Sunday, December 28, 2014

Encrypting and Viewing DNS Connections Using DNSCrypt for Windows

For a while now, I’ve been using DNSCrypt, a local DNS proxy that encrypts and authenticates your queries on their way to an upstream resolver that supports the protocol. This is a strong defense against spoofed or tampered replies from anyone sitting between you and that resolver, and a decent privacy guard on insecure networks such as public Wi-Fi. Note that the resolver operator itself still sees every query.

I just wanted to quickly share with you how I configure it as both a DNS forwarder and logger.
You can download DNSCrypt for Windows here and either compile from source or use the pre-built dnscrypt-proxy.exe in the bin directory. I renamed the bin directory to DNSCrypt and copied it to Program Files; the commands below use the 8.3 short name (C:\PROGRA~2) so the path contains no spaces and needs no quoting. dnscrypt-proxy.exe is straightforward and well documented.

You can either run it as a standalone executable or install it as a service. When running it in standalone mode, I execute the following:

dnscrypt-proxy.exe -R "opendns" -L "C:\PROGRA~2\DNSCrypt\dnscrypt-resolvers.csv" --plugin=C:\PROGRA~2\DNSCrypt\plugins\dnscrypt-logger.dll,C:\PROGRA~2\DNSCrypt\dns.csv

I selected the "opendns" resolver and I’m running a modified version of the logger plugin (libdcplugin_example_logging.dll) included in the plugins directory. I modified it to output a CSV file consisting of the domain name queried, the query type (A, AAAA, etc.), and the UTC datetime when the query occurred. This allows me to easily consume the log and automate analysis of my DNS queries. You can download the modified logger plugin from my GitHub repo. Finally, you need to set your DNS IP address to

For easily toggling the DNS IP addresses of my network adapters from localhost to being automatically assigned, I wrote this PowerShell v3 script that I keep in my profile.ps1:
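As an added example (this is not the author's profile.ps1 script), a PowerShell v3 function that does the same toggle with the DnsClient and NetAdapter cmdlets. It assumes Windows 8 / Server 2012 or later, an elevated prompt, and that dnscrypt-proxy is listening on its default address 127.0.0.1:53; the function and parameter names are my own.

```powershell
# Added example, not the author's profile.ps1 script. Assumes Windows 8 /
# Server 2012 or later (DnsClient and NetAdapter modules, PowerShell v3+) and
# that dnscrypt-proxy is listening on its default address, 127.0.0.1:53.
# Changing adapter DNS settings needs an elevated prompt.

function Set-DnsCryptForwarding {
    [CmdletBinding()]
    param(
        # $true points every active physical adapter at the local proxy;
        # $false drops the static entry so DHCP-assigned servers apply again.
        [Parameter(Mandatory)]
        [bool]$Enabled,

        # Where dnscrypt-proxy listens (its default; change if you used -a).
        [string]$ProxyAddress = '127.0.0.1'
    )

    if ($Enabled) {
        # Fail safe: make sure the proxy answers before cutting over, so a
        # stopped service does not leave the machine without name resolution.
        $probe = Resolve-DnsName -Name 'example.com' -Type A -Server $ProxyAddress `
                     -DnsOnly -ErrorAction SilentlyContinue
        if (-not $probe) {
            throw "No answer from dnscrypt-proxy at $ProxyAddress; adapters left unchanged."
        }
    }

    # Only physical adapters that are up; leave VPN and virtual adapters alone.
    $adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    if (-not $adapters) { throw 'No active physical adapters found.' }

    foreach ($adapter in $adapters) {
        if ($Enabled) {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                -ServerAddresses $ProxyAddress
        } else {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                -ResetServerAddresses
        }
    }

    # Drop answers cached before the switch.
    Clear-DnsClientCache

    # Show what is now configured. If an IPv6 DNS server also appears here
    # (from DHCPv6 or router advertisements), Windows can still query it in
    # the clear; either remove it or run dnscrypt-proxy with -a ::1 as well.
    Get-DnsClientServerAddress -InterfaceIndex $adapters.ifIndex |
        Select-Object InterfaceAlias, AddressFamily, ServerAddresses
}

# Short names for profile.ps1.
function Enable-DnsCrypt  { Set-DnsCryptForwarding -Enabled $true }
function Disable-DnsCrypt { Set-DnsCryptForwarding -Enabled $false }
```

The probe before switching is the part worth keeping even if you rewrite the rest: pointing an adapter at a proxy that is not running silently takes the machine off the network, and Windows gives you no warning.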

Personally, I run DNSCrypt as a service. Installation is simple: append --install to the command line above and run it from an elevated prompt:

dnscrypt-proxy.exe -R "opendns" -L "C:\PROGRA~2\DNSCrypt\dnscrypt-resolvers.csv" --plugin=C:\PROGRA~2\DNSCrypt\plugins\dnscrypt-logger.dll,C:\PROGRA~2\DNSCrypt\dns.csv --install

It will tell you that you may need to modify some registry settings. The only one I needed to add was the Plugins value, which holds the path to the plugin followed by any optional arguments (the same form as the --plugin argument above). When you’re done modifying the registry, restart the service and you’re good to go.
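As an added example (not from the original post), the registry step in PowerShell. It assumes that the service created by --install is named dnscrypt-proxy and reads its settings from HKLM:\SOFTWARE\DNSCrypt\Parameters, with Plugins stored as a REG_MULTI_SZ of "path,arguments" entries; check both against the README shipped with your build before relying on them. The function names are my own.

```powershell
# Added example, not from the original post. Assumptions: dnscrypt-proxy 1.x
# --install registered a service named "dnscrypt-proxy" that reads its
# settings from HKLM:\SOFTWARE\DNSCrypt\Parameters (verify against the README
# in your build). Plugins is a REG_MULTI_SZ; each element is
# "<plugin path>,<plugin arguments>", the same form as the --plugin option.
# Run from an elevated prompt.

$paramsKey   = 'HKLM:\SOFTWARE\DNSCrypt\Parameters'
$serviceName = 'dnscrypt-proxy'

function Set-DnsCryptPlugins {
    param(
        # One element per plugin, e.g.
        # 'C:\PROGRA~2\DNSCrypt\plugins\dnscrypt-logger.dll,C:\PROGRA~2\DNSCrypt\dns.csv'
        [Parameter(Mandatory)]
        [string[]]$Plugins
    )

    # Refuse to point the service at a DLL that does not exist: a bad path
    # leaves the service failing to start and the machine without DNS.
    foreach ($entry in $Plugins) {
        $dll = ($entry -split ',', 2)[0]
        if (-not (Test-Path -LiteralPath $dll)) { throw "Plugin not found: $dll" }
    }

    if (-not (Test-Path $paramsKey)) {
        throw "Parameters key $paramsKey not found; was --install run?"
    }

    # REG_MULTI_SZ, one plugin per element. -Force overwrites an existing value.
    New-ItemProperty -Path $paramsKey -Name 'Plugins' -PropertyType MultiString `
        -Value $Plugins -Force | Out-Null

    # The service only reads the key at start-up.
    Restart-Service -Name $serviceName
    Get-Service -Name $serviceName | Select-Object Name, Status
}

function Get-DnsCryptServiceSettings {
    # Everything the service will read on its next start, minus PowerShell's
    # own PSPath/PSParentPath bookkeeping properties.
    Get-ItemProperty -Path $paramsKey | Select-Object * -ExcludeProperty PS*
}

# Usage:
# Set-DnsCryptPlugins -Plugins 'C:\PROGRA~2\DNSCrypt\plugins\dnscrypt-logger.dll,C:\PROGRA~2\DNSCrypt\dns.csv'
# Get-DnsCryptServiceSettings
```

The Test-Path check matters more than it looks: the service runs as LocalSystem with no console, so a typo in the plugin path shows up only as a service that refuses to start, and by then the adapters already point at 127.0.0.1.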

(Screenshot: configured service settings)

Once everything is up and running with my logger plugin, I can easily view every DNS resolution made. I wrote a simple PowerShell function to make viewing the DNS log mindless:
(Screenshot: parsed DNS log)
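As an added example (not the author's function), a PowerShell v3 parser for the log plus two small consumers that go a step beyond viewing it: a top-queried-domains summary and a triage pass for names that look like DNS tunnelling. It assumes the modified plugin writes one query per line as "<domain>,<type>,<utc timestamp>" with no header row, in the column order described above, and that the timestamp is something [datetime]::Parse accepts; adjust the -Header list and the parsing if your build differs. The sample log at the bottom is constructed, not real data, and all function names are my own.

```powershell
# Added example, not the author's function. Assumes the logger plugin writes
# "<domain>,<type>,<utc timestamp>" per line with no header row (column order
# as described in the post). Adjust -Header / parsing if your format differs.

function Get-DnsCryptLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since,   # keep only entries at or after this UTC time
        [string]$Type,      # e.g. 'A', 'AAAA', 'TXT'
        [string]$Domain     # wildcard filter, e.g. '*.example.com'
    )

    # Resolve which optional filters were given before entering the pipeline
    # (script blocks below run in a child scope and can read these).
    $hasSince  = $PSBoundParameters.ContainsKey('Since')
    $hasType   = $PSBoundParameters.ContainsKey('Type')
    $hasDomain = $PSBoundParameters.ContainsKey('Domain')

    Import-Csv -Path $Path -Header 'Domain', 'Type', 'Timestamp' |
        ForEach-Object {
            # Normalise once: lower-case, no trailing dot, real UTC datetime.
            $_.Domain    = $_.Domain.TrimEnd('.').ToLowerInvariant()
            $_.Timestamp = [datetime]::Parse($_.Timestamp,
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
                [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            $_
        } |
        Where-Object {
            (-not $hasSince  -or $_.Timestamp -ge $Since) -and
            (-not $hasType   -or $_.Type -eq $Type) -and
            (-not $hasDomain -or $_.Domain -like $Domain)
        }
}

function Get-DnsCryptTopDomains {
    # Which names this machine asks for most; a quick way to spot beacons.
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry, [int]$Top = 10)
    begin   { $all = @() }
    process { $all += $Entry }
    end {
        $all | Group-Object Domain | Sort-Object Count -Descending |
            Select-Object -First $Top Count, Name
    }
}

function Find-SuspiciousDnsQuery {
    # Cheap triage heuristics for tunnelling or DGA-like traffic: very long
    # names, many labels, or record types a workstation rarely needs.
    # These are hints to look at, not verdicts.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [int]$MaxLength = 60,
        [int]$MaxLabels = 6,
        [string[]]$RareTypes = @('TXT', 'NULL')
    )
    process {
        $labels  = $Entry.Domain -split '\.'
        $reasons = @()
        if ($Entry.Domain.Length -gt $MaxLength) { $reasons += "name length $($Entry.Domain.Length)" }
        if ($labels.Count -gt $MaxLabels)        { $reasons += "$($labels.Count) labels" }
        if ($RareTypes -contains $Entry.Type)    { $reasons += "query type $($Entry.Type)" }
        if ($reasons) {
            [pscustomobject]@{
                Timestamp = $Entry.Timestamp
                Domain    = $Entry.Domain
                Type      = $Entry.Type
                Reason    = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log (not real data) to show the output shape.
$sample = @'
www.example.com,A,2014-12-28T15:02:11Z
www.example.com,AAAA,2014-12-28T15:02:11Z
mail.example.com,A,2014-12-28T15:02:45Z
aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.t.exfil.example.net,TXT,2014-12-28T15:03:40Z
'@
$tmp = Join-Path $env:TEMP 'dns-sample.csv'
Set-Content -Path $tmp -Value $sample

Get-DnsCryptLog -Path $tmp | Get-DnsCryptTopDomains
Get-DnsCryptLog -Path $tmp | Find-SuspiciousDnsQuery
Get-DnsCryptLog -Path $tmp -Type A -Domain '*.example.com'
```

Against the real log, point -Path at the dns.csv the plugin writes. The thresholds in Find-SuspiciousDnsQuery are deliberately loose starting points; tune them against a day of your own traffic before treating a hit as more than something to look at.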