DNSCrypt Ephemeral Keys

Normally DNSCrypt uses the same public key for each request when contacting the DNS resolver. Technically the resolver could use this to link the public key to multiple IP addresses (particularly a problem with a mobile device like a laptop or smartphone).

To help fix this, dnscrypt-proxy recently added support for ephemeral keys, which means it creates a new key pair for each request. This does add some extra CPU time to each request, but for devices that may change IP addresses a lot, it might be worth enabling. If you have a static IP, or a dynamic IP that changes infrequently, it’s probably not as useful. That being said, if there are multiple users of dnscrypt-proxy behind the same IP address, then I would think it could help mask which requests are being sent by separate users (e.g. without ephemeral keys, the DNS provider could determine that key A visits Gmail and ArsTechnica while key B visits Yahoo and the BBC).

To enable ephemeral keys, add the -E tag when installing, like so:

dnscrypt-proxy.exe -E -R cloudns-can -L "dnscrypt-resolvers.csv" --install

DNSCrypt On Windows

January 2018: DNSCrypt has come along way in the years since my guides were written. Recently, the version 2.0 beta was released that has a huge number of new features and is very easy to install. There have also been releases of graphical interfaces and installers that make it even simpler to get up and running. I will be leaving my guides up for posterity, but I consider them deprecated at this point.

This is an update to my original article, Getting Started With DNSCrypt On Windows. With the release of version 1.4.0, it’s much simpler to install the dnscrypt-proxy service.

Note: Also see this post about using ephemeral keys.

To start, download the latest version of DNSCrypt from here. At the time of writing, that would be “dnscrypt-proxy-win64-full-1.9.1.zip”. From that archive, extract the content of the bin folder; there should be six files. You can place them anywhere on your computer, but I am going to place them in “C:\Program Files\DNSCrypt\”.

dnscrypt-0

Next, open an elevated command prompt. On Windows 8.1, you can press Win-X and choose “Windows Command Prompt (Admin)”. On Windows 7, search the Start menu for “cmd”, right-click on cmd.exe, and select “Run as administrator”. From there, you should navigate to where you placed the DNSCrypt files. We do this using the “cd” command followed by the path, so in this example, you would run:

cd "C:\Program Files\DNSCrypt"

elevated_command_prompt

From there, we prepare to install the proxy service. First, you will need to select a DNS provider. You may have noticed a file called dnscrypt-resolvers.csv that is included in the download. This contains a listing of many DNS providers that support DNSCrypt. For each provider, it has a name, description, location, and whether they support things like DNSSEC and Namecoin. It also has the necessary IP addresses and public keys. For now, pick one that you like and copy the value in the first column. We are going to use CloudNS, so the name I need is “cloudns-can”. Now that we have a DNS provider, we will test to make sure the proxy can connect using this command:

dnscrypt-proxy.exe -R "cloudns-can" --test=0

If all goes well, you will get an output similar to this:


[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is 1625:444B: ... :DBF8:5B48

If not, pick another name and try again. If it does work, then you can proceed to install. The command is the same except that instead of --test=0, we use --install. As of release 1.9.1, a caching plugin is also included, so we can enable that as well by adding --plugin=libdcplugin_example_cache.dll to our command.

dnscrypt-proxy.exe -R cloudns-can --plugin=libdcplugin_example_cache.dll --install

You should see something like this output to the terminal:


[INFO] The dnscrypt-proxy service has been installed and started
[INFO] The registry key used for this service is SYSTEM\Current
 ControlSet\Services\dnscrypt-proxy\Parameters
[INFO] Now, change your resolver settings to 127.0.0.1:53

As indicated, you just need to change your DNS settings to 127.0.0.1 and you will be all set (for instructions on that, you can look at the original article). For reference, here is what my terminal screen looked like after I was done:
dnscrypt-full

As always, don’t hesitate to comment or send me a message if you run into any issues!

Getting Started With DNSCrypt On Windows

DNSCrypt is a new protocol for DNS queries, placing authentication onto regular lookup traffic. DNSCrypt helps prevent DNS spoofing using elliptic-curve cryptography to verify that responses haven’t been tampered with in transit. While queries are technically encrypted, DNSCrypt only guarantees authentication and not confidentiality. Nothing prevents the resolver from logging and often request/response sizes and timestamps are enough to fingerprint a user.


1. Download dnscrypt-proxy

This application is provided by dnscrypt.org and can be downloaded here. As of the time of writing, the latest version is 1.3.3. Since this guide is for Windows, download dnscrypt-proxy-win32-1.3.3.zip.

2. Extract dnscrypt-proxy
Open your downloaded file and extract the contents to your installation location; I placed them in C:/Program Files/DNSCrypt. There should be three files: dnscrypt-proxy.exe, hostip.exe, and libsodium-4.dll.

3. Install the service
Open the location of your dnscrypt-proxy.exe and Shift + right-click somewhere in the folder. In the menu, choose “Open command window here”. In the command line that opens up, type:

dnscrypt-proxy.exe --install

This will install the service, meaning you won’t need to start the program every time you restart your computer. Should you ever want to remove the service, follow the same steps as above but instead type:

dnscrypt-proxy.exe --uninstall

4. Setup the DNS provider in the registry
The dnscrypt-proxy service will read settings from the Windows registry. For this guide, we will use the CloudNS resolvers. To do this, first we will open the registry editor by opening the start menu and searching for “regedit.exe”. Open it and you should see something like this: registry
Note: Be very careful about editing things in the registry. You can mess up your computer badly.

Now we need to find this particular entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters
It’s fairly straightforward to get to, just click through as if they were regular folders. You might need to create the Parameters key – if so, just right-click in the dnscrypt-proxy entry, choose New–>Key, and name it “Parameters”.
After this we set up the actual options for the proxy by creating subkeys as you can see in this screenshot:

dnscryt_settings

For each subkey, right-click and choose New–>String Value and type in the name of the setting. Then double-click the new subkey and type in the desired value. Here are the settings I used:
LocalAddress 127.0.0.1
ProviderKey 1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4
ProviderName 2.dnscrypt-cert.cloudns.com.au
ResolverAddress 113.20.6.2:443

5. Change your connection settings
These are the basic settings we need. Now we can close the registry editor and change the network settings in Windows to use the IP address we specified in the registry (which in this case is 127.0.0.1).
change dns settingsYou can click for a bigger image.

Basically, just follow my MS-Paint guide above to set your DNS server to be your new proxy. The alternate DNS server can be whatever other DNS server you want to fall back on. I use one from the OpenNIC project. After you’re done, restart your computer and flush your DNS cache by opening a command line like we did earlier (it’s easiest to just Shift+right-click on the desktop) and type the command:

ipconfig /flushdns

Now you should be ready to go! If you want to test that everything is working, type this at the command line:

nslookup google.com

The output should look something like this:
nslookup

If you run into any problems, leave a comment or send me a message!