OpenDNS dnscrypt now available for Windows

[kupo]

See here -https://bitsum.com/forum/index.php/topic,1334.0.html
This is where I've read it. Previously it's just for Linux and Mac

[m00nbl00d]

Thanks!

I suppose it's time for OpenDNS.

[funkydude]

Hmm, not sure whether to trust it in its current beta state. Will give it a go.

[Victek123]

Quote:

Originally Posted by funkydude

Hmm, not sure whether to trust it in its current beta state. Will give it a go.

That's a rather complicated setup process. Can you post back and let us know if the instructions are accurate? They're going to have to automate it if they want DNScrypt to be widely adopted on Windows.

[funkydude]

Quote:

Originally Posted by Victek123

That's a rather complicated setup process. Can you post back and let us know if the instructions are accurate? They're going to have to automate it if they want DNScrypt to be widely adopted on Windows.

My thoughts exactly. I'll try and summarize the setup process simply:
Download file
Execute file (and leave it running like any windows app)
Set primary IPv4 DNS server to 127.0.0.1
Set primary IPv6 DNS server to ::1

Done, now every time you start Windows you need to execute that file/app for DNS to work. It really is a "hack job" right now. What I did was make a shortcut to the file in
:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Then it will start when your PC boots.

[m00nbl00d]

There's a GUI -https://raw.github.com/Noxwizard/dnscrypt-winclient/master/binaries/Release/dnscrypt-winclient.exe

You can also either run DNSCrypt has a service, or create a scheduled task running it as system, for instance. That way, it will start for any user.

[Hungry Man]

I'll wait for a stable release for Linux.

edit; Actually, it's apparently out for Linux. Got it working no problem.

[m00nbl00d]

I'm running it. One thing people should be aware, if some don't know about it, is that, considering it works as a proxy, then you can* no longer have specific DNS rules for individual applications. This means, you can either disable or remove those DNS rules.

* Well, you can, they just don't work/aren't needed anymore. lol

Obviously, I'm talking of a setup where you have global DNS rule disabled in your firewall/DNS client disabled, which would force applications to need a specific DNS rule.

By the way, in addition to what funkydude mentioned, you should first - if you got firewall outbound control - create a rule for DNSCrypt executable for OpenDNS DNS IP addresses on remote port 53 and protocol UDP. Leave this rule created and enabled; don't delete it!

Only then, is that you should change your network adapter DNS IPs to localhost (127.0.0.1 for IPv4 and ::1 for IPv6), if your device works that way. Mine does; I need to make the appropriate change in the device itself, which will then make the change in Windows.

[Hungry Man]

127.0.0.2 if you're on Ubuntu 12.04.

edit: And on Windows you should be able to use taskscheduler to get it running at startup. On linux just create the daemon and start it.

[noone_particular]

DNScrypt-proxy seems to work well on XP as far as I can determine. It does put a bit of a twist into firewall rules that are already configured to accommodate a local filtering proxy. Is there a test site that can confirm that the DNS requests are truly encrypted?

Moonblood,
The GUI app you linked to fails to initialize for me. Do you have a link to more info about it?

edit:
Does this require Net Framework?

[m00nbl00d]

Quote:

Originally Posted by noone_particular

DNScrypt-proxy seems to work well on XP as far as I can determine. It does put a bit of a twist into firewall rules that are already configured to accommodate a local filtering proxy. Is there a test site that can confirm that the DNS requests are truly encrypted?

Moonblood,
The GUI app you linked to fails to initialize for me. Do you have a link to more info about it?

edit:
Does this require Net Framework?

I'm not using the GUI. Sorry. And, yes, it does requite Net Framework. It's mentioned in the DNSCrypt Proxy page on Github. I forgot to mention it.

I went a step further in my setup, and I've created a dedicated standard user account just to run DNSCrypt.

I'm making use of PsExec to run it from any other user account. I'm going to automate the process, by scheduling a task. Also, I don't think one will need to create a task as system or even run as admin. You'd just need to run it under "Users" group.

One thing I'm confused about, is that DNSCrypt has a command line option named --user=. We're suppose to make use of it, so that DNSCrypt tool reduces the privileges it has for that user account, which in my case would be the dedicated user account. But, that command option doesn't seem to work, at all.

-edit-

I may actually see if I could use a PowerShell script instead, so that I can encrypt the password. I don't think PsExec encrypts it? There's been a long time since I last used it.

[m00nbl00d]

I'm wondering if --user=username needs to be like --user="username"

Will give it a try. It's frustrating...

[Hungry Man]

So am I going to have to install a packet sniffer to see if this is working?

