundation before.

    Any help much appreciated.
    Cheers

    1. You can do the same test using nslookup and verify that 127.0.0.1 and 127.0.0.2 are responding to queries. You could also use a site like dnsleaktest.com and see whether the DNS server you configured is the one shown.

  27. installed and all looks good until i try nslookup google.com i get : C:\dnscrypt-proxy-win32>nslookup google.com
    Server: UnKnown
    Address: 127.0.0.1

    *** UnKnown can’t find google.com: No response from server

    1. I generally see that when the resolver is down (it’s mostly a volunteer effort and some of them are not as reliable as others). I would try downloading an updated resolver list and then reinstall with a different/updated server.

  28. I have managed to install DNSCrypt according to the instructions. However, I am NOT able to alter the DNS to 127.0.0.1:53. I have a BT Home Hub router on BT Broadband which states that it cannot be altered. There is no entry in Network Connections or Adapter for the DNS to be altered. Windows 10.

    1. The base instructions here wouldn’t work on your router anyways, because it’s set to listen for local connexions only. Under Windows 10, the network settings will look slightly different, but overall it’s the same process.

      1. Open the Network & Internet settings in the control panel or the Network and Sharing Center. There will be a link to “Change adapter settings” or “Change adapter options”.
      2. Right-click on the adapter you’re using (typically labelled “Ethernet” on a standard wired connexion) and select “Properties”.
      3. Pick “Internet Protocol Version 4 (TCP/IPv4)” from the list and open the properties for that.
      4. Fill in 127.0.0.1 for the preferred DNS server.

      Here’s a screencap for reference as well.

  29. Thank you for your extremely prompt and understanding reply.
    The ‘screencap’ was of great assistance.

  30. Hi!

    If I check IPv6 in Network Connections Properties, I got
    C:\>nslookup google.hr
    Server: dsldevice.lan
    Address: bla::bla:bla:bla:bla

    Non-authoritative answer:
    Name: google.hr
    Addresses: bla::bla:bla:bla:bla
    83.139.67.29
    83.139.67.23
    83.139.67.59
    83.139.67.44
    83.139.67.57
    83.139.67.34
    83.139.67.30
    83.139.67.45
    83.139.67.19
    83.139.67.42
    83.139.67.38
    83.139.67.27
    83.139.67.49
    83.139.67.53
    83.139.67.15

    If I uncheck IPv6 in Network Connections Properties, I got
    C:\>nslookup google.hr
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: google.hr
    Addresses: bla::bla:bla:bla:bla
    216.58.211.99

    I think that DNSCrypt doesn’t work when I check IPv6, does it?

    PS: If I put ::1 in DNS Server in IPv6 I got
    C:\>nslookup google.hr
    Server: UnKnown
    Address: ::1

    *** UnKnown can’t find google.hr: No response from server

      1. Thank you, Dominus, for a fast response.

        Yes, I’ve looked that section and I tried ::1 and after that ::FFFF:127.0.0.1 and DNSCrypt doesn’t work if IPv6 is enabled.

        1. Hmm. After re-reading your question, I want to clarify – are you looking to have dnscrypt-proxy respond to requests on the IPv6 interface, or are you looking for it to respond to queries with IPv6 addresses? If it’s the latter, then I believe the proxy is working the way you have it setup (perhaps run dnsleaktest.com to be sure). If you want it to listen on IPv6, you can just edit the “LocalAddress” value in the registry to be ::1.

          1. I want to enable Internet Protocol Version 6 (TCP/IPv6) in the Ethernet Properties and after that I want to get something like this:

            C:\>nslookup -type=txt debug.opendns.com
            1.0.0.127.in-addr.arpa
            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial = 1
            refresh = 600 (10 mins)
            retry = 1200 (20 mins)
            expire = 604800 (7 days)
            default TTL = 10800 (3 hours)
            Server: UnKnown
            Address: 127.0.0.1

            Non-authoritative answer:



            debug.opendns.com text = “dnscrypt enabled (8888888888888888A)”

            After I enabled IPv6, I don’t want to I get this (same parameters, only enabled IPv6):

            C:\>nslookup -type=txt debug.opendns.com
            Server: dsldevice.lan
            Address: bla::bla:bla:bla:bla

            DNS request timed out.
            timeout was 2 seconds.
            DNS request timed out.
            timeout was 2 seconds.
            *** Request to dsldevice.lan timed-out

            I can’t edit the registry key because I don’t want to install the DNSCrypt service. I just want to run it manually when I need it.

            Sorry if I can’t explain it to you better :(

            1. Okay, I think that’s clearer. With IPv6 enabled on my network adapter and using the “cisco” (aka OpenDNS) resolver, running nslookup -type=txt debug.opendns.com yields this:

              C:\Users\myusername>nslookup -type=txt debug.opendns.com
              1.0.0.127.in-addr.arpa
                      primary name server = localhost
                      responsible mail addr = nobody.invalid
                      serial  = 1
                      refresh = 600 (10 mins)
                      retry   = 1200 (20 mins)
                      expire  = 604800 (7 days)
                      default TTL = 10800 (3 hours)
              (root)  ??? unknown type 41 ???
              Server:  UnKnown
              Address:  127.0.0.1
              Non-authoritative answer:
              debug.opendns.com       text = "server 1.tree"
              debug.opendns.com       text = "flags 00 0 00 0000000000000000"
              debug.opendns.com       text = "originid 0"
              debug.opendns.com       text = "actype 0"
              debug.opendns.com       text = "source 1.2.3.4:0000"
              debug.opendns.com       text = "dnscrypt enabled (0000000000000)"
              (root)  ??? unknown type 41 ???

              You could specify the listening interface manually with --local-address, but I’m not sure that would fix your specific issue. You might want to open an issue on GitHub and see if someone more familiar has any input.

  31. WOW! This thing worked like a charm. Now I can bypass the DNS in my router that was blocking me from playing games. Thanks a bunch ^_^

  32. You can also cache DNS queries with Unbound:
    http://unbound.nlnetlabs.nl/documentation/unbound-windows-manual-02.pdf

    I installed dnscrypt with:

    dnscrypt-proxy.exe -R "dnscrypt.eu-nl" -a 127.0.0.2:40 --install

    & in C:\Program Files (x86)\Unbound\service

    add:

    ##### Settings for dnscrypt #####
    forward-zone:
    name: "."
    forward-addr: 127.0.0.2@40

    (unbound listens on port 53 @ 127.0.0.1 && ::1)

    Your dns queries will be faster & this reduces the load on the DNS resolvers.

  33. Hi there,
    1. Is it possible for an ISP to block DNSCrypt? Because I tried Simple DNS Crypt v0.3.2 on 2 ISPs. It works for ISP A, and for ISP B I can't browse anything if I turn on the service/resolver. How do I check whether DNSCrypt worked or not on ISP B?

    2. What is DNSSEC?

    Thank you very much.

    1. Hey,

      1. I don’t believe that DNSCrypt does anything to mask its traffic, so in theory I think it’s possible for an ISP to block it. Did you use the same resolver both times, or at least try more than one server on ISP B? I’ve found that some of the services can be flaky sometimes, so it’s worth testing against more than one.

      2. DNSSEC is an extension to the DNS system to help authenticate that DNS records returned by an authority are records that were set by the domain owner (and not a malicious entity). Here’s a post that goes fairly in-depth about the DNS system and what DNSSEC adds to it: https://blog.cloudflare.com/dnssec-an-introduction/

      1. I only use the first resolver, and have tried at least 5 different resolvers. None of them worked on ISP B. So I guess it really is blocked by ISP B.

        Thanks for your reply
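
For the question of how to tell whether queries are actually going through dnscrypt-proxy, here is an added example (not part of the original post or of dnscrypt-proxy) that classifies the output of the `nslookup -type=txt debug.opendns.com` check shown earlier in the thread. It distinguishes the working case (answer from 127.0.0.1 carrying a "dnscrypt enabled" TXT record) from the failure case (query sent to the router and timed out). The two sample outputs are constructed to mirror the thread; the OpenDNS TXT record names are real, the IPv6 router address is made up.

```python
import re
import subprocess

# Constructed sample: nslookup output when queries go through dnscrypt-proxy
# listening on 127.0.0.1 and the "cisco" (OpenDNS) resolver answers.
SAMPLE_OK = """\
Server:  UnKnown
Address:  127.0.0.1

Non-authoritative answer:
debug.opendns.com       text = "server 1.tree"
debug.opendns.com       text = "dnscrypt enabled (0000000000000)"
"""

# Constructed sample: the failure case from the thread, where Windows sent the
# query to the router over IPv6 (made-up link-local address) and it timed out.
SAMPLE_TIMEOUT = """\
Server:  dsldevice.lan
Address:  fe80::1

DNS request timed out.
    timeout was 2 seconds.
*** Request to dsldevice.lan timed-out
"""


def check_dnscrypt(output: str) -> dict:
    """Classify nslookup output.

    Returns which server answered, whether that server is the local proxy,
    whether OpenDNS reported "dnscrypt enabled", and whether the query
    timed out (typically: the wrong resolver was used, or it is unreachable).
    """
    server_ip = None
    m = re.search(r"^Address:\s*(\S+)", output, re.M)
    if m:
        server_ip = m.group(1)
    timed_out = "timed out" in output or "timed-out" in output
    enabled = bool(re.search(r'text\s*=\s*"dnscrypt enabled', output))
    return {
        "server": server_ip,
        "via_local_proxy": server_ip in ("127.0.0.1", "::1"),
        "dnscrypt_enabled": enabled,
        "timed_out": timed_out,
    }


def run_check(server: str = "127.0.0.1") -> dict:
    """Run the real nslookup against a chosen server and classify the result.
    Only useful on a machine that has nslookup (Windows, most Unixes)."""
    proc = subprocess.run(
        ["nslookup", "-type=txt", "debug.opendns.com", server],
        capture_output=True, text=True, timeout=30,
    )
    return check_dnscrypt(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("working case:", check_dnscrypt(SAMPLE_OK))
    print("timeout case:", check_dnscrypt(SAMPLE_TIMEOUT))
```

Passing the proxy address explicitly to `run_check` (as `nslookup ... 127.0.0.1` does) tells you whether the proxy itself works; running it without that argument tells you whether Windows is actually using the proxy, which is the distinction the IPv6 question above turns on. Note that "dnscrypt enabled" is reported by OpenDNS only, so this check is meaningful with the "cisco" resolver.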

  34. Hello, I have done all the steps in this document,
    but I get this problem:

    D:\Program Files\dnscrypt-proxy-win64> dnscrypt-proxy.exe -R cloudns-can --install
    [ERROR] No resolver named [cloudns-can] found in the [D:\Program Files\dnscrypt-proxy-win64\dnscrypt-resolvers.csv] list

    1. It appears the cloudns-can server was removed from the resolver list. If you look in the dnscrypt-proxy-win64 folder, you should see a file called ‘dnscrypt-resolvers.csv’. Replace “cloudns-can” with the name of a current resolver. For example, the new command might be dnscrypt-proxy.exe -R d0wn-lu-ns1 --install.
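
Since resolver names come and go, here is an added example (not the project's own code) that does what the `-R` lookup above does: it reads dnscrypt-resolvers.csv, reports whether a given name is still present, and lists the names that advertise DNSSEC validation and no logging. The CSV contents below are constructed; the column names are assumed to match the header of the real file (`Name`, `DNSSEC validation`, `No logs`, `Resolver address`), so if your copy differs, adjust them.

```python
import csv
import io

# Constructed sample in the layout of dnscrypt-resolvers.csv. The header is
# assumed to match the real file; the two rows are made up (RFC 5737 addresses,
# placeholder public keys).
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-nl,Example NL,Constructed entry,Netherlands,,https://example.invalid,1,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,0000:0000:0000:0000,
example-log,Example Logging,Constructed entry,Elsewhere,,https://example.invalid,1,no,no,no,198.51.100.5:443,2.dnscrypt-cert.example.invalid,0000:0000:0000:0000,
"""


def load_resolvers(text: str) -> dict:
    """Parse the CSV into {name: row}, keyed by the first column."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def find_resolver(resolvers: dict, name: str):
    """Return the row for `name`, or None. None is exactly the condition behind
    the '[ERROR] No resolver named [...] found' message in the thread."""
    return resolvers.get(name)


def filter_resolvers(resolvers: dict, dnssec=None, no_logs=None) -> list:
    """Names whose DNSSEC / no-logs flags match the requested values
    (None means 'do not care')."""
    def flag(row, col):
        return row.get(col, "").strip().lower() == "yes"

    names = []
    for name, row in resolvers.items():
        if dnssec is not None and flag(row, "DNSSEC validation") != dnssec:
            continue
        if no_logs is not None and flag(row, "No logs") != no_logs:
            continue
        names.append(name)
    return sorted(names)


def load_file(path: str = "dnscrypt-resolvers.csv") -> dict:
    """Load the real list from the dnscrypt-proxy folder."""
    with open(path, encoding="utf-8", newline="") as fh:
        return load_resolvers(fh.read())


if __name__ == "__main__":
    table = load_resolvers(SAMPLE_CSV)
    for wanted in ("example-nl", "cloudns-can"):
        row = find_resolver(table, wanted)
        status = row["Resolver address"] if row else "not in list"
        print(f"{wanted}: {status}")
    print("DNSSEC + no logs:", filter_resolvers(table, dnssec=True, no_logs=True))
```

Run `load_file()` from the folder containing the downloaded CSV to check against the real list before passing a name to `-R`; the flags are self-declared by each provider, so treat them as a starting point for choosing a resolver, not as verified facts.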

  35. After my PC restarted, I can’t use DNSCrypt. After my first install it worked okay, I could browse blocked sites, but after my PC restarted it was back again. What should I do now? I already tried to reinstall it but failed.

    1. I found the problem. Previously I changed the DNSCrypt folder directory. I returned the folder back, uninstalled it, and then installed it again in the new directory.

      Now my question:
      1. Is it possible to uninstall it if I don’t know the folder directory? In case I accidentally delete the folder and realise it after a long time. I can’t re-install it as long as it’s still installed.
      2. How safe is this software? Usually I’m using Google DNS until my ISP blocks it.

      Thanks

        1. I think you would have to delete the registry keys and then remove the service.
        2. Great question. There are really two places you’re putting your trust: the software and the DNS server. On the software side, the person maintaining DNSCrypt, Frank Denis, also manages libsodium, a widely used crypto library. Personally, I’m not particularly worried about the client software. On the DNS server side, you really have to look at who is running the server, what their usage terms are (non-logging, etc.), and what your threat model is. From what I recall Google DNS logs permanently, but perhaps it’s still better than having your ISP log your queries. The same goes for using any of the other DNSCrypt servers in the list. You may want to run your own instead, or you might trust/distrust the other services based on personal criteria.
  36. Hi, I have a problem uninstalling the dnscrypt service.
    It gave me this message on my command prompt:
    [ERROR] unable to uninstall the service

    Can you help me troubleshoot?
    Recently I installed Malwarebytes on my PC, but I had blue screens after that, so I uninstalled the program.
    Do you think it affected my computer and my dnscrypt?

  37. I’ll bookmark this tutorial to refer when I’m more tech-savvy.
    Right now, Simple DNSCrypt has installed DNSCrypt on my Win 7 Pro 64-bit machine. Only issue is that Simple DNSCrypt runs version 2.0.8 of DNSCrypt and I don’t see how to make it update to version 2.0.12.
    Thanks.

    1. Simple DNSCrypt updated itself to version 0.5.5 (64-bit), and it shows it is now using dnscrypt-proxy 2.0.14, so that’s good.
      It continues to run well. In Simple DNSCrypt, I have again selected cloudflare’s 1.1.1.1 as my ONLY resolver, and it shows exclusively when I go to https://www.dnsleaktest.com/ .
      HOWEVER, if I go to a deeper test at https://ipleak.net/ , I get one odd result: In the DNS Address section, the result is “0 servers, 100 errors”. Why?
      Thanks.

      1. Good question, I’m not sure why that would be. I’m also using dnscrypt-proxy 2.0.14 (although manually installed) and they both return the correct DNS servers. Perhaps it’s a browser issue?
