Why encrypt my DNS queries?
Even if you use HTTPS on every site you visit, your DNS queries still travel in plaintext, so anyone between you and the resolver (your ISP, or a sniffer on the local network) can see every hostname you look up. If you want privacy, that is a glaring hole in it. In some cases, encrypted DNS queries may also get you around site blockers or firewalls that rely on DNS (though not in all cases).
How do I set it up?
First download the Windows client. I actually had a false positive when I downloaded it, so if you see such with Microsoft Security Essentials, then ignore it - I'm sure it will be fixed soon. OR, pay attention to it. This is all at your own risk, though I'm sure nothing dangerous is coming from OpenDNS's GitHub repository ;).
Once you download it, you'll see it is a single 32-bit EXE, though it will work fine on Windows x64. I've tested it on Windows 7 x64.
Extract it somewhere. Now, you'll want to set it to start at boot, or even run as a service. There are numerous tools to run normal applications as a service, and numerous ways to start it on boot, so I'll let the reader work on that. You can start it manually if you prefer.
Once started, it sets up a local proxy server that will resolve DNS queries for you, through an encrypted connection to the OpenDNS server closest to you.
So, the next step is to *change* your DNS configuration to point to your local PC, since it now has a DNS server running on it (127.0.0.1 in IPv4, or ::1 in IPv6). Since Windows is dual-stack, you *must* remember to change the IPv6 DNS configuration as well, to the local loopback (::1).
Go to your Network Connections, right click the Local Area Connection (or whichever you are using), and select 'Properties'. You'll see something like this:
Go to the IPv4 configuration by double clicking it and set it up like so:
Then go back and check the IPv6 configuration by double clicking it. Set it up to your preference. Notice how I also set IPv6 up to the local loopback (::1 in shorthand notation). The point is you want ALL resolution to go back to your local address, as that's the DNS server you want to use (the one running in the EXE).
After that, it should work. You'll want to test. To test, first SHUT DOWN the OpenDNS dnscrypt process (dnscrypt-proxy.exe). Clear your DNS cache by running 'ipconfig /flushdns'. The idea is to make sure that you can now NOT resolve DNS queries. Doing an 'inverse test' is superior to doing a 'working test' because it ensures there is no unencrypted (standard) DNS resolution path still available.
Now see if some domain you've not visited anytime recently *fails* to resolve by trying a ping, or just visiting their web site. If it fails, then all is good! If it *succeeds* then you still have plaintext DNS queries being resolved and will need to double check your configuration.
Restart the dnscrypt process, and everything should now WORK. If it does, you're good!
To be triple sure, try the OpenDNS test URL: http://www.opendns.com/welcome/ . If you are using OpenDNS, it will tell you that you are. If you aren't, then it will tell you that you aren't. If you were using OpenDNS before, then this last test is not valid.
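The configuration and test steps above, as one added PowerShell script that is not part of the original post or of OpenDNS's client. It points both the IPv4 and IPv6 DNS settings of an adapter at the local proxy, then runs the inverse test (proxy stopped, cache flushed, resolution must fail) followed by the working test (proxy started, resolution must succeed). Assumptions: the adapter is named 'Local Area Connection', the proxy was installed as a service named 'dnscrypt' (or is simply running as dnscrypt-proxy.exe from c:\edns\), and the test hostname is a placeholder you replace with a domain you have not visited recently and that is not in your hosts file.

```powershell
# Added example (not from the original post): point the Windows resolver at the
# local dnscrypt-proxy on BOTH stacks, then run the post's inverse and working tests.
# Assumptions: adapter name, service name "dnscrypt", install path c:\edns\, and a
# placeholder test host are all yours to change.
param(
    [string]$Adapter  = 'Local Area Connection',
    [string]$TestHost = 'example.com',   # placeholder: use a host not in your cache or hosts file
    [string]$Service  = 'dnscrypt',      # service name used in the post's MakeService command
    [string]$ProxyExe = 'C:\edns\dnscrypt-proxy.exe'   # assumed install path from the post
)

# 1. Send ALL resolution to the local proxy: IPv4 loopback and IPv6 loopback.
#    Forgetting the IPv6 side leaves a plaintext path open, which is the post's key point.
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=127.0.0.1 validate=no
netsh interface ipv6 set dnsservers name="$Adapter" source=static address=::1 validate=no

function Test-Resolves([string]$Name) {
    # $true if the OS resolver (the one the proxy now fronts) can resolve $Name.
    try { [void][System.Net.Dns]::GetHostAddresses($Name); return $true }
    catch { return $false }
}

function Stop-Proxy {
    if (Get-Service $Service -ErrorAction SilentlyContinue) { Stop-Service $Service }
    else { Stop-Process -Name 'dnscrypt-proxy' -ErrorAction SilentlyContinue }
}

function Start-Proxy {
    if (Get-Service $Service -ErrorAction SilentlyContinue) { Start-Service $Service }
    else { Start-Process $ProxyExe }
}

# 2. Inverse test: with the proxy down and the cache flushed, nothing may resolve.
Stop-Proxy
Start-Sleep -Seconds 2
ipconfig /flushdns | Out-Null
if (Test-Resolves $TestHost) {
    Write-Warning "FAIL: $TestHost resolved with the proxy stopped - a plaintext DNS path is still in use."
} else {
    Write-Host "OK: nothing resolves without the proxy, so there is no plaintext fallback."
}

# 3. Working test: bring the proxy back; resolution should now succeed through it.
Start-Proxy
Start-Sleep -Seconds 2
ipconfig /flushdns | Out-Null
if (Test-Resolves $TestHost) {
    Write-Host "OK: $TestHost resolves through dnscrypt-proxy."
} else {
    Write-Warning "FAIL: $TestHost does not resolve with the proxy running - check it is listening on 127.0.0.1 and ::1."
}
```

Run it from an elevated PowerShell prompt, since changing DNS servers and stopping a service both need administrator rights. The netsh form is used rather than the newer Set-DnsClientServerAddress cmdlet because netsh is present on Windows 7, which is the version the post was tested on.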
Setting up dnscrypt-proxy.exe to run Automatically as a Windows Service
I *strongly* recommend setting this dnscrypt-proxy.exe process to start automatically as a Windows Service. This is necessary so that a user need not log in for your DNS resolution to work. I used to distribute a utility that allowed this, MakeService, though later removed it after it was abused by malware authors. Still, there are plenty of freeware utilities that will allow you to set this up. If you can't find one you like, I can provide my old freeware utility. I've restored MakeService, but another (perhaps better) option is ServiceEx, also freeware and command line based.
With MakeService, the commands would be simple. Extract everything into a folder, e.g. c:\edns\. That means both MakeService and dnscrypt-proxy.exe. Then drop to the command prompt (cmd.exe) and run:
cd\edns
MakeService c:\edns\dnscrypt-proxy.exe /Name:dnscrypt /DisplayName:dnscrypt
More advanced setups
Of course, you will likely want ALL your network's DNS queries to be encrypted. You can do this a number of ways, including installing the client on your router, if using a router with an 'open' firmware. However, you can also simply set your router's DNS settings to point to the LAN address of the PC you just set up (or one that is always booted). That will cause all DNS queries to redirect back to this little server. Be sure to poke a hole through any firewall on that PC, to allow DNS query requests to get to it - but only LOCAL queries, don't let anyone from the Internet use you as a DNS resolver ;).
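The "poke a hole, but only for LOCAL queries" step above, as an added example that is not from the original post. It uses the Windows Firewall (netsh advfirewall, available on Windows 7) to allow inbound DNS on port 53 only from the LAN range, and relies on the default inbound deny for everything else, so nobody on the Internet can use the PC as an open resolver. Assumptions: the LAN is 192.168.1.0/24 (a placeholder to replace with your own range), the proxy listens on port 53, and it has been configured to listen on the PC's LAN address as well as loopback, which the router-forwarding setup in the post requires.

```powershell
# Added example (not from the original post): let LAN clients reach the local
# dnscrypt-proxy on port 53, but nobody else. Placeholder LAN range; change to yours.
param([string]$Lan = '192.168.1.0/24')

# Windows Firewall evaluates block rules before allow rules, so do NOT add a
# "block from any" rule on port 53 (it would also block the LAN). Instead make sure
# the default inbound policy is deny and add an allow rule scoped to the LAN only.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

foreach ($proto in 'UDP', 'TCP') {
    # DNS uses UDP normally and falls back to TCP for large responses, so allow both.
    # Private and domain profiles only: a public (untrusted) network gets no rule at all.
    netsh advfirewall firewall add rule name="dnscrypt-proxy: DNS from LAN ($proto)" `
        dir=in action=allow protocol=$proto localport=53 remoteip=$Lan profile=private,domain
}

# Show the resulting rules and what is actually listening on port 53. If the only
# listener is 127.0.0.1:53, the router-forwarded queries from the LAN will never
# reach the proxy; it must also be bound to the LAN address.
netsh advfirewall firewall show rule name=all | Select-String 'dnscrypt-proxy'
netstat -an | Select-String ':53 '
```

Run from an elevated prompt. The rules are scoped to the private and domain profiles on purpose: if the PC is ever connected to a public network, the firewall profile changes and the port-53 allow rule simply stops applying.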
This dnscrypt proxy client is available for almost every platform you can think of at this point, with more being added all the time. There is even one for iOS.
A final note
This does not mean people won't be able to see what IP addresses you access, or other potential information in your internet requests. However, this is one less thing they'll see. For increased security, so that nobody sees much of anything, look into an SSH tunnel. This requires somewhat more advanced skills to set up, but it's still pretty darn easy. All a sniffer would see is a connection to the tunnel's server, with a bunch of encrypted traffic.
UPDATE: OpenDNS did issue a call for Beta Testers on Mar. 13 2012, http://blog.opendns.com/2012/03/13/call-for-beta-testers-dnscrypt-for-windows/