Bypass ISP's 3rd-party DNS service (e.g., with DNSCrypt)




    It seems you didn't understand the concept of a proxy.

    The proxy listens on an IP address on your local machine for DNS queries on port 53 and forwards them, encrypted, to the DNS service of your choice (e.g. OpenDNS).  As you also want your router to go this path, this listener address cannot be the localhost IP address ( but must be the IP address of your computer (  Also, your local DNS server address must be, so that DNS queries reach the listener of the dnscrypt-proxy.

    That said...

    • Set preferred DNS server in router as local machine internal IP (
    • Set preferred DNS server under local machine TCP/IPv4 properties to router (

    This would cause a loopback between the router and the local machine, with your DNS queries going nowhere... 
    As said, you'll also set the local machine to as DNS server, where the dnscrypt-proxy is listening.
    • I'd then see: [NOTICE] Proxying from to

    Sure, you will see this.  If you want to use OpenDNS, you must not select "" [], but "opendns" [], of course.  What else?

    • Ran the following in cmd as admin: dnscrypt-proxy.exe --resolvers-list="C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address= --install

    What is this good for?  Did you just want to install dnscrypt-proxy as a service?  Then the command is just: 
    dnscrypt-proxy.exe -R "name" -L "<full path to the dnscrypt-resolvers.csv file>" --install

    • Verified setting at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress as

    Yes, as I said, this is wrong.  Must be  The dnscrypt-proxy cannot listen on the router, just on the machine where it's installed.  And is not on the local machine, but on the router.

    • Ran the following in cmd as admin: ipconfig /flushdns 
    • Cleared browser DNS cache and restarted

    These are useless activities in this context.  Where did you find the related instructions?

    • Deselected Block internal IP addresses under my network's security settings at

    This is an irrelevant activity in this context.

    (No dice: "Oops. You're not using OpenDNS yet.")

    nslookup -port=443 -type=txt
    .. times out.

    You know now why this is... 
    And you forgot the trailing dot after the domain name.
    And sending to port 443 makes no sense in this context.  Your local machine and your router send everything DNS related to port 53. 

    After you have set up dnscrypt-proxy correctly, you can verify it by using this command: 
    nslookup -type=txt


    • Verified preferred DNS server setting in router as local machine internal IP (
    • Changed preferred DNS server under local machine TCP/IPv4 properties to proxy service at local machine (
    • Ran dnscrypt-proxy.exe --uninstall
    • Ran dnscrypt-proxy.exe -R opendns -L "C:\Program Files\DNSCrypt\bin\dnscrypt-resolvers.csv" --local-address= --install
    • Ran nslookup -type=txt
        text = "dnscrypt enabled ... "
        Success! OpenDNS Updater and indicate OpenDNS enabled.

    Uninstalling and reinstalling the service as indicated corrected the registry value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters\LocalAddress to Prior to that, with manual adjustment of registry without restarting the service, I had been getting:

        [NOTICE] Proxying from to
        [WARNING] recvfrom<client>: [Connection reset by peer [WSAECONNRESET ]]

    An aside for user reference, how to copy/paste in cmd:

    This issue is now fixed.
    Sincere thanks for taking the time to correct my mistakes and for sharing your expertise, rotblitz.

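The verification both posts above rely on is a plain TXT lookup against the resolver the machine is actually using: if the query reaches OpenDNS through dnscrypt-proxy, the TXT answer starts with "dnscrypt enabled". The following is an added example, not code from the thread or from the dnscrypt-proxy project. It builds the same query that `nslookup -type=txt` sends on UDP/53, parses the TXT answer from the wire format, and checks the text. Because the diagnostic domain name does not survive in the thread, `CHECK_NAME` is a placeholder, and `build_sample_response` fabricates a constructed reply so the parser can be exercised offline; `send_txt_query` is the live variant you would point at the proxy's listener address.

```python
import socket
import struct

# Placeholder: the diagnostic hostname queried in the thread is elided there.
CHECK_NAME = "dnscrypt-check.example.invalid."
TXT_TYPE, IN_CLASS = 16, 1


def build_txt_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a standard recursive DNS query for TXT records of `name`."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", TXT_TYPE, IN_CLASS)


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(data: bytes) -> list:
    """Return every character-string found in TXT answers of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype != TXT_TYPE:
            continue
        i = 0
        while i < len(rdata):  # TXT RDATA is a sequence of <len><bytes> strings
            n = rdata[i]
            texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return texts


def dnscrypt_enabled(texts) -> bool:
    """True when the resolver reports the session as DNSCrypt-protected."""
    return any(t.lower().startswith("dnscrypt enabled") for t in texts)


def build_sample_response(query: bytes, txt_strings) -> bytes:
    """Constructed reply (not real OpenDNS output) matching `query`, for offline testing."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(txt_strings), 0, 0)
    question = query[12:]
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")
        # 0xC00C points back at the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TXT_TYPE, IN_CLASS, 0, len(rdata)) + rdata
    return header + question + answers


def send_txt_query(resolver_ip: str, name: str = CHECK_NAME, timeout: float = 3.0) -> list:
    """Live check: ask the resolver on UDP/53 (e.g. the dnscrypt-proxy listener)."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_answers(data)


if __name__ == "__main__":
    q = build_txt_query(CHECK_NAME)
    sample = build_sample_response(q, ["dnscrypt enabled (constructed sample)"])
    print(parse_txt_answers(sample), dnscrypt_enabled(parse_txt_answers(sample)))
```

Pointing `send_txt_query` at the proxy's listener address exercises the same path the router uses; pointing it at an external resolver directly should not report "dnscrypt enabled", which is a quick way to tell whether the machine's DNS setting or the router's setting is the one that is wrong.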

    Excellent!  Thanks for the feedback.


    Thank you very much to @500 and @rotblitz for this tutorial. You're fantastic!
