Monday, March 19, 2012

How To: Set Up Encrypted DNS on Windows via OpenDNS's New Encrypted DNS Service (dnscrypt)

OpenDNS has been working on a new encrypted DNS service for the past 6 months or so. They've kept fairly quiet about it, though it has been mentioned on Slashdot and elsewhere. At first there were only OS X, BSD, and Linux clients available. However, a Windows client is now available for download at their GitHub repository [direct link to Win32 binary is here - you do NOT need to sign up for their beta program, or register with OpenDNS first]. I am not sure if it is considered 'final' or not. I just noticed it was there, tried it out - and it works ;).

Why encrypt my DNS queries?

Even if you use HTTPS on every site you visit, your DNS queries are painfully obvious to anyone. Whether it is your ISP, or a local sniffer, if you want privacy, your DNS queries are a glaring hole in it. In some cases, encrypted DNS queries may get you around site blockers/firewalls too (though not all cases).

How do I set it up?
First download the Windows client. I actually had a false positive when I downloaded it, so if you see such with Microsoft Security Essentials, then ignore it - I'm sure it will be fixed soon. OR, pay attention to it. This is all at your own risk, though I'm sure nothing dangerous is coming from OpenDNS's GitHub repository ;).

Once you download it, you'll see it is a single 32-bit EXE, though it will work fine on Windows x64. I've tested it on Windows 7 x64.

Extract it somewhere. Now, you'll want to set it to start at boot, or even run as a service. There are numerous tools to run normal applications as a service, and numerous ways to start it on boot, so I'll let the reader work on that. You can start it manually if you prefer.

Once started, it sets up a local proxy server that will resolve DNS queries for you, through an encrypted connection to the OpenDNS server closest to you.

So, the next step is to *change* your DNS configuration to point to your local PC, since it now has a DNS server running on it (127.0.0.1 in IPv4, or ::1 in IPv6). Since Windows is dual-stack, you *must* remember to change the IPv6 DNS configuration as well, to the local loopback (::1).

Go to your Network Connections, right click the Local Area Connection (or whichever you are using), and select 'Properties'. You'll see something like this:



Go to the IPv4 configuration by double clicking it and set it up like so:


Then go back and check the IPv6 configuration by double clicking it. Set it up to your preference. Notice how I also set IPv6 up to the local loopback (::1 in shorthand notation). The point is you want ALL resolution to go back to your local address, as that's the DNS server you want to use (the one running in the EXE).


After that, it should work. You'll want to test. To test, first SHUT DOWN the OpenDNS dnscrypt process (dnscrypt-proxy.exe). Clear your DNS cache by running 'ipconfig /flushdns'. The idea is to make sure that you can now NOT resolve DNS queries. Doing an 'inverse test' is superior to doing a 'working test' because it ensures there is no unencrypted (standard) DNS resolution available.

Now see if some domain you've not visited anytime recently *fails* to resolve by trying a ping, or just visiting their web site. If it fails, then all is good! If it *succeeds* then you still have plaintext DNS queries being resolved and will need to double check your configuration.

Restart the dnscrypt process, and everything should now WORK. If it does, you're good!

To be triple sure, try the OpenDNS test URL: http://www.opendns.com/welcome/ . If you are using OpenDNS, it will tell you that you are. If you aren't, then it will tell you that you aren't. If you were using OpenDNS before, then this last test is not valid.
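
A configuration check to go with the inverse test above, as an added example that is not part of the original post: it parses `ipconfig /all` output and lists every adapter that still has a DNS server other than the loopback address, for IPv4 and IPv6 alike. It goes beyond the single adapter in the walkthrough by checking all of them; the sample output is constructed and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output (not from a real host): the
# wireless adapter still lists a router, so plaintext DNS can leave through it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(ipconfig_text):
    """Map each section header of `ipconfig /all` to its DNS server list."""
    adapters, current, in_dns = {}, None, False
    for line in filter(str.strip, ipconfig_text.splitlines()):
        if not line[0].isspace():  # unindented line = section header
            current, in_dns = line.strip().rstrip(":"), False
            adapters.setdefault(current, [])
        elif ". :" in line:  # "Key . . . : value"
            key, value = line.split(". :", 1)
            in_dns = key.strip(" .") == "DNS Servers"
            if in_dns and value.strip():
                adapters.setdefault(current, []).append(value.strip())
        elif in_dns:  # indented, no key: one more server for this adapter
            adapters[current].append(line.strip())
    return adapters

def non_loopback_dns(adapters):
    """Return {adapter: [servers]} for servers outside 127.0.0.0/8 and ::1."""
    leaks = {}
    for name, servers in adapters.items():
        # Drop an IPv6 zone suffix such as "%11" before parsing the address.
        bad = [s for s in servers
               if not ipaddress.ip_address(s.split("%")[0]).is_loopback]
        if bad:
            leaks[name] = bad
    return leaks

if __name__ == "__main__":  # on a real machine, parse real `ipconfig /all` output
    leaks = non_loopback_dns(dns_servers_by_adapter(SAMPLE_IPCONFIG))
    for name, bad in leaks.items():
        print(f"{name}: non-loopback DNS {', '.join(bad)}")
```

An empty result means every listed adapter resolves only through the local proxy; any entry is a path plaintext queries can still take.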

Setting up dnscrypt-proxy.exe to run Automatically as a Windows Service

I *strongly* recommend setting this dnscrypt-proxy.exe process to start automatically as a Windows Service. This is necessary so that a user need not log in for your DNS resolution to work. I used to distribute a utility that allowed this, MakeService, though later removed it after it was abused by malware authors. Still, there are plenty of freeware utilities that will allow you to set this up. If you can't find one you like, I can provide my old freeware utility. I've restored MakeService, but another (perhaps better) option is ServiceEx, also freeware and command line based.

With MakeService, the commands would be simple. Extract all into a folder, e.g. c:\edns\. That means, MakeService, and dnscrypt-proxy.exe. Then drop to the command prompt (cmd.exe) and run:

    cd\edns
    MakeService c:\edns\dnscrypt-proxy.exe /Name:dnscrypt /DisplayName:dnscrypt

More advanced setups
Of course, you will likely want ALL your network's DNS queries to be encrypted. You can do this a number of ways, including installing the client on your router, if using a router with an 'open' firmware. However, you can also simply set your router's DNS settings to point to the LAN address of the PC you just set up (or one that is always booted). That will cause all DNS queries to redirect back to this little server. Be sure to poke a hole through any firewall on that PC, to allow DNS query requests to get to it - but only LOCAL queries, don't let anyone from the Internet use you as a DNS resolver ;).

This proxy server dnscrypt client is available for almost every platform you can think of at this point, with more being added all the time. There is even one for iOS.

A final note
This does not mean people won't be able to see what IP addresses you access, or other potential information in your internet requests. However, this is one less thing they'll see. For increased security, so that nobody sees much of anything, look into an SSH tunnel. This requires a bit more advanced skills to set up, but it is still pretty darn easy. All a sniffer would see is a connection to the tunnel's server, with a bunch of encrypted traffic.

UPDATE: OpenDNS did issue a call for Beta Testers on Mar. 13 2012, http://blog.opendns.com/2012/03/13/call-for-beta-testers-dnscrypt-for-windows/


8 comments:

  1. Nice article, I had been wondering if IPv6 was worth setting or disabling.
    I've been eagerly waiting to give dnscrypt a try on Windows for some time.
    For a while I've been using my own CentOS based VPN server with a reverse lookup rule in iptables that only allows me to connect from an address that has been updated to my IP at that time (DynDNS updater). But, I did want to put dnscrypt in place just in case the connectivity during travel wasn't fast enough or stable enough for VPN. To make dnscrypt run as a service I used FireDaemon.

  2. Thanks for the tip on FireDaemon. I knew there were lots of other freeware utilities out there for this. It is an easy chore, programmatically. My little util (aptly named MakeService) never had a GUI anyway.

    I intend to soon add dnscrypt-proxy to a third-party firmware (OpenWRT) on an older router. This router will serve as an encrypted DNS server for my network. I imagine this work will be useful to many people once completed. Of course, ANY always-on PC could do the same, though perhaps leave a lot larger power footprint ;).

  3. Users should note FireDaemon is NOT freeware, actually a bit expensive. There are freeware alternatives.

  4. Sadly, it appears many may have suffered the fate of my old MakeService - abused by malware authors and so removed to deter false positives ;o. However, here is ServiceEx - http://serviceex.com/ . It is freeware, though not that intuitive to use maybe. It is command line only, and uses an INI configuration for the service.

  5. I put MakeService back online, but it is command line only, so perhaps for experts only. The procedure would be simple though:

    1. Get and Extract MakeService, see http://bitsum.com/other.php#makeservice
    2. Extract dnscrypt-proxy.exe AND MakeService to a folder, e.g. c:\edns
    3. Run something like:
    cmd.exe
    cd\edns
    MakeService c:\edns\dnscrypt-proxy.exe /Name:dnscrypt-proxy /Displayname:dnscrypt-proxy
    4. Do NOT delete this folder, or any files in it, else the service will cease to function.

    The dnscrypt-proxy.exe service will then be created, started, and set to auto-start on boot.

    Replies
    1. reply (having a reply fixes formatting of previous post)

  6. downloading not working:
    We're sorry, this page could not be located. The page may have been moved or may simply be temporarily unavailable. Try again in a few minutes and/or try searching for it at Bitsum Technologies .

    Requested URL: /files/temp/_dyn_makeservice_64_326096346.zip
    Client IP: 91.51.128.92
    Referring URL: /files/temp/_dyn_makeservice_64_326096346.zip
    Server Name: pecompact.com
    Visitor Browser: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
    Redirect Status Code: 404

  7. Fixed, sorry for the trouble. I made some domain changes the other day that broke this script. The download should now work fine.