[funkydude]

Quote:

Originally Posted by Hungry Man

So am I going to have to install a packet sniffer to see if this is working?

Other than using the "you're using OpenDNS" confirmation page, yes. But put it this way, if it wasn't working you'd have no DNS resolution at all.

[Hungry Man]

Yeah I got confused because when I turned it off my pages were still loading. Apparently that was from the cache. I guess that's good enough confirmation for me.

edit: And I don't know if anyone else is on linux but here's an AppArmor profile for the service. Can't guarantee it won't break it, but it's working for me.

http://www.wilderssecurity.com/showp...6&postcount=63

[m00nbl00d]

I hope someone can give me some assistance.

As I mentioned earlier, there's been a long time since I last used PsExec from Sysinternals. I have the following command:

"C:\PsExecFolder\PsExec.exe" -d -e -u username -p p4ssw0rd "C:\DNSCryptFolder\DNSCrypt.bat"

If I open the cmd line and copy & paste it, then DNSCrypt will run as username, but if I run it via a batch file, then it won't run.

Am I missing some other obvious command, that will allow me to run it using a batch file?

I actually tried "C:\PsExecFolder\PsExec.exe" -d -e -u username -p p4ssw0rd "cmd" "/c "C:\DNSCryptFolder\DNSCrypt.bat"", but it just opens cmd line window with the name C:\DNSCryptFolder\DNSCrypt.bat.

The above command should first start PsExec as username, then it would open a new cmd line window and pass the rest of the command. But, it won't pass it, and I don't know why.

So, what am I missing?

[m00nbl00d]

DNSCrypt appears to work fine under Sandboxie.

[noone_particular]

It seems to work fine on XP when started from HKLM...Run. I haven't tried any of the command line switches. With the DNS service disabled, the cache flushed, and applications prevented from resolving their own DNS via firewall rules, I can confirm it is handling the DNS resolving. Haven't verified that it is encrypted.

[treehouse786]

i have a few questions if anyone would be kind enough to answer.

what exactly does dnscrypt achieve?
how can encrypting dns request help with privacy?
would using dnscrypt help with regards to this situation?
would it only affect the browser or all windows dns requests?
does it adversely affect online gaming by way of increased ping?

cheers in advance

[Hungry Man]

Quote:

what exactly does dnscrypt achieve?

It's like SSL for your DNS server. You have your computer -> router -> ISP -> hacker -> OpenDNS.

No one between you and OpenDNS can see your DNS requests now.

Quote:

how can encrypting dns request help with privacy?

When paired with SSL you're hiding your information from anyone between you and the places you contact.

Quote:

would using dnscrypt help with regards to this situation?

Probably not unless used in conjunction with something like TOR.

Quote:

would it only affect the browser or all windows dns requests?

All DNS requests.

Quote:

does it adversely affect online gaming by way of increased ping?

Nope.

[adik1337]

My ISP is using a DNS proxy. Although DNScrypt is "working" (no connection if it is not running, with connection if it is), everytime I check "you're using OpenDNS" confirmation page, it always tell me that I am not using opendns (same thing with the 2 other OpenDns tests).

Thoughts?

[treehouse786]

@Hungry Man

thank you for those answers

[noone_particular]

Quote:

And, yes, it does requite Net Framework. It's mentioned in the DNSCrypt Proxy page on Github. I forgot to mention it.

That settles that. Guess I don't need a GUI.

The proxy seems to work as claimed, but I'm having a hard time seeing how this is of any benefit. No, an entity won't be able to see the DNS info, but if they're monitoring your traffic, they'll see where you connect to anyway. I don't see it helping against government snooping as they most likely have access to the DNS anyway.

I guess my questions are these:
Who does this protect us from? What is the benefit of encrypting the DNS traffic when your browser or other app will be connecting to the site? What does this hide that won't be immediately revealed by the next connections your system makes?

[Hungry Man]

Quote:

Who does this protect us from? What is the benefit of encrypting the DNS traffic when your browser or other app will be connecting to the site? What does this hide that won't be immediately revealed by the next connections your system makes?

It pairs with SSL, really.

1) No one can interfere with the DNS request, redirecting you to a hacked website or phishing page.

2) No one can see what page you're going to.

If you aren't using SSL they can just use that information. If you are using SSL, they pair nicely.

[noone_particular]

#1 makes sense. #2 doesn't. After you resolve the DNS, you'll go to that page. Encrypted or not, the destination is visible unless your using Tor or an equivalent in which case you can route the DNS thru it as well. The only instance I see where this improves privacy is if you're using a remote proxy while resolving DNS directly. Other than that, I don't see what the encryption conceals that your next connections won't reveal anyway.