
How To: Set Up Encrypted DNS on Windows via OpenDNS's New Encrypted DNS Service (dnscrypt)



OpenDNS has been working on a new encrypted DNS service for the past 6 months or so. They've kept fairly quiet about it, though it has been mentioned on Slashdot and elsewhere. At first there were only OS X, BSD, and Linux clients available. However, a Windows client is now available for download at their GitHub repository [direct link to the Win32 binary is here - you do NOT need to sign up for their beta program, or register with OpenDNS first]. I am not sure if it is considered 'final' or not. I just noticed it was there, tried it out - and it works.

Why encrypt my DNS queries?

Even if you use HTTPS on every site you visit, your DNS queries are painfully obvious to anyone. Whether it is your ISP, or a local sniffer, if you want privacy, your DNS queries are a glaring hole in it. In some cases, encrypted DNS queries may get you around site blockers/firewalls too (though not all cases).

How do I set it up?

First download the Windows client. I actually had a false positive when I downloaded it, so if you see one with Microsoft Security Essentials, then ignore it - I'm sure it will be fixed soon. OR, pay attention to it. This is all at your own risk, though I'm sure nothing dangerous is coming from OpenDNS's GitHub repository.

Once you download it, you'll see it is a single 32-bit EXE, though it will work fine on Windows x64. I've tested it on Windows 7 x64.

Extract it somewhere. Now, you'll want to set it to start at boot, or even run as a service. There are numerous tools to run normal applications as a service, and numerous ways to start it on boot, so I'll let the reader work on that. You can start it manually if you prefer.

Once started, it sets up a local proxy server that will resolve DNS queries for you, through an encrypted connection to the OpenDNS server closest to you.

So, the next step is to *change* your DNS configuration to point to your local PC, since it now has a DNS server running on it (127.0.0.1 in IPv4, or ::1 in IPv6). Since Windows is dual-stack, you *must* remember to change the IPv6 DNS configuration as well, to the local loopback (::1). If IPv6 is left on automatic, Windows still has a plaintext resolver it can fall back to.

Go to your Network Connections, right click the Local Area Connection (or whichever you are using), and select 'Properties'. You'll see something like this:

[Screenshot: Local Area Connection Properties dialog]

Go to the IPv4 configuration by double clicking it and set it up like so:

[Screenshot: IPv4 properties with the DNS server set to the local loopback address]

Then go back and check the IPv6 configuration by double clicking it. Set it up to your preference. Notice how I also set IPv6 up to the local loopback (::1 in shorthand notation). The point is you want ALL resolution to go back to your local address, as that's the DNS server you want to use (the one running in the EXE).

[Screenshot: IPv6 properties with the DNS server set to ::1]

After that, it should work. You'll want to test. To test, first SHUT DOWN the OpenDNS dnscrypt process (dnscrypt-proxy.exe). Clear your DNS cache by running 'ipconfig /flushdns'. The idea is to make sure that you can now NOT resolve DNS queries. Doing an 'inverse test' is superior to doing a 'working test' because it ensures there is no unencrypted (standard) DNS resolution available.

Now see if some domain you've not visited anytime recently *fails* to resolve by trying a ping, or just visiting their web site. If it fails, then all is good! If it *succeeds* then you still have plaintext DNS queries being resolved and will need to double check your configuration.

Restart the dnscrypt process, and everything should now WORK. If it does, you're good!

To be triple sure, try the OpenDNS test URL: http://www.opendns.com/welcome/ . If you are using OpenDNS, it will tell you that you are. If you aren't, then it will tell you that you aren't. If you were using OpenDNS before, then this last test is not valid.
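The DNS change and the inverse test described above, as an added example that is not part of the original post (PowerShell, run from an elevated prompt; the adapter name 'Local Area Connection', the probe host name and the c:\edns\ folder are assumptions taken from the post's own wording):

```powershell
# Added example, not from the original post. Assumes Windows 7 or later,
# dnscrypt-proxy.exe extracted to c:\edns\ (the folder used in the post),
# and an elevated PowerShell prompt. The adapter name is an assumption;
# list yours with:  netsh interface show interface
$Adapter  = 'Local Area Connection'
$ProxyExe = 'c:\edns\dnscrypt-proxy.exe'

# 1. Point BOTH stacks at the local proxy. Leaving IPv6 on automatic keeps
#    a plaintext resolver reachable, which is exactly the hole to close.
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=127.0.0.1 register=primary validate=no
netsh interface ipv6 set dnsservers name="$Adapter" source=static "address=::1" register=primary validate=no

# Helper: does a name resolve right now? System.Net.Dns throws when no
# resolver answers, so a caught exception means "did not resolve".
function Test-Resolves([string]$Name) {
    try   { [void][System.Net.Dns]::GetHostAddresses($Name); return $true }
    catch { return $false }
}

# 2. Inverse test: stop the proxy, flush the cache, and expect FAILURE.
#    Use a name you have not visited recently so the cache cannot answer.
$Probe = 'www.example.com'   # constructed probe name; pick any rarely used host
Stop-Process -Name 'dnscrypt-proxy' -Force -ErrorAction SilentlyContinue
ipconfig /flushdns | Out-Null
if (Test-Resolves $Probe) {
    Write-Warning "$Probe still resolves with the proxy stopped: a plaintext DNS path remains. Re-check the IPv4 AND IPv6 settings."
} else {
    Write-Host 'Inverse test passed: nothing resolves without the proxy.'
}

# 3. Restart the proxy and expect SUCCESS through the encrypted path.
Start-Process -FilePath $ProxyExe -WindowStyle Hidden
Start-Sleep -Seconds 3
ipconfig /flushdns | Out-Null
if (Test-Resolves $Probe) {
    Write-Host 'Resolution works again with dnscrypt-proxy running.'
} else {
    Write-Warning 'Proxy started but nothing resolves; check that it is listening on 127.0.0.1 port 53.'
}
```

If you installed the proxy as a service (see the next section), replace the Stop-Process and Start-Process lines with Stop-Service and Start-Service on the service name you chose.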

Setting up dnscrypt-proxy.exe to run Automatically as a Windows Service

I *strongly* recommend setting this dnscrypt-proxy.exe process to start automatically as a Windows Service. This is necessary so that a user need not log in for your DNS resolution to work. I used to distribute a utility that allowed this, MakeService, though later removed it after it was abused by malware authors. Still, there are plenty of freeware utilities that will allow you to set this up. If you can't find one you like, I can provide my old freeware utility. I've restored MakeService, but another (perhaps better) option is ServiceEx, also freeware and command line based.

With MakeService, the commands would be simple. Extract everything into a folder, e.g. c:\edns\. That is, both MakeService and dnscrypt-proxy.exe. Then drop to the command prompt (cmd.exe) and run:


MakeService c:\edns\dnscrypt-proxy.exe /Name:dnscrypt /DisplayName:dnscrypt

More advanced setups

Of course, you will likely want ALL your network's DNS queries to be encrypted. You can do this a number of ways, including installing the client on your router, if using a router with an 'open' firmware. However, you can also simply set your router's DNS settings to point to the LAN address of the PC you just set up (or one that is always booted). That will cause all DNS queries to redirect back to this little server. Be sure to poke a hole through any firewall on that PC, to allow DNS query requests to get to it - but only LOCAL queries; don't let anyone from the Internet use you as a DNS resolver.
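One way to open that hole for LAN hosts only, as an added example that is not part of the original post (Windows Firewall via netsh advfirewall, Windows 7 or later, elevated prompt; the c:\edns\ path is the post's own assumption):

```powershell
# Added example, not from the original post: allow only hosts on your own
# subnet to reach the proxy on UDP/TCP 53. Assumes Windows 7 or later and
# the proxy at c:\edns\dnscrypt-proxy.exe, run from an elevated prompt.
# remoteip=localsubnet scopes the rule to the local subnet, so the default
# inbound block still applies to anyone on the Internet.
$ProxyExe = 'c:\edns\dnscrypt-proxy.exe'
foreach ($Proto in 'UDP', 'TCP') {
    netsh advfirewall firewall add rule name="dnscrypt-proxy LAN only ($Proto)" dir=in action=allow protocol=$Proto localport=53 remoteip=localsubnet program="$ProxyExe" profile=private,domain
}
# Verify: the rule must show RemoteIP = LocalSubnet, never Any.
netsh advfirewall firewall show rule name="dnscrypt-proxy LAN only (UDP)" verbose
```

The proxy itself also has to listen on the PC's LAN address rather than only 127.0.0.1 for other machines to use it; check its command-line options for the listen address.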

This proxy server dnscrypt client is available for almost every platform you can think of at this point, with more being added all the time. There is even one for iOS.

A final note

This does not mean people won't be able to see what IP addresses you access, or other potential information in your internet requests. However, this is one less thing they'll see. For increased security, so that nobody sees much of anything, look into an SSH tunnel. This requires slightly more advanced skills to set up, but it's still pretty darn easy. All a sniffer would see is a connection to the tunnel's server, with a bunch of encrypted traffic.


Micah J Berman

Thanks for this! I've been dying to find something like this for a while; my default router DNS is blocking EVERYTHING at the moment except proxy protocols :/


Quote from OpenDNS

"In December of last year we announced a preview of DNSCrypt, a first of its kind technology that encrypts all DNS traffic between you and OpenDNS. It solves a critical problem that faces all Internet users today: the potential for criminals to spy on your traffic, spoof websites and conduct man-in-the-middle attacks. These threats are most present on insecure public WiFi networks in places like airports and cafes, but insecure networks can also be found in many residences.

We first made a version for Mac available, so it wasn’t a surprise to us that after the welcome reception the technology saw from the security and DNS communities (including this endorsement from djb), the second most common question was, “When will this be available for Windows?”

The answer: soon. Or now. Depending on how eager you are to get your hands on an early version. Ultimately we expect DNSCrypt to vastly improve Internet security and privacy for people all over the world."

Thanks for this, going to set it up now.


I am using it for now :D.

Just wondering how it works without adding the OpenDNS numbers :think:


Even the router mod community is working on this.

Shibby's build of TomatoUSB already has a DNSCrypt option.

- dnscrypt-proxy integration with GUI (basic -> network)
- UDPxy integration with GUI by Teaman (advanced -> firewall)
- qos-graphs fixed
- status-overview fixed (works autorefresh and show buttons)
- increase max of bwlimit entries from 40 to 80
- removed user-define imq settings (advanced -> firewall)
- don't disable USB 3G box when storage checkbox is not checked
- ups monitor service improvements
- two new buildtypes (BT and Mega without VPN)
- remove CIFS and JFFS from BT-VPN - was too big for 8MB routers
- Mega-VPN is now only for router with more than 8MB flash
- add UPS feature to AIO

Have Fun :)

Best Regards!

Just waiting for toastman's build to upgrade my firmware.


@ avmad

Many thanks for the new GUI, installing the software in seconds :).... The first way, in the main thread post, was more complicated.



