Answered

how to install the best version of DNSCrypt?

acz
asked this on July 03, 2013 23:36

I installed DNSCrypt 0.0.6 (updated 6 August 2012) very easily from the OpenDNS website. So that seems to have put 9 files into the directory called C:\Program Files (x86)\OpenDNS\DNSCrypt and it seems to be working, including the green status icon.

As I tried to educate myself, I learned that smart people are continuing to improve the program, and that newer versions exist at GitHub, but I did not find a Windows installer there.

I did download a newer version of dnscrypt-proxy.exe and a file called hostip.exe. The instructions I followed told me to unzip those two files into another directory, open a DOS cmd window, and then type "dnscrypt-proxy --install"

but I received this:                           [ERROR] unable to install service

So I am not sure how to proceed now. Should I simply copy the newer dnscrypt-proxy.exe file into the OpenDNS\DNSCrypt directory? Or is there a simple installer that I have missed at another website?

I know nothing about Linux, or OSX, and I am running Windows 7 Pro 64-bit on a Lenovo laptop that travels a lot, so security is important to me.

Thank you for OpenDNS, and for DNSCrypt, and my apologies for this newbie query if it is in the wrong place.

 

Comments

rotblitz
Check Answer

"open a DOS cmd window, and then type "dnscrypt-proxy --install"
but I received this:                           [ERROR] unable to install service
"

You must start the Command Prompt window in elevated mode (right-click and "Run as Administrator"). Non-admin command prompt windows act like for a regular user. Installing a service is strictly an administrator task.

Also, there is no "DOS" when running cmd.exe. Although it looks a bit like this, it isn't.

"So I am not sure how to proceed now."

Best is you uninstall your current DNSCrypt GUI to also clean up the registry and stuff. Then you may recreate the directory OpenDNS\DNSCrypt to store the two .exe files there. Then you run the install command from an elevated command prompt window.

If you had special settings in the old DNSCrypt GUI, you can have these also with the registry settings described in the README file.
https://github.com/opendns/dnscrypt-proxy/blob/master/README-WINDOWS.markdown

"if it is in the wrong place."  -  You got it perfectly right!

July 04, 2013 02:26
acz
Thank you rotblitz! That seemed to work fine, the installation did not generate any error message. Now, the instructions over on GitHub say "Change your DNS settings to 127.0.0.1" -- how do I do that? Meanwhile, I can start the Windows Task Manager, and under the Services tab I can see dnscrypt-proxy PID 2336 is running. Yay. I am going to reboot and see if it starts in the background automatically. But is there another way to check that it is indeed running and operating properly? Thank you for your patience!
July 06, 2013 23:40
rotblitz

You follow https://store.opendns.com/setup/computer/ but use 127.0.0.1 instead of the OpenDNS resolver addresses.

July 07, 2013 03:21
acz
Thanks again. I think I am learning some interesting stuff about the internet. I tried to test what is going on as follows: 1. I opened a CMD window as Administrator, and navigated to the DNSCrypt directory 2. typed dnscrypt-proxy.exe --install and saw this response [INFO] the dnscrypt-proxy service and been installed and started 3. Exited from the CMD window, and made sure that I could surf the web normally 4. Opened another CMD window, and typed nslookup sears.com and saw this response Server: resolver1.opendns.com Address: 208.67.222.222 Non-authoritative answer: Name: sears.com Address: 74.122.182.100 Now in this case, I assume that the OpenDNS address was supplied by my router (right?) 5. Without closing that CMD window, I went through the process at the link you provided (very carefully) and set my DNS to 127.0.0.1 6. Back in the CMD window, I again typed nslookup sears.com but this time I had a different response: 1.0.0.127.in-addr.arpa primary name server = localhost responsible mail addr = nobody.invalid serial = 1 refresh =600 retry = 1200 expire = 604800 default TTL = 10800 (root) ??? unknown type 41 ??? Server: UnKnown Address: 127.0.0.1 Non-authoritative answer: Name: sears.com Address: 74.122.182.100 So I don’t need to understand all of those items, but it seems to be working (hooray). One more question: will I have to go through that process of manually setting my Wireless Connection DNS to 127.0.0.1 each time I connect with a new WiFi network? Thank you.
July 08, 2013 02:14
acz

sorry, I don't know why all the formatting got lost in the previous message.

Thanks again. I think I am learning some interesting stuff about the internet. I tried to test what is going on as follows:

1. I opened a CMD window as Administrator, and navigated to the DNSCrypt directory

2. typed dnscrypt-proxy.exe --install and saw this response

            [INFO] the dnscrypt-proxy service and been installed and started

3. Exited from the CMD window, and made sure that I could surf the web normally

4. Opened another CMD window, and typed nslookup sears.com

and saw this response

   Server: resolver1.opendns.com
   Address: 208.67.222.222

   Non-authoritative answer:
  Name: sears.com
  Address: 74.122.182.100

Now in this case, I assume that the OpenDNS address was supplied by my router (right?)

5. Without closing that CMD window, I went through the process at the link you provided (very carefully) and set my DNS to 127.0.0.1

6. Back in the CMD window, I again typed nslookup sears.com

but this time I had a different response:

1.0.0.127.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh =600
retry = 1200
expire = 604800
default TTL = 10800

(root) ??? unknown type 41 ???
Server: UnKnown
Address: 127.0.0.1

Non-authoritative answer:

Name: sears.com Address: 74.122.182.100

So I don’t need to understand all of those items, but it seems to be working (hooray).

One more question: will I have to go through that process of manually setting my Wireless Connection DNS to 127.0.0.1 each time I connect with a new WiFi network? Thank you.

 

 

July 08, 2013 02:20
rotblitz

First of all, you did everything correctly.

"Now in this case, I assume that the OpenDNS address was supplied by my router (right?)"

Either this, or you had configured it manually. This doesn't make a difference at the end. You did not go through the DNSCrypt proxy in this case, but sent your DNS lookups to OpenDNS directly: Server: resolver1.opendns.com  -   Address: 208.67.222.222.

"but this time I had a different response"

Yes, your DNS lookups now go to Server: UnKnown  -  Address: 127.0.0.1 where the DNSCrypt proxy is listening to service /  forward your DNS lookups to OpenDNS.

Either way, the DNS lookup result is the same for sears.com: 74.122.182.100, as should be.

You can also verify that you're using DNSCrypt if you want:

nslookup -type=txt debug.opendns.com.

"will have to go through that process of manually setting my Wireless Connection DNS to 127.0.0.1 each time I connect with a new WiFi network?"

No, not if you're using the same WiFi/WLAN adapter.

Please note, this kind of OpenDNS is for networks you own, not necessarily for your devices in other networks. If the network admins (or even their ISP) want, they simply could block you from using a 3rd party DNS service like OpenDNS, so this would look like no internet connection at all. In this case you'll have to reconfigure the computer to obtain the network settings automatically. And then back to 127.0.0.1 when at home.

July 08, 2013 05:52
acz

Excellent. So using DNSCrypt in this way can prevent man-in-the-middle attacks, and will hide DNS requests from my own ISP at home. Are you saying that it may be possible to use DNSCrypt with public WiFi (airport, library, cafe) depending upon how that public router & ISP is set up?

And finally, I presume that DNSCrypt would not apply at all when using a VPN, because the DNS service that is set at the server end of the VPN would prevail.

Thank you!

July 08, 2013 12:46
rotblitz

"Are you saying that it may be possible to use DNSCrypt with public WiFi (airport, library, cafe) depending upon how that public router & ISP is set up?"

Yes, this is meant. No matter, you should not run an Updater in other networks and therefore not register someone else's IP address with your home network. You would break content filtering for your home network, and you may impact other users in the guest network with being bound to your settings.

If you need some kind of content filtering in other networks, you'll have to use the OpenDNS FamilyShield addresses, i.e. you had to change the behaviour of the DNSCrypt Proxy to forward to a FamilyShield address by amending/introducing the related registry entry. By default it forwards to 208.67.220.220, but FamilyShield would be 208.67.222.123 or 208.67.220.123.

"And finally, I presume that DNSCrypt would not apply at all when using a VPN, because the DNS service that is set at the server end of the VPN would prevail."

Yes and no. If the VPN tunnel comes with a virtual connection (i.e. an own LAN connection as tunnel entry to your active connection), kind of OpenVPN technology, you certainly can configure this to use OpenDNS, also with DNSCrypt. But again, the public IP address of this connection is not yours, so don't run an Updater to register it with your home network.

In all other VPN cases the remotely configured DNS service (at the VPN server end) is being used.

July 08, 2013 15:49
kwan2
I have a VPN running PPTP/SSTP , but have Open DNS IPs in my v4 properties, think i have disabled v6, i just upgraded to the GUI 0.0.6 and am getting 'current dns resolver: none available' ; according to what you've written above, it sounds like i should put the VPNs DNS Ip's into the v4 properties and not opendns's ? and /or how do i get the gui to work, apparently dns IS being resolved, maybe its defaulting to the VPN's, while i'm on VPN and to Open DNS when i'm not ?
July 08, 2013 22:04
rotblitz

"maybe its defaulting to the VPN's, while i'm on VPN and to Open DNS when i'm not ?"

Yes, this may well be. As I said, in all other VPN cases the remotely configured DNS service (at the VPN server end) is being used.

July 08, 2013 23:26
kwan2
so I can't use dns crypt while on vpn ?
July 09, 2013 01:45
rotblitz

Read my message from July 08, 2013 15:49 again, all answered. It depends.

July 09, 2013 09:54
kwan2

ty for your answer, rotblitz, i am seeking clarification, up to you, i've read your reply, and did not understand sir

July 09, 2013 10:42
rotblitz

Well, I would not know how to explain it easier. What you can do:

Connect to your VPN as usual, and then post the complete plain text output of the following commands here, and we can possibly see if OpenDNS can be used with this VPN:

ipconfig /all

route print

July 09, 2013 11:24
kwan2

i would if i knew how to cut and paste from a terminal   basically with ipconfig  the VPN DNS servers say 0.0.0.0 and 0.0.4.4     for  the enet adapter dns server says 127.0.0.1  and my dns suffix  is  my provider   

July 09, 2013 18:48
kwan2

this is on my desktop, when dnscrypt is up and running 0.0.6  ;  on my laptop  i am getting   can't find a dns server  with 0.0.6  whereas with 0.0.5  it was working ; funny though i don't recall putting in the 127.0.0.1  i thought  i had  opendns  ip  numbers in  ipv4   not 127.0.0.1

July 09, 2013 18:51
rotblitz

"i would if i knew how to cut and paste from a terminal"

I see, IT is not for you. Also from what you said else. :(

Right-click within the command prompt window, and select the related action from the context menu.
Or click the icon in the left upper corner to select from options.

"funny though i don't recall putting in the 127.0.0.1  i thought  i had  opendns  ip  numbers in  ipv4   not 127.0.0.1"

No matter what you have put in, the DNSCrypt with GUI changed this to 127.0.0.1, else DNSCrypt would not work.

July 10, 2013 05:00
kwan2

ROTBLITZ,   when I run  DNSCrypt  0.0.6   i get  current DNS resolver : none available  (while VPN is connected)  here is  the ipconfig /all ; 0.0.5  did NOT have this issue,  the wireless IF says 127.0.0.1  ....

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : 
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxxx.rr.com

PPP adapter VPN - 279057-SSTP:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN - 279057-SSTP
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.200.148.149(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : xxxxxxx.rr.com
Description . . . . . . . . . . . : Realtek RTL8188CE 802.11b/g/n WiFi Adapte
r
Physical Address. . . . . . . . . : 20-10-7A-
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.128(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, July 06, 2013 6:53:21 AM
Lease Expires . . . . . . . . . . : Thursday, July 11, 2013 7:56:30 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : A0-B3-CC-6B-FA-94
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{AA38D-5660-415B-A809-BFA69}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:c0c8:9495::c0(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{9923-7B1E-46BF-A703-4766389D42F5}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : :200:5efe:192.200.148.149%17(Preferr
ed)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.xxxxx.rr.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : xxxxxx.rr.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Windows\system32>route print
===========================================================================
Interface List
27...........................VPN - 279057-SSTP
12...20 10 7a 58 3e 7e ......Realtek RTL8188CE 802.11b/g/n WiFi Adapter
11...a0 b3 cc 6b fa 94 ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
28...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.128 4250
0.0.0.0 0.0.0.0 On-link 192.200.148.149 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
192.168.1.0 255.255.255.0 On-link 192.168.1.128 4506
192.168.1.128 255.255.255.255 On-link 192.168.1.128 4506
192.168.1.255 255.255.255.255 On-link 192.168.1.128 4506
192.200.144.41 255.255.255.255 192.168.1.1 192.168.1.128 4251
192.200.148.149 255.255.255.255 On-link 192.200.148.149 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.1.128 4508
224.0.0.0 240.0.0.0 On-link 192.200.148.149 26
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.1.128 4506
255.255.255.255 255.255.255.255 On-link 192.200.148.149 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
15 1030 2002::/16 On-link
15 286 2002:c0c8:9495::c0c8:9495/128
On-link
17 281 fe80::200:5efe:192.200.148.149/128
On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

C:\Windows\system32>

July 10, 2013 23:14
rotblitz

"when I run  DNSCrypt  0.0.6"

Best is to get rid of the GUI and install the dnscrypt-proxy alone as acz did above. You shouldn't have to care about the GUI.

"the wireless IF says 127.0.0.1"

It does, indeed, as should be. But when using your VPN, a virtual ethernet adapter "PPP adapter VPN - 279057-SSTP" comes up, tunneling into your wireless connection. And there you have Google DNS (8.8.8.8 and 8.8.4.4) configured. Change this to 127.0.0.1, and it will possibly work also when using the VPN.

If it still does not work, or you have no DNS at all, you will have to configure a persistent route ("route add .....") to route out your DNS lookups through the 192.168.1.1 gateway on interface 192.168.1.128 only, so that the DNS traffic doesn't go through the VPN.

July 11, 2013 00:46
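
As an added example (not part of the thread and not OpenDNS code), the check rotblitz does by eye on the pasted `ipconfig /all` output can be scripted: the Python sketch below lists connected adapters whose DNS servers are not a loopback address, so their lookups skip the local dnscrypt-proxy. The sample text and adapter names are constructed, and English-language `ipconfig` labels are assumed.

```python
import ipaddress
import re

# "Key . . . . : value" lines; the dot leader right before the colon is what
# separates them from adapter headers such as "Tunnel adapter isatap.example.net:".
KV = re.compile(r"^\s*([^:]+?)(?:\s*\.)+\s*:\s*(.*)$")
HEADER = re.compile(r"^\s*(\S.* adapter .+):\s*$")

# Constructed sample in the flattened form forum pastes usually take:
# indentation lost, second DNS server on its own line, one wrapped description.
SAMPLE = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : LAPTOP
DNS Suffix Search List. . . . . . : example.net

PPP adapter VPN - Example-SSTP:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN - Example-SSTP
IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Description . . . . . . . . . . . : Example 802.11b/g/n WiFi Adapte
r
IPv4 Address. . . . . . . . . . . : 192.168.1.128(Preferred)
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Example Ethernet Controller

Tunnel adapter isatap.example.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : example.net
"""


def _dns_value(token):
    """Return token normalised as an IP address string, or None if it is not one."""
    try:
        # Drop an IPv6 zone index such as "%1" before parsing.
        return str(ipaddress.ip_address(token.strip().split("%")[0]))
    except ValueError:
        return None


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into [{'name', 'connected', 'dns'}, ...]."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        kv = KV.match(line)
        header = None if kv else HEADER.match(line)
        if header:
            current = {"name": header.group(1), "connected": True, "dns": []}
            adapters.append(current)
            last_key = None
        elif kv and current is not None:
            last_key, value = kv.group(1).strip(), kv.group(2).strip()
            if last_key == "Media State" and "disconnected" in value.lower():
                current["connected"] = False
            elif last_key == "DNS Servers" and _dns_value(value):
                current["dns"].append(_dns_value(value))
        elif current is not None and last_key == "DNS Servers" and _dns_value(line):
            # Additional DNS servers are printed on continuation lines without a key.
            current["dns"].append(_dns_value(line))
        elif not line.strip():
            last_key = None
    return adapters


def dns_bypassing_proxy(text):
    """Map each connected adapter to its DNS servers that are not loopback.

    With dnscrypt-proxy listening on 127.0.0.1, any address listed here
    receives queries directly instead of through the proxy.
    """
    findings = {}
    for adapter in parse_ipconfig(text):
        direct = [s for s in adapter["dns"]
                  if not ipaddress.ip_address(s).is_loopback]
        if adapter["connected"] and direct:
            findings[adapter["name"]] = direct
    return findings


if __name__ == "__main__":
    for name, servers in dns_bypassing_proxy(SAMPLE).items():
        print(f"{name}: queries go straight to {', '.join(servers)}")
```
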
acz

Rotblitz, you said this:

"No matter, you should not run an Updater in other networks and therefore not register someone else's IP address with your home network."

I certainly would never wish to alter any IP other than my own.  In fact I do not even understand what you mean by "run an Updater",
could you please explain that part?

My query was based upon the idea of sitting at a cafe, connecting first to the public router at the cafe (insecure), then setting my DNS to 127.0.0.1 by the instruction you gave earlier, which should insulate me from man-in-the-middle attacks.  Finally, I should test if I can start up a commercial VPN service (even more secure).  Or is there another way?

Thanks for education on this subject.

 

July 11, 2013 00:49
rotblitz

"In fact I do not even understand what you mean by "run an Updater", could you please explain that part?"

If you don't know what is meant, you certainly didn't install this small program offered by OpenDNS, called the OpenDNS Updater. It is to keep your changing IP address information updated for your network at OpenDNS, so that your DNS lookups can be associated with your settings.

"My query was based upon the idea of sitting at a cafe, connecting first to the public router at the cafe (insecure), then setting my DNS to 127.0.0.1 by the instruction you gave earlier, which should insulate me from man-in-the-middle attacks."

Beside the fact that you set your DNS to 127.0.0.1 because of DNSCrypt already, so no need to do it again, no, it doesn't protect you from man-in-the-middle attacks, because only your DNS traffic is encrypted then, not so the rest of your traffic, e.g. non-HTTPS web traffic, which is often the majority. OpenDNS is not a proxy and not a VPN service, but a DNS service, as can be easily seen from their name. So they can deal with your DNS traffic only.

"Finally, I should test if I can start up a commercial VPN service (even more secure).  Or is there another way?"

You could of course use a VPN service to make all your traffic encrypted, not just your DNS traffic (as with DNSCrypt), if you are concerned enough about any attacks, and if you are willing to blindly trust the VPN service provider as well (because this could theoretically be and actually is a man-in-the-middle too). Whatever, with some more in-depth knowledge such efforts are often not needed. You can protect yourself easier and cheaper else.

And yes, the most secure currently known methods are VPNs and the likes, especially services like TOR and similar. However, for the most purposes HTTPS encrypted connections are sufficient unless you're a member of a secret service. ;-)

Another alternative, even easier, is to either not sit at a cafe, or to not go online when sitting at a cafe... ;-)
This is what real professionals do, really.

July 11, 2013 06:42
kwan2

i don't have a  this file  in the  dir   hostip.exe

--install here  just says   it's 'unrecognized option'   as  does  dns-proxy.exe -help 

2) i don't see how one 'uninstalls dnscrypt'  in win7,  it's not in programs list , and there is no free standing uninstaller,  Does it get 'installed' ?

 "And there you have Google DNS (8.8.8.8 and 8.8.4.4) configured. Change this to 127.0.0.1"

........hmm, i'm not sure how google dns  got into this, or where the config  is coming from , i only know to change dns  entries  in the 'properties'  of ipV4...

........is there a reason to use both dnscrypt  and the vpn ? maybe i can just use opendns  over the vpn  , and dnscrypt off the vpn  and/or how to config that way ?

July 11, 2013 11:06
rotblitz

Generally, you got the wrong order: first uninstall, then download and install. You can't install what you even haven't downloaded yet.

"i don't have a  this file  in the  dir   hostip.exe"

Yes, you didn't download it yet with the dnscrypt-proxy.

"--install here  just says   it's 'unrecognized option'   as  does  dns-proxy.exe -help "

Yes, you didn't download this either. You still have the old version.

"i don't see how one 'uninstalls dnscrypt'  in win7,  it's not in programs list , and there is no free standing uninstaller,  Does it get 'installed' ?"

Good question, I don't know either. Well you had at least to disable auto-start of the old DNSCrypt.

  1. Go into the services control panel (services.msc), and stop the OpenDNSCrypt service and set it to "Manual" or "Disabled".
  2. Then go into the Startup folder, and set the file OpenDNSCrypt.lnk to hidden.

Then you follow https://github.com/opendns/dnscrypt-proxy/blob/master/README-WINDOW...

  1. I.e. you download the latest dnscrypt-proxy.exe (and hostip.exe), win32 in a ZIP archive, e.g. from http://download.dnscrypt.org/dnscrypt-proxy/
    and extract it in e.g. the same folder where DNSCrypt resides now, thereby overwriting the existing dnscrypt-proxy.exe there.
  2. dnscrypt-proxy.exe --install
  3. If not already done, in IPv4 properties change your DNS settings to 127.0.0.1

That should be it!

"hmm, i'm not sure how google dns  got into this, or where the config  is coming from , i only know to change dns  entries  in the 'properties'  of ipV4..."

Yes, this is how any DNS resolver addresses come to this place: someone entered those in the IPv4 properties. So replace them by 127.0.0.1 now to use DNSCrypt.

"........is there a reason to use both dnscrypt  and the vpn ? maybe i can just use opendns  over the vpn  , and dnscrypt off the vpn  and/or how to config that way ?"

Well, do you have a reason to use OpenDNS and/or DNSCrypt at all? If you have a good reason to use DNSCrypt without VPN, the same good reason would apply for DNSCrypt with VPN. Why not. And if you have the dnscrypt-proxy installed, why still use pure OpenDNS without DNSCrypt? It's not any more difficult or what. It really doesn't matter if you enter 208.67.222.222 and 208.67.220.220 or just 127.0.0.1, right? The latter is even quicker. You should know what you want to achieve, not me. You asked for it.

July 11, 2013 14:12
kwan2

so did opendns  write  this  dns-proxy ?  or do you work for opendns?  or just a supporter of the  proxy ?  ; i'm a bit confused, if all the github stuff, is official opendns software?   :) 

 

it appears there is a proxy  in the opendns crypt  dir/folder,  but you're saying  that is an 'older' one ?  which does include an --install option 

 

PS those google  DNS numbers, are NOT in my ipV4 properties, i'm guessing they must be in the VPN's  , I have asked them the same question and waiting to hear back ... 

 

 

July 11, 2013 14:25
rotblitz

"so did opendns  write  this  dns-proxy ?"  -  Yes.

"or do you work for opendns?"  -  No.

"or just a supporter of the  proxy ?"  -  No, just a supporter of OpenDNS users seeking for help, being an OpenDNS user only like you.

"i'm a bit confused, if all the github stuff, is official opendns software?"  -  Yes, but everything under https://github.com/opendns only.

"it appears there is a proxy  in the opendns crypt  dir/folder,  but you're saying  that is an 'older' one ?  which does include an --install option"

This is an older version, without the --install option, as you have clearly experienced: 'unrecognized option'

"those google  DNS numbers, are NOT in my ipV4 properties, i'm guessing they must be in the VPN's"

No, they must be there, because for this interface "PPP adapter VPN - 279057-SSTP" DHCP is disabled. The only way they can come to there is that someone entered them manually.

July 11, 2013 14:58
jedisct1

dnscrypt is not a product but a protocol. And there are implementations of this protocol.

Github is a popular web site for sharing code.

I work for opendns and I wrote the protocol and a client implementing this protocol called dnscrypt-proxy.

This client is on Github, so that it's not a blackbox: everybody can review it, check that it doesn't contain an obvious backdoor, contribute, report bugs and suggest ideas. Github is a perfect place for that. There is also a server, also available on Github for the same reasons.

People wrote graphical user interfaces for the client. What they do is start dnscrypt-proxy, and change your DNS settings to 127.0.0.x when you click a button.
DNSCrypt-Winclient (also available on GitHub), DNSCrypt Win Client (GUI made by OpenDNS), GuizmoDNS (for iPhone), and the DNSCrypt OSX Client, all do the same thing. Firmwares for routers also provide web interfaces to it.

They all are just optional front-ends to start and stop dnscrypt-proxy. And all of them are configured to use OpenDNS servers by default.

These user interfaces haven't been updated for a long time, with the exception of router firmwares. Some, like DNSCrypt-Winclient, don't ship their own copy of dnscrypt-proxy, which makes it easier to update the proxy independently.

The OpenDNS user interface (both the one for Windows and the one for OSX) ship with their own copy. The OSX user interface ships with whatever was the current dnscrypt-proxy version when the user interface was built.

Version 0.0.5 of the OpenDNS user interface for Windows shipped with whatever was the current dnscrypt-proxy version at that time. And it was a long time ago, when dnscrypt-proxy was still in beta.
Version 0.0.6 of the user interface forgot to update dnscrypt-proxy itself, so it's still installing the same version as 0.0.5. This code was really only for beta testers. The interface changed to a stable one, the code has been rewritten from scratch since, and dnscrypt-proxy went out of beta 1 year ago.

dnscrypt-proxy and dnscrypt-wrapper are still constantly being updated, both for performance and security. dnscrypt.org is the place to download the current version of the client proxy.
Github is where its source code is hosted, if you want to review it.
The protocol is going to change really soon for an overdue update in order to support perfect forward secrecy and the certificate verification system is going to change in order to automatically perform key updates. If you're still running a test version from 2 years ago, you won’t be able to take advantage of this.

If you know how to change the DNS settings yourself, I'd recommend not using a user interface. All of them are still considered experimental and have known issues.
On Windows, start the proxy as a native Windows service as instructed by Rotblitz.
This is the most reliable and secure way to run it, and the easiest way to stay up to date.

July 11, 2013 17:56
jedisct1

Also, if you buy OpenDNS Umbrella, it will enable a lot of additional OpenDNS features like malware protection.

In addition, it will let you download another user interface for Mac and Windows, made by OpenDNS, which is fully supported by OpenDNS and gets frequent upgrades.

July 11, 2013 19:06
kwan2

rotblitz:  but didn't you say  this  before 

"maybe its defaulting to the VPN's, while i'm on VPN and to Open DNS when i'm not ?"

Yes, this may well be. As I said, in all other VPN cases the remotely configured DNS service (at the VPN server end) is being used

so the google DNS could be coming from the VPNs  side,  I don't see  anywhere I could change the VPN IF  DNS settings myself  in win 7  on the ethernet card v4 properties setting...

 

jedisct1: if i were to install the proxy, how would that keep me up to date, wouldn't i have to go and redownload it and install  with each update ?

originally i was just using the dnscrypt 'beta' on my laptop, once in a while at sbux, when i go there, otherwise, my understanding is for home use,  it is  not important, but  maybe  i will start using it at home if it might be ?

July 11, 2013 19:51
kwan2

i Was able to install the proxy and it started, but  when I  run    the dns lookup  i get this :

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\windows\system32>nslookup sears.com
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: sears.com.joeISP.rr.com
Address: 67.215.65.132


C:\windows\system32>

is that right ?  the Name  looks like is   attached my providers domain to it ..

July 11, 2013 20:04
jedisct1

Yes, you should append an extra "." to the domain name when using nslookup: nslookup sears.com.

If you don't, the default domain name is appended.

 

July 11, 2013 20:15
kwan2

so does it otherwise look like dns-crypt is up and running ?  

July 11, 2013 20:23
kwan2

hmm , went back in and changed the eth0 v4  to 127.0.0.1  and now get this 

C:\windows\system32>nslookup google.com.
1.0.0.127.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invali
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
(root) ??? unknown type 41 ???
Server: UnKnown
Address: 127.0.0.1

Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:4007:800::1006
74.125.224.233
74.125.224.229
74.125.224.238
74.125.224.232
74.125.224.226
74.125.224.231
74.125.224.227
74.125.224.228
74.125.224.224
74.125.224.230
74.125.224.225


C:\windows\system32>

July 11, 2013 20:33
jedisct1

Looks good!

July 11, 2013 20:34
kwan2

if i were to buy a new router and install openvpn  on it,   would the router, use the computer dns-crypt service, if i put  127.0.0.1 into the router, or would it default back to the win7 dns 127.0.0.1  if i leave the openvpn dns  blank ?

July 24, 2013 10:34
rotblitz

If you put 127.0.0.1 as DNS server into the router, you most likely do not have DNS anymore at all unless you install the dnscrypt-proxy on the router. The address 127.0.0.1 is the local loopback address, only pointing back to the same machine it is configured on.

If you have the dnscrypt-proxy installed on the computer, it works only on this computer unless you get the dnscrypt-proxy to listen on the computer's IP address, and then configure this computer's address on other devices including the router as DNS server address. Then these devices' DNS lookups will go to the computer and through the dnscrypt-proxy.

July 24, 2013 11:12
jedisct1

If your router is running an open firmware like Tomato Shibby or Advanced Tomato, you don't need to worry much about it.

In particular, you don't need to change your DNS settings. Just check the "use dnscrypt" box, and it will play well with OpenVPN. OpenDNS will be used by default, but the web interface of these router firmwares also lets you change the dnscrypt-proxy command-line if you like to use a different service.

OpenVPN can either use the server-provided name servers, or keep the default one. I don't remember if the Tomato UI lets you change that, but I can check.

If you don't need your current resolver's features, using the one provided by the VPN provider is a better choice, since it will give you faster content delivery for content served by CDNs.

July 24, 2013 11:41
halebop

frustrated

 

October 19, 2013 00:51
salonpas23

I don't have the "Parameters" folder in regedit. How?

April 18, 2014 09:55
jedisct1
April 18, 2014 10:00
salonpas23

This works for device that access internet via wi-fi, right? I use DNSCrypt to unblock websites and it worked perfectly. It's still working on my computer, but not anymore on my cellphone. It worked before, just suddenly blocked again. What should I do?

April 19, 2014 05:22
rotblitz

"This works for device that access internet via wi-fi, right?"

No, it doesn't matter how your device is connected.

"It's still working on my computer, but not anymore on my cellphone."

It may no longer be installed on your smartphone.  So reinstall it again.

April 19, 2014 12:31