Simple DNSCrypt is a free open source program for Microsoft's Windows operating system to configure dnscrypt-proxy on Windows-based PCs and devices.

DNSCrypt is a technology that encrypts DNS lookups so that third parties cannot spy on them. While some programs or services, VPN services for instance, protect your lookups automatically, most DNS traffic is not encrypted.

OpenDNS introduced DNSCrypt support back in 2012 but DNSCrypt was pioneered by the OpenBSD operating system years before that. It uses encryption to protect against man-in-the-middle attacks.

SimpleDNSCrypt

Simple DNSCrypt is an easy-to-use program for Windows that brings this functionality to Microsoft's operating system. It is not the first program to do so (DNSCrypt Windows Service Manager was released in 2014), but it is a feature-rich solution that is in active development.

Simple DNSCrypt utilizes DNSCrypt Proxy, which is also available for Windows and other operating systems.

The user interface is divided into several tabs.

  • Main Menu -- lists configuration options, e.g. use of servers and available network cards.
  • Resolvers -- lists the available DNS Resolvers and offers configuration options.
  • Advanced Settings -- additional settings that change core functionality.
  • Query Log -- A log that is disabled by default.

A click on the settings icon gives you options to add additional tabs to the program interface which you may use to blacklist and whitelist domains, and check the domain block log.

Activate the DNSCrypt Service after you have configured the options to your liking to get started with the application. Once you have done so, select the network cards that you want the service to run on.

This is the bare-minimum configuration to encrypt your DNS traffic. It is recommended that you go through the settings before you enable the service to make sure all is set up correctly.

By default, Simple DNSCrypt lists only IPv4 servers and blocks IPv6-related queries. You enable IPv6 servers under Main Menu and unblock IPv6-related queries under Advanced Settings.

By default, the program retrieves only resolvers that support DNSSEC and don't log or filter traffic. You can uncheck these options if you want, but it is recommended that you don't unless you run into issues.
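The defaults described in the last two paragraphs can be checked in the configuration file that dnscrypt-proxy reads. The following Python script is an added example, not part of Simple DNSCrypt or of the original article; it assumes dnscrypt-proxy 2 and its `dnscrypt-proxy.toml` key names, and the sample file content is constructed.

```python
"""Audit a dnscrypt-proxy.toml against the defaults this article describes."""

# Key names are dnscrypt-proxy 2 settings (an assumption about the installed
# version); the expected values are the Simple DNSCrypt defaults stated above.
BASELINE = {
    "ipv4_servers": True,      # IPv4 resolvers are listed
    "ipv6_servers": False,     # IPv6 resolvers are not listed
    "block_ipv6": True,        # IPv6-related queries are blocked
    "require_dnssec": True,    # only resolvers that support DNSSEC
    "require_nolog": True,     # only resolvers that do not log
    "require_nofilter": True,  # only resolvers that do not filter
}


def read_global_bools(text):
    """Return the boolean keys set before the first [table] header."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("["):              # global section ends here
            break
        key, sep, value = line.partition("=")
        value = value.strip().lower()
        if sep and value in ("true", "false"):
            found[key.strip()] = value == "true"
    return found


def audit(text):
    """List (key, expected, actual) per deviation; actual is None if unset."""
    found = read_global_bools(text)
    return [(k, want, found.get(k)) for k, want in BASELINE.items()
            if found.get(k) != want]


# Constructed sample: DNSSEC requirement switched off, no-log line commented out.
SAMPLE = """\
ipv4_servers = true
ipv6_servers = false
block_ipv6 = true
require_dnssec = false   # unchecked while troubleshooting
# require_nolog = true
require_nofilter = true

[query_log]
  file = 'query.log'
"""

if __name__ == "__main__":
    for key, want, got in audit(SAMPLE):
        print(f"{key}: expected {want}, found {got}")
```

A key reported as unset falls back to whatever dnscrypt-proxy itself uses when the line is missing, so treat it as a deviation to review rather than as a confirmed weak setting.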

Simple DNSCrypt runs in automatic mode by default. The service picks the fastest resolver from the list of available servers and uses it. You can switch that off under Resolvers by selecting one or multiple resolvers from the list. This may take a bit of testing to make sure performance is fine.

The advanced settings give you more control over the service's functionality. You can disable DNS caching there, for instance. Simply put, if caching is enabled, Simple DNSCrypt tries to find the information in the cache before resolvers are used to look up the information.

There is also an option to Force TCP, and to uninstall the Windows service.

Uninstallation worked without issues on several test systems.

Closing Words

Simple DNSCrypt is an easy-to-use program for Windows that protects DNS queries against man-in-the-middle attacks. One downside of the project is that you don't have control over the resolvers: there is no option, at least not in the UI, to add custom resolvers. This means, basically, that you have to trust at least one of the servers used.