OpenDNS dnscrypt now available for Windows

Discussion in 'privacy technology' started by kupo, Apr 1, 2012.

Thread Status:
Not open for further replies.
  1. kupo

    kupo Registered Member

    See here -,1334.0.html
    This is where I've read it. Previously it was just for Linux and Mac.
  2. m00nbl00d

    m00nbl00d Registered Member


    I suppose it's time for OpenDNS. :D
  3. funkydude

    funkydude Registered Member

    Hmm, not sure whether to trust it in its current beta state. Will give it a go.
  4. Victek

    Victek Registered Member

    That's a rather complicated setup process. Can you post back and let us know if the instructions are accurate? They're going to have to automate it if they want DNScrypt to be widely adopted on Windows.
  5. funkydude

    funkydude Registered Member

    My thoughts exactly. I'll try and summarize the setup process simply:
    Download file
    Execute file (and leave it running like any windows app)
    Set primary IPv4 DNS server to
    Set primary IPv6 DNS server to ::1

    Done, now every time you start Windows you need to execute that file/app for DNS to work. It really is a "hack job" right now. What I did was make a shortcut to the file in
    :\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    Then it will start when your PC boots.
  6. m00nbl00d

    m00nbl00d Registered Member

    There's a GUI -

    You can also either run DNSCrypt as a service, or create a scheduled task running it as system, for instance. That way, it will start for any user.
  7. Hungry Man

    Hungry Man Registered Member

    I'll wait for a stable release for Linux.

    edit; Actually, it's apparently out for Linux. Got it working no problem.
    Last edited: Apr 1, 2012
  8. m00nbl00d

    m00nbl00d Registered Member

    I'm running it. One thing people should be aware of, if some don't know about it, is that, considering it works as a proxy, then you can* no longer have specific DNS rules for individual applications. This means, you can either disable or remove those DNS rules. :D

    * Well, you can, they just don't work/aren't needed anymore. lol

    Obviously, I'm talking of a setup where you have global DNS rule disabled in your firewall/DNS client disabled, which would force applications to need a specific DNS rule.

    By the way, in addition to what funkydude mentioned, you should first - if you got firewall outbound control - create a rule for DNSCrypt executable for OpenDNS DNS IP addresses on remote port 53 and protocol UDP. Leave this rule created and enabled; don't delete it!

    Only then should you change your network adapter DNS IPs to localhost ( for IPv4 and ::1 for IPv6), if your device works that way. Mine does; I need to make the appropriate change in the device itself, which will then make the change in Windows.
    Last edited: Apr 1, 2012
  9. Hungry Man

    Hungry Man Registered Member

    if you're on Ubuntu 12.04.

    edit: And on Windows you should be able to use Task Scheduler to get it running at startup. On Linux just create the daemon and start it.
  10. noone_particular

    noone_particular Registered Member

    DNScrypt-proxy seems to work well on XP as far as I can determine. It does put a bit of a twist into firewall rules that are already configured to accommodate a local filtering proxy. Is there a test site that can confirm that the DNS requests are truly encrypted?

    The GUI app you linked to fails to initialize for me. Do you have a link to more info about it?

    Does this require Net Framework?
    Last edited: Apr 1, 2012
  11. m00nbl00d

    m00nbl00d Registered Member

    I'm not using the GUI. Sorry. :( And, yes, it does require Net Framework. It's mentioned in the DNSCrypt Proxy page on Github. I forgot to mention it.

    I went a step further in my setup, and I've created a dedicated standard user account just to run DNSCrypt.

    I'm making use of PsExec to run it from any other user account. :D I'm going to automate the process, by scheduling a task. Also, I don't think one will need to create a task as system or even run as admin. You'd just need to run it under "Users" group.

    One thing I'm confused about, is that DNSCrypt has a command line option named --user=. We're supposed to make use of it, so that DNSCrypt tool reduces the privileges it has for that user account, which in my case would be the dedicated user account. But, that command option doesn't seem to work, at all. o_O


    I may actually see if I could use a PowerShell script instead, so that I can encrypt the password. I don't think PsExec encrypts it? It's been a long time since I last used it. :D
  12. m00nbl00d

    m00nbl00d Registered Member

    I'm wondering if --user=username needs to be like --user="username" :doubt:

    Will give it a try. It's frustrating... :argh:
  13. Hungry Man

    Hungry Man Registered Member

    So am I going to have to install a packet sniffer to see if this is working?
  14. funkydude

    funkydude Registered Member

    Other than using the "you're using OpenDNS" confirmation page, yes. But put it this way, if it wasn't working you'd have no DNS resolution at all.
  15. Hungry Man

    Hungry Man Registered Member

    Yeah I got confused because when I turned it off my pages were still loading. Apparently that was from the cache. I guess that's good enough confirmation for me.

    edit: And I don't know if anyone else is on Linux but here's an AppArmor profile for the service. Can't guarantee it won't break it, but it's working for me.
    Last edited: Apr 1, 2012
  16. m00nbl00d

    m00nbl00d Registered Member

    I hope someone can give me some assistance.

    As I mentioned earlier, it's been a long time since I last used PsExec from Sysinternals. I have the following command:

    "C:\PsExecFolder\PsExec.exe" -d -e -u username -p p4ssw0rd "C:\DNSCryptFolder\DNSCrypt.bat"

    If I open the cmd line and copy & paste it, then DNSCrypt will run as username, but if I run it via a batch file, then it won't run.

    Am I missing some other obvious command, that will allow me to run it using a batch file? :oops: :doubt:

    I actually tried "C:\PsExecFolder\PsExec.exe" -d -e -u username -p p4ssw0rd "cmd" "/c "C:\DNSCryptFolder\DNSCrypt.bat"", but it just opens cmd line window with the name C:\DNSCryptFolder\DNSCrypt.bat. o_O

    The above command should first start PsExec as username, then it would open a new cmd line window and pass the rest of the command. But, it won't pass it, and I don't know why.

    So, what am I missing? :argh: :ouch:
  17. m00nbl00d

    m00nbl00d Registered Member

    DNSCrypt appears to work fine under Sandboxie. :D
  18. noone_particular

    noone_particular Registered Member

    It seems to work fine on XP when started from HKLM...Run. I haven't tried any of the command line switches. With the DNS service disabled, the cache flushed, and applications prevented from resolving their own DNS via firewall rules, I can confirm it is handling the DNS resolving. Haven't verified that it is encrypted.
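The question raised in the posts above (whether a packet sniffer can confirm that queries leave the machine encrypted) comes down to checking whether any UDP payload sent to a remote port 53 still parses as an ordinary DNS query. The following is an added example, not part of any post in this thread; the `(dst_ip, dst_port, payload)` tuple format, the documentation-range addresses and the sample payloads are constructed assumptions standing in for data exported from a capture.

```python
import ipaddress
import struct

def parse_plain_dns_query(payload):
    """Return the query name if payload is a well-formed plaintext DNS query, else None."""
    if len(payload) < 17:                       # 12-byte header + smallest question
        return None
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    # Stub-resolver query: QR=0, opcode=0, one question, no answer/authority records.
    if flags & 0xF800 or qd != 1 or an or ns or ar > 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:                         # root label ends the name
            break
        label = payload[pos:pos + length]
        if length > 63 or len(label) != length or not all(0x21 <= b <= 0x7E for b in label):
            return None
        labels.append(label.decode("ascii"))
        pos += length
    else:
        return None                             # ran off the end without a root label
    # QTYPE + QCLASS must follow; with no EDNS record nothing may trail them.
    if pos + 4 > len(payload) or (ar == 0 and pos + 4 != len(payload)):
        return None
    return ".".join(labels) or "."

def build_query(name, qid=0x1234):              # only used to construct the sample traffic
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def find_plaintext_leaks(packets):
    """packets: (dst_ip, dst_port, udp_payload) tuples from an outbound capture."""
    leaks = []
    for dst, port, payload in packets:
        # Port 53 to loopback is the app -> local proxy hop, plaintext by design.
        if port == 53 and not ipaddress.ip_address(dst).is_loopback:
            name = parse_plain_dns_query(payload)
            if name is not None:
                leaks.append((dst, name))
    return leaks

# Constructed sample capture; addresses are documentation-range placeholders.
SAMPLE = [
    ("127.0.0.1", 53, build_query("example.com")),       # app -> local proxy
    ("203.0.113.10", 53, bytes(range(0x80, 0xC0))),      # stand-in for an encrypted payload
    ("198.51.100.7", 53, build_query("leak.example")),   # query bypassing the proxy
]
```

A payload that fails to parse is only shown not to be a plaintext query, which is not proof of encryption; any entry in the list returned by `find_plaintext_leaks(SAMPLE)` is a query that left the machine readable.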
  19. treehouse786

    treehouse786 Registered Member

    i have a few questions if anyone would be kind enough to answer.

    what exactly does dnscrypt achieve?
    how can encrypting dns request help with privacy?
    would using dnscrypt help with regards to this situation?
    would it only affect the browser or all windows dns requests?
    does it adversely affect online gaming by way of increased ping?

    cheers in advance
  20. Hungry Man

    Hungry Man Registered Member

    It's like SSL for your DNS server. You have your computer -> router -> ISP -> hacker -> OpenDNS.

    No one between you and OpenDNS can see your DNS requests now.

    When paired with SSL you're hiding your information from anyone between you and the places you contact.

    Probably not unless used in conjunction with something like TOR.

    All DNS requests.

  21. adik1337

    adik1337 Registered Member

    My ISP is using a DNS proxy. Although DNScrypt is "working" (no connection if it is not running, with connection if it is), every time I check the "you're using OpenDNS" confirmation page, it always tells me that I am not using OpenDNS (same thing with the 2 other OpenDNS tests).

  22. treehouse786

    treehouse786 Registered Member

    @Hungry Man

    thank you for those answers :thumb:
  23. noone_particular

    noone_particular Registered Member

    That settles that. Guess I don't need a GUI.

    The proxy seems to work as claimed, but I'm having a hard time seeing how this is of any benefit. No, an entity won't be able to see the DNS info, but if they're monitoring your traffic, they'll see where you connect to anyway. I don't see it helping against government snooping as they most likely have access to the DNS anyway.

    I guess my questions are these:
    Who does this protect us from? What is the benefit of encrypting the DNS traffic when your browser or other app will be connecting to the site? What does this hide that won't be immediately revealed by the next connections your system makes?
  24. Hungry Man

    Hungry Man Registered Member

    It pairs with SSL, really.

    1) No one can interfere with the DNS request, redirecting you to a hacked website or phishing page.

    2) No one can see what page you're going to.

    If you aren't using SSL they can just use that information. If you are using SSL, they pair nicely.
  25. noone_particular

    noone_particular Registered Member

    #1 makes sense. #2 doesn't. After you resolve the DNS, you'll go to that page. Encrypted or not, the destination is visible unless you're using Tor or an equivalent in which case you can route the DNS thru it as well. The only instance I see where this improves privacy is if you're using a remote proxy while resolving DNS directly. Other than that, I don't see what the encryption conceals that your next connections won't reveal anyway.