Installation Windows
Note: these instructions are for users familiar with the command line.
An alternative way to use dnscrypt-proxy on Windows is via Simple DNSCrypt or YogaDNS (not open source).
Launch PowerShell with elevated privileges. cmd is similar.
Download dnscrypt-proxy here: dnscrypt-proxy binaries.
There are quite a few files here, but dnscrypt-proxy-win64-*.zip is the one you want.
So, download this file and extract it wherever you want. It can be in your home directory, or wherever you want, really.
For example: D:\dnscrypt-proxy.
It is totally possible to have the executable file in one place, the configuration file in another place, the cache files elsewhere and the log files yet somewhere else. But if this is the first time you install the software, and you don't have any good reasons to make things more complicated than they should be, just keep everything in the same directory. At least to start with, and to ensure that everything works as expected. Then, go crazy if you like. But please don't change everything before even starting the proxy once, and then complain that "it doesn't work". Start with something boring, and gradually tweak it. If you really need to.
Also, do not change your DNS settings at this point.
In the terminal, go to the directory you just extracted using the cd command, i.e. something like:
cd D:\dnscrypt-proxy
For cmd, use:
cd /d D:\dnscrypt-proxy
The dir command should print a bunch of files, among which dnscrypt-proxy.exe and example-dnscrypt-proxy.toml.
Create a configuration file based on the example one:
copy example-dnscrypt-proxy.toml dnscrypt-proxy.toml
And now, for something intense, run:
.\dnscrypt-proxy
Does it look like it started properly? If not, try to find out why. Here are some hints:
- dnscrypt-proxy.toml: no such file or directory: copy the example configuration file as dnscrypt-proxy.toml as documented above.
- listen udp 127.0.0.1:53: bind: permission denied: you are not using an elevated PowerShell (see step 1).
- listen udp 127.0.0.1:53: bind: address already in use: something is already listening to the DNS port. Maybe something else, maybe a previous instance of dnscrypt-proxy that you didn't stop before starting a new one.
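The three hints above can be checked in one pass before retrying. The following PowerShell is an added example, not part of the dnscrypt-proxy project; the function name Test-DnscryptPrereqs is made up for this sketch, and it assumes the current directory is the one where the archive was extracted.

```powershell
# Added example (not from the dnscrypt-proxy project).
# Test-DnscryptPrereqs is a hypothetical helper name.
function Test-DnscryptPrereqs {
    param([int]$Port = 53, [string]$Config = '.\dnscrypt-proxy.toml')

    # Hint 1: the configuration file must exist.
    $configPresent = Test-Path -Path $Config -PathType Leaf

    # Hint 2: "permission denied" on port 53 means the shell is not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Hint 3: "address already in use" means another process owns the port.
    $listeners = @()
    $listeners += @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, OwningProcess)
    $listeners += @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, OwningProcess)

    # Resolve each owning PID to a process name and executable path.
    $owners = foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $l.Protocol
            LocalAddress = $l.LocalAddress
            ProcessId    = $l.OwningProcess
            ProcessName  = $proc.ProcessName
            Path         = $proc.Path
        }
    }

    [pscustomobject]@{
        ConfigPresent = $configPresent
        Elevated      = $elevated
        PortOwners    = @($owners)
    }
}

$result = Test-DnscryptPrereqs
$result | Format-List ConfigPresent, Elevated
$result.PortOwners | Format-Table -AutoSize
```

An empty PortOwners table with ConfigPresent and Elevated both True means none of the three conditions applies. A dnscrypt-proxy entry in the table is a previous instance that was not stopped.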
No errors? Amazing!
If dnscrypt-proxy is running, hit Control and C in the terminal window to stop it. And then to launch the server in an extra window, run:
start dnscrypt-proxy
Switch to your previous terminal window. Let's check that everything works by sending a first query using dnscrypt-proxy:
.\dnscrypt-proxy -resolve example.com
Looks like it was successfully able to resolve example.com? Sweet!
It's time to change your system DNS settings.
Open the network settings, and in the TCP/IP panel, if DNS is set to automatic, change it to manual; if it is already manual, remove all existing DNS IP addresses (back them up first), and then set it to 127.0.0.1.
Try a few more things: web browsing, file downloads, use your system normally and see if you can still connect without any DNS-related issues.
If anything ever goes wrong, you can revert the settings (with the backup).
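The same change, with the backup and the revert path, can be scripted from the elevated PowerShell session. This is an added example, not part of the dnscrypt-proxy project; the backup file name and the three function names are assumptions made for this sketch, and it handles IPv4 resolvers only, since the step above sets 127.0.0.1.

```powershell
# Added example (not from the dnscrypt-proxy project); run elevated.
# The backup file name and function names are hypothetical.
$BackupFile = Join-Path (Get-Location) 'dns-servers-backup.json'

function Backup-DnsServers {
    # Save the IPv4 resolvers of every interface that has some configured.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, InterfaceIndex, ServerAddresses |
        ConvertTo-Json -Depth 3 |
        Set-Content -Path $BackupFile -Encoding UTF8
}

function Set-LocalResolver {
    # Point every connected adapter at dnscrypt-proxy on 127.0.0.1.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses '127.0.0.1'
    }
    # List what each interface uses now, IPv6 included, to spot leftover resolvers.
    Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize
}

function Restore-DnsServers {
    param([switch]$Automatic)
    foreach ($entry in (Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)) {
        if ($Automatic) {
            # The adapter was on automatic (DHCP-assigned) DNS before the change.
            Set-DnsClientServerAddress -InterfaceIndex $entry.InterfaceIndex -ResetServerAddresses
        } else {
            # The adapter had manually entered servers: put them back.
            Set-DnsClientServerAddress -InterfaceIndex $entry.InterfaceIndex `
                -ServerAddresses $entry.ServerAddresses
        }
    }
}

Backup-DnsServers
Set-LocalResolver
# To revert later:
#   Restore-DnsServers             (settings were manual)
#   Restore-DnsServers -Automatic  (settings were automatic)
```

Any interface that still lists a resolver other than 127.0.0.1 in the table printed by Set-LocalResolver can send queries outside the proxy.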
The dnscrypt-proxy.toml file has plenty of options you can tweak. Tweak them if you like. But tweak them one by one, so that if you ever screw up, you will know what exact change made this happen.
The message bare keys cannot contain '\n' typically means that there is a syntax error in the configuration file.
Hit Control and C in the dnscrypt-proxy terminal window when you need to stop/restart it, type start dnscrypt-proxy to start the server, and test. Tweak, restart, test, tweak, restart, test until you are satisfied.
Are you satisfied? Good, let's jump to step 5!
Hit Control and C in the dnscrypt-proxy terminal window to stop the proxy.
Now, register this as a system service (still with elevated privileges):
.\dnscrypt-proxy -service install
If it doesn't spit out any errors, this is great! Your edition of Windows is compatible with the built-in installer.
Now that it's installed, it can be started:
.\dnscrypt-proxy -service start
Done!
If it does spit out errors, additional steps for your edition of Windows are required. Stay calm, do not drink coffee but hit the gym instead, then look for specific instructions.
Want to stop the service?
.\dnscrypt-proxy -service stop
Want to restart the currently running service after a configuration file change?
.\dnscrypt-proxy -service restart
Want to uninstall the service?
.\dnscrypt-proxy -service uninstall
Want to check that DNS resolution works?
.\dnscrypt-proxy -resolve example.com
Want to completely delete that thing?
.\dnscrypt-proxy -service uninstall
Then delete the directory. Done.
It's totally fine.
For advanced users, the command-line interface gives you a lot of real-time information. Combined with other utilities, you can minimize the CMD window to the system tray. Recommendations:
Ref: A software that puts any application to the system tray
For normal users, you can run the proxy in totally hidden mode, using 3rd party launchers or scripts. For example, save the following code as dnscrypt-proxy.bat beside dnscrypt-proxy.exe, and then run it.
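@echo off
rem Delayed expansion is needed for the argv substitutions below.
setlocal EnableDelayedExpansion
rem Use the command line passed to this script, if any.
set argv=%*
rem With no arguments, launch the .exe that shares this script's path and base name.
if "%~1"=="" (
  set argv=%~dpn0.exe
)
rem Escape backslashes and spaces so the command survives inside the javascript URL.
set argv=!argv:\=\\\\!
set argv=!argv: =%%20!
rem Window style 0 makes WScript.Shell.Run start the program with a hidden window.
mshta javascript:new%%20ActiveXObject('Wscript\.Shell').Run('!argv!',0);close()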
In the system preferences, the system can be configured with a secondary resolver (such as your ISP's or a public one like 9.9.9.9) in addition to the primary one (127.0.0.1, aka dnscrypt-proxy).
Windows applications will generally always try the primary server (thus, dnscrypt-proxy) first, and only retry with the secondary when the primary is not responsive.
Configuring a backup server can be useful to keep the DNS service up and running during temporary outages of servers configured in the proxy. The obvious downside is that queries sent to the backup server will not be encrypted/authenticated.
In order to install a new version, stop the service, replace the executable file (dnscrypt-proxy) with the new version, and start the service again.
Prior to this, taking a look at the release notes for possible breaking changes is a good idea. However, breaking changes are exceptional.
If you are having problems with Windows showing your network as offline while using dnscrypt-proxy, it may be due to a failing Windows Network Connectivity Status Indicator (NCSI) check. This can manifest as a yellow task bar icon or a tooltip indicating no or limited network connectivity.
On Windows 10 build 1709 or later, you can configure the check to do its DNS lookup on the interface where dnscrypt-proxy is running by enabling the Specify Global DNS policy inside Local Group Policy (run gpedit.msc). The setting can be found under Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator.
If you do not have the group policy editor available on your Windows version, you can also enable the policy in the registry by running the following command as administrator:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
A reboot is required for the setting to take effect.
There are several other more detailed settings available to disable or modify the NCSI check. These can further increase your privacy and improve startup speed. Please read the Network Connectivity Status Indicator (NCSI) page for more information.
In some cases, if you want to run dnscrypt-proxy as a non-root user, you'll get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied".
To solve this problem, you can run the following command to allow dnscrypt-proxy to bind to a low-numbered port:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)