Skip to content


Using DNSCrypt or DoH (or both) on Windows

A long time ago in a galaxy far, far the same, I setup my previous laptop with whatever was needed to send DNS queries to a DNSCrypt resolver instead of using my ISP’s.
At the time, it was kind of complicated (or at least tedious): I had to install dnscrypt-proxy, and because it had no caching mechanism, I had to also install Unbound on top of it. Both had to be installed as a service, ran at startup, Unbound had to listen to port 53 so that I could tell Windows to use 127.0.0.1 as a DNS server, dnscrypt-proxy had to listen to some arbitrary port, and Unbound had to be configured to query that. Not very fun. And as I was short in time, I never bothered formalizing all this into something that looks like a proper-ish guide. Which discouraged my from doing the same setup on other computers. Until today.

I decided to give it another shot. First surprise, Unbound now has a quite better documentation, with a whole guide (on PDF) for Windows. Before downloading it, I checked out DNSCrypt / dnscrypt-proxy, fearing the worst: last time I check it, the project was abandoned, and it wasn’t very clear what would replace it. Nice surprise there, there are now a bunch of clients, with DNSCrypt-proxy at the top (probably a full rewrite since it’s version 2.x and written in Go). And yet another nice surprise: as I was checking the documentation, I was directed to Simple DNSCrypt, which seems to be the recommended way to install dnscrypt-proxy, if you want to avoid getting a headache.

I don’t have much to say about Simple DNSCrypt, it’s really easy to use indeed (as long as you have a vague idea about how DNS things work), and if I didn’t want an excuse to safe-keep the links above I could have just made a short “aToad” post about it. The default configuration is globally nice, I’ll just mention a few points/tweaks:

  • You’ll probably have to manually toggle on the DNSCrypt Service, and to configure your network card(s) to use it (no need to go dig into your Windows network settings, Simple DNSCrypt provides a one-click button for that and I don’t think you can miss it).
  • By default, DNSCrypt will be configured to automatically select any resolver with DNSSEC support + no logs + no filter. This includes a CloudFflare server, so you may want to disable this one. This also includes both servers that use DNSCrypt and servers that use DNS over HTTPS, which I find pretty neat.
  • The query log (default off) can be useful to check that your computer is actually using dnscrypt-proxy (but you may want to turn it off as soon as you’ve check, as I guess it will grow big pretty fast). It also show which DNS resolver the request is sent to, so you should notice that dnscrypt-proxy rotates between your chosen servers. Which is great for privacy… and makes it more harmless if you choose to keep CloudFlare in your list.
  • The advanced settings tab lets you enable/disable a DNS cache. It’s great because it means I don’t need Unbound on top of it. However, the default value for the cache (256 entries) isn’t appropriate for me (I run a web crawler, so a value of 2048, for instance, sounds better) and it cannot be edited from the UI. To change it, you need to shut down Simple DNSCrypt (and possible dnscrypt-proxy too, not sure about that), then modify the cache_size line in C:\[path to Simple DNSCrypt]\dnscrypt-proxy\dnscrypt-proxy.toml.

It also has more advanced features, like a domain blacklist, which might be more comfortable than using the good old HOSTS file (although beware it obviously won’t block anymore if your system somehow switches back to your ISP’s DNS), and a “cloak and forward” feature, which I haven’t looked into (and I’m not sure what this does ^^)

I’ve been using this for a few days. So far, no issue, no extra latency, no abnormal DNS error rate in my web crawler… Looking good! And since it’s so easy to set up, I’ll probably put it in all my other computers soon 🙂

Posted in Internet, software, Windows.


2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. crc says

    Hi roach.

    Thank you for the informative post! I myself is on a win 10 pc. Looking to switch over to Fedora but it will take time as I only have exp with win :(.

    What would you recommend? Disabling my win dns service (which makes the HOSTS file useless?…from what I’ve read), and only using Simple DNSCrypt? I used Black Bird recently to try and stop MS spying on me and the pc is running very better and websites loads faster. Maybe using HostsMan for local DNS caching (otherwise I have to poll the DNSCrypt server list to visit old sites?).

    Also I have started moving away totally from Google and also their other packages / software. Using Tor (no add-ons) browser and Firefox (minimum / essential add-ons only).

    Also trying to move away from online password managers and I’m looking at KeePass for those needs.

    Have also started using more secure alternative email providers and clients.

    I would greatly appreciate any input from you 🙂

    • patheticcockroach says

      About the Windows DNS service, I didn’t disable it. As far as I remember, I simply configured Windows to call dnscrypt-proxy instead of my ISP’s DNS servers, but apart from that no change is required. My hosts file keeps working. Also, as mentioned in the post, dnscrypt-proxy now does the caching (but you may want to increase the size of the default cache).

      I heard about Blackbird before, but haven’t tried it yet. That’s the kind of thing I’d rather try right after installing my PC, not after using it (hence customizing it) for a few years already ^^ That will be for the next one I guess.

      When you use Tor Browser, it makes DNS queries via Tor.
      If you use Firefox, you can also use a SOCKS proxy and tell Firefox to send the DNS queries to said SOCKS proxy (not necessarily needed if you already use dnscrypt system-wise, but that’s still a possibility). Also about Firefox, you can create multiple independent profiles (with all different settings and add-ons) and run them simultaneously.

      As for password managers, KeePass is great indeed. I don’t know why all the hype around KeePassXC, it’s UX feels way worse IMO. But the nice thing is all those KeePass derivatives should use the same database format, so you can easily switch between them.



Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA