-
Notifications
You must be signed in to change notification settings - Fork 992
Installation Windows
Note: these instructions are for users familiar with the command line.
An alternative to use dnscrypt-proxy on Windows is via Simple DNSCrypt or YogaDNS (not opensource) instead.
Launch PowerShell with elevated privileges. cmd is similar.
Download dnscrypt-proxy here: dnscrypt-proxy binaries.
There are quite a few files here, but dnscrypt-proxy-win64-*.zip is the one you want.
So, download this file and extract it wherever you want. In can be in your home directory, or wherever you want, really.
For example: D:\dnscrypt-proxy.
It is totally possible to have the executable file in one place, the configuration file in another place, the cache files elsewhere and the log files yet somewhere else. But if this is the first time you install the software, and you don't have any good reasons to makes things more complicated than they should be, just keep everything in the same directory. At least to start with, and to ensure that everything works as expected. Then, go crazy if you like. But please don't change everything before even starting the proxy once, and then complain that "it doesn't work". Start with something boring, and gradually tweak it. If you really need to.
Also, do not change your DNS settings at this point.
In the terminal, go to the directory you just extracted using the cd command, i.e. something like:
cd D:\dnscrypt-proxycd /d D:\dnscrypt-proxy for cmd.
The dir command should print a bunch of files, among which dnscrypt-proxy.exe and example-dnscrypt-proxy.toml.
Create a configuration file based on the example one:
copy example-dnscrypt-proxy.toml dnscrypt-proxy.tomlAnd now, for something intense, run:
.\dnscrypt-proxyDoes it look like it started properly? If not, try to find out why. Here are some hints:
-
dnscrypt-proxy.toml: no such file or directory: copy the example configuration file asdnscrypt-proxy.tomlas documented above. -
listen udp 127.0.0.1:53: bind: permission denied: you are not using an elevated PowerShell (see step 1). -
listen udp 127.0.0.1:53: bind: address already in use: something is already listening to the DNS port. Maybe something else, maybe a previous instance of dnscrypt-proxy that you didn't stop before starting a new one.
No errors? Amazing!
If dnscrypt-proxy is running, hit Control and C in the terminal window to stop it. And then to launch the server in an extra window, run:
start dnscrypt-proxySwitch to your previous terminal window. Let's check that everything works by sending a first query using dnscrypt-proxy:
.\dnscrypt-proxy -resolve example.comLooks like it was successfully able to resolve example.com? Sweet!
It's time to change your system DNS settings.
Open the network settings, and in the TCP/IP panel, if it's automatically, change it to manually, if it's manually, remove all existing DNS IP addresses (backup first), and then set it to 127.0.0.1.
Try a few more things: web browsing, file downloads, use your system normally and see if you can still connect without any DNS-related issues.
If anything ever goes wrong, you can revert the settings (with the backup).
The dnscrypt-proxy.toml file has plenty of options you can tweak. Tweak them if you like. But tweak them one by one, so that if you ever screw up, you will know what exact change made this happen.
The message bare keys cannot contain '\n' typically means that there is a syntax error in the configuration file.
Hit Control and C in the dnscrypt-proxy terminal window when you need to stop/restart it, type start dnscrypt-proxy to start the server, and test. Tweak, restart, test, tweak, restart, test until you are satisfied.
Are you satisfied? Good, let's jump to step 5!
Hit Control and C in the dnscrypt-proxy terminal window to stop the proxy.
Now, register this as a system service (still with elevated privileges):
.\dnscrypt-proxy -service installIf it doesn't spit out any errors, this is great! Your edition of Windows is compatible with the built-in installer.
Now that it's installed, it can be started:
.\dnscrypt-proxy -service startDone!
If it does spit out errors, additional steps for your edition of Windows are required. Stay calm, do not drink coffee but hit the gym instead, then look for specific instructions.
Want to stop the service?
.\dnscrypt-proxy -service stopWant to restart the currently running service after a configuration file change?
.\dnscrypt-proxy -service restartWant to uninstall the service?
.\dnscrypt-proxy -service uninstallWant to check that DNS resolution works?
.\dnscrypt-proxy -resolve example.comWant to completely delete that thing?
.\dnscrypt-proxy -service uninstall & Delete the directory. Done.
In the system preferences, the system can be configured with a secondary resolver (such as your ISP's or a public one like 9.9.9.9) in addition to the primary one (127.0.0.1, aka dnscrypt-proxy).
Windows applications will generally always try the primary server (thus, dnscrypt-proxy) first, and only retry with the secondary when the primary is not responsive.
Configuring a backup server can be useful to keep the DNS service up and running during temporary outages of servers configured in the proxy. The obvious downside is that queries sent to the backup server will not be encrypted/authenticated.
In order to install a new version, stop the service, replace the executable file (dnscrypt-proxy) with the new version, and start the service again.
Prior to this, taking a look at the release notes for possible breaking changes is a good idea. However, breaking changes are exceptional.
If you are having problems with Windows showing your network as offline while using dnscrypt-proxy, it may be due to a failing Windows Network Connectivity Status Indicator (NCSI) check. This can manifest as a yellow task bar icon or a tooltip indicating no or limited network connectivity.
On Windows 10 build 1709 or later, you can configure the check to do its DNS lookup on the interface where dns-proxy is running by enabling the Specify Global DNS policy inside Local Group Policy (Run gpedit.msc). The setting can be found under Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator.
If you do not have the group policy editor available on your Windows version, you can also enable the policy in the registry by running the following command as administrator:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /fA reboot is required for the setting to take effect.
There are several other more detailed settings available to disable or modify the NCSI check. These can further increase your privacy and improve startup speed. Please read the Network Connectivity Status Indicator (NCSI) page for more information.
- Home
- Installation
- Configuration
- Checking that your DNS traffic is encrypted
- Automatic Updates
- Server sources
- Combining blocklists
- Public Blocklist and other configuration files
- Building from source
- Run your own DNSCrypt server in under 10 minutes
- DNS stamps specifications
- Windows Tips
- dnscrypt-proxy in the media
- Planned Features