Encrypted DNS queries via OpenDNS dnscrypt for Windows

Started by Jeremy Collake, March 19, 2012, 04:31:14 AM


Jeremy Collake

I wrote up this blog post, showing how to easily start using OpenDNS's new encrypted DNS service on Windows. It was previously only available on OS X, BSD, and Linux, but I happened to notice a Windows client -- which seems to work just great. Give it a try yourself. DNS query resolution is perhaps the largest, most glaring, open 'issue' if you're concerned about your internet browsing privacy. These queries resolve domain names into IP addresses, and thus reveal every domain you intend to visit each time one is made. By encrypting them, you are that much safer. Of course, people can still see where traffic is going, but this is at least an improvement ;).

URL: hXXp://thepileof.blogspot.com/2012/03/using-encrypted-dns-with-windows-via.html

COPY of blog post (formatting will be terrible):

OpenDNS has been working on a new encrypted DNS service for the past 6 months or so. They've kept fairly quiet about it, though it has been mentioned on Slashdot and elsewhere. At first there were only OS X, BSD, and Linux clients available. However, a Windows client is now available for download at their GitHub repository [direct link to Win32 binary is here - you do NOT need to sign up for their beta program, or register with OpenDNS first]. I am not sure if it is considered 'final' or not. I just noticed it was there, tried it out - and it works ;).

Why encrypt my DNS queries?

Even if you use HTTPS on every site you visit, your DNS queries are painfully obvious to anyone. Whether it is your ISP, or a local sniffer, if you want privacy, your DNS queries are a glaring hole in it. In some cases, encrypted DNS queries may get you around site blockers/firewalls too (though not all cases).

How do I set it up?
First download the Windows client. I actually had a false positive when I downloaded it, so if you see such with Microsoft Security Essentials, then ignore it - I'm sure it will be fixed soon. OR, pay attention to it. This is all at your own risk, though I'm sure nothing dangerous is coming from OpenDNS's GitHub repository ;).

Once you download it, you'll see it is a single 32-bit EXE, though will work fine on Windows x64. I've tested it on Windows 7 x64.

Extract it somewhere. Now, you'll want to set it to start at boot, or even run as a service. There are numerous tools to run normal applications as a service, and numerous ways to start it on boot, so I'll let the reader work on that. You can start it manually if you prefer.

Once started, it sets up a local proxy server that will resolve DNS queries for you, through an encrypted connection to the OpenDNS server closest to you.

So, the next step is to *change* your DNS configuration to point to your local PC, since it now has a DNS server running on it ( in IPv4, or ::1 in IPv6). Since Windows is dual-stack, you *must* remember to change the IPv6 DNS configuration as well, to the local loopback (::1).

Go to your Network Connections, right click the Local Area Connection (or whichever you are using), and select 'Properties'. You'll see something like this:

Go to the IPv4 configuration by double clicking it and set it up like so:

Then go back and check the IPv6 configuration by double clicking it. Set it up to your preference. Notice how I also set IPv6 up to the local loopback (::1 in shorthand notation). The point is you want ALL resolution to go back to your local address, as that's the DNS server you want to use (the one running in the EXE).

After that, it should work. You'll want to test. To test, first SHUT DOWN the OpenDNS dnscrypt process (dnscrypt-proxy.exe). Clear your DNS cache by running 'ipconfig /flushdns'. The idea is to make sure that you can now NOT resolve DNS queries. Doing an 'inverse test' is superior to doing a 'working test' because it ensures there is no unencrypted (standard) DNS resolution available.

Now see if some domain you've not visited anytime recently *fails* to resolve by trying a ping, or just visiting their web site. If it fails, then all is good! If it *succeeds* then you still have plaintext DNS queries being resolved and will need to double check your configuration.

Restart the dnscrypt process, and everything should now WORK. If it does, you're good!

To be triple sure, try the OpenDNS test URL: http://www.opendns.com/welcome/. If you are using OpenDNS, it will tell you that you are. If you aren't, then it will tell you that you aren't. If you were using OpenDNS before, then this last test is not valid.

Setting up dnscrypt-proxy.exe to run Automatically as a Windows Service

I *strongly* recommend setting this dnscrypt-proxy.exe process to start automatically as a Windows Service. This is necessary so that a user need not log in for your DNS resolution to work. I used to distribute a utility that allowed this, MakeService, though later removed it after it was abused by malware authors. Still, there are plenty of freeware utilities that will allow you to set this up. If you can't find one you like, I can provide my old freeware utility. I've restored MakeService, but another (perhaps better) option is ServiceEx, also freeware and command line based.

With MakeService, the commands would be simple. Extract all into a folder, e.g. c:\edns\. That means, MakeService, and dnscrypt-proxy.exe. Then drop to the command prompt (cmd.exe) and run:
MakeService c:\edns\dnscrypt-proxy.exe /Name:dnscrypt /DisplayName:dnscrypt
More advanced setups
Of course, you will likely want ALL your network's DNS queries to be encrypted. You can do this a number of ways, including installing the client on your router, if using a router with an 'open' firmware. However, you can also simply set your router's DNS settings to point to the LAN address of the PC you just set up (or one that is always booted). That will cause all DNS queries to redirect back to this little server. Be sure to poke a hole through any firewall on that PC, to allow DNS query requests to get to it - but only LOCAL queries, don't let anyone from the Internet use you as a DNS resolver ;).

This proxy server dnscrypt client is available for almost every platform you can think of at this point, with more being added all the time. There is even one for iOS.

A final note
This does not mean people won't be able to see what IP addresses you access, or other potential information in your internet requests. However, this is one less thing they'll see. For increased security, so that nobody sees much of anything, look into an SSH tunnel. This requires a bit more advanced skills to set up, but it's still pretty darn easy. All a sniffer would see is a connection to the tunnel's server, with a bunch of encrypted traffic.

UPDATE: OpenDNS did issue a call for Beta Testers on Mar. 13 2012, http://blog.opendns.com/2012/03/13/call-for-beta-testers-dnscrypt-for-windows/

Software Engineer. Bitsum LLC.
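As an added example (not code from the post above, nor from OpenDNS's dnscrypt project), here is a PowerShell script that automates the checks the post walks through: that every adapter points at loopback for BOTH IPv4 and IPv6, the 'inverse test' with the proxy stopped and the cache flushed, and a LAN-only firewall rule for the router-forwarding setup. It assumes Windows 8 or later (the DnsClient and NetSecurity cmdlets do not exist on Windows 7, where ipconfig/nslookup as described in the post do the same job), an elevated prompt, and the c:\edns\ layout from the post.

```powershell
# Added example, not from the original post or from OpenDNS. Assumes Windows 8+/PowerShell 3+
# (DnsClient and NetSecurity modules), an elevated prompt, and the c:\edns\ layout used in the post.

$Loopback = @('127.0.0.1', '::1')

# 1. Every adapter with DNS servers configured must point ONLY at loopback, for both
#    address families: the dual-stack caveat from the post (IPv6 is the one people forget).
function Test-LoopbackDnsConfig {
    $ok = $true
    foreach ($family in 'IPv4', 'IPv6') {
        foreach ($entry in (Get-DnsClientServerAddress -AddressFamily $family)) {
            $foreign = @($entry.ServerAddresses | Where-Object { $Loopback -notcontains $_ })
            if ($foreign.Count -gt 0) {
                Write-Warning ("{0} ({1}) still uses non-loopback DNS: {2}" -f `
                    $entry.InterfaceAlias, $family, ($foreign -join ', '))
                $ok = $false
            }
        }
    }
    return $ok
}

# 2. The post's 'inverse test': stop the proxy, flush the cache, and make sure a name you
#    have not resolved recently FAILS. If it resolves, a plaintext resolver is still reachable.
function Invoke-InverseDnsTest {
    param([string]$Name = 'example.net')   # constructed sample name; use one you have not visited lately
    Get-Process -Name 'dnscrypt-proxy' -ErrorAction SilentlyContinue | Stop-Process -Force
    Clear-DnsClientCache                    # same effect as 'ipconfig /flushdns'
    try {
        $null = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        Write-Warning "$Name resolved with the proxy stopped: plaintext DNS is still available."
        return $false
    } catch {
        Write-Host "$Name did not resolve with the proxy stopped: no plaintext fallback found."
        return $true
    } finally {
        Start-Process -FilePath 'c:\edns\dnscrypt-proxy.exe'   # bring the proxy back for the 'working test'
    }
}

# 3. Router-forwarding setup: let only the local subnet reach the resolver, never the Internet.
#    Assumes the proxy is listening on the PC's LAN address. Repeat with -Protocol TCP if needed.
function Add-LanOnlyDnsRule {
    New-NetFirewallRule -DisplayName 'dnscrypt LAN-only DNS' -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort 53 -RemoteAddress LocalSubnet -Program 'c:\edns\dnscrypt-proxy.exe'
}

if (-not (Test-LoopbackDnsConfig)) { Write-Warning 'Fix the adapter DNS settings before testing.' }
Invoke-InverseDnsTest
```

Resolve-DnsName with -DnsOnly skips the hosts file, so the result reflects what the configured resolvers actually answer; run Add-LanOnlyDnsRule only if you forward the router's DNS to this PC.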


I shared this thread in another forum, if you don't mind. :D (I link it back here). Some of them are waiting for the release of the Windows version of dnscrypt.

Jeremy Collake

Share away ;). I updated the blog posting with information on how to use my MakeService utility.
Software Engineer. Bitsum LLC.

Jeremy Collake

1. Updated this post to reflect new information from blog (terrible formatting, may fix it later).
2. MakeService download works again (sorry)
Software Engineer. Bitsum LLC.