[Howto] DNSCrypt and Unbound as cache

Discussion in 'Scripting' started by CHEF-KOCH, Oct 13, 2015.


    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #1 CHEF-KOCH, Oct 13, 2015
    Last edited: Apr 26, 2017
    This small guide is designed to secure your DNS port (53) with encrypted traffic (it secures the communication between the client and a DNS resolver).

    This guide does not explain what DNSCrypt/Unbound are; just read the documents (see sources).

    This will work on the following Systems:
    * Windows 7 - 10
    * Linux (Ubuntu and others, you only may need to change some prefs)
    * DNSCrypt/Unbound are generally designed to work under all systems, but this guide is focused on Windows / Linux.

    What does this change on your system:

    * soltysiak will be used as Primary DNS
    * A C:\Unbound.txt file will be created to track/debug problems in case something goes wrong (if you don't need it, comment it out with #)
    * Port 2053 (needs to be changed via registry) will be used for the resolver (it's the native port)
    * Unbound's Service.conf is tweaked to work together with DNSCrypt, and it uses Google's server as an alternative (don't worry, Google uses DNSSEC) to ensure it works with e.g. Android or other devices/OSes which may need this to get proper DNS working (e.g. for tethering).
    * The Network config redirects everything to Be careful with a huge HOSTS file!
    * Advanced users can use this to block ads/IPs/domains + change the given config as per their needs (read every single document first before you touch anything!).

    Why both DNSCrypt and Unbound?
    * See here (ger. mirror) or on the DNSCrypt front page section: 'Using DNSCrypt in combination with a DNS cache'.
    * See also DNSSEC vs. DNSCrypt, here.

    Required Software:
    * Unbound
    * DNSCrypt + a resolver/DNS server you trust, e.g. soltysiak (the available list is in the .zip package, or an always-updated one is available over here).

    I recommend using the Unbound setup (because this gives an option to start it as a service [if you are not very familiar with the shell]) and DNSCrypt only as the portable package (the .zip one). Alternatively you can just extract it and start unbound-service-install.exe (requires admin privileges).

    Now let's start:
    * Install unbound.exe and ensure it's started as a service (it will be installed to C:\Program Files (x86)\Unbound on x64 machines and C:\Program Files\Unbound on x86 machines).
    * Unpack the DNSCrypt package to C:\Program Files (x86)\DNSCrypt, or the corresponding path for x86 machines.
    * Now you're almost done, just open the Unbound install location and open/edit the Service.conf file (if it doesn't exist, just copy example.conf and rename it) and add the following to it (see inside the spoiler).

    # Unbound configuration file on windows.
    # See example.conf for more settings and syntax
    server:
      # verbosity level 0-4 of logging
      verbosity: 0
      # if you want to log to a file use (ignored while use-syslog is yes)
      logfile: "C:\unbound.log"
      # on Windows, this setting makes reports go into the Application log
      # found in ControlPanels - System tasks - Logs
      use-syslog: yes
      log-time-ascii: yes
      num-threads: 1 # 1 is enough for a not heavily loaded server
      cache-min-ttl: 60
      infra-host-ttl: 60
      #root-hints: "C:\Program Files (x86)\Unbound\named.root"
      # power of 2 close to num-threads
      msg-cache-slabs: 2
      rrset-cache-slabs: 2
      infra-cache-slabs: 2
      key-cache-slabs: 2
      # enable extended statistics.
      statistics-interval: 0
      extended-statistics: yes
      unwanted-reply-threshold: 10000000
      # must be "no": dnscrypt-proxy listens on localhost and unbound forwards to it
      do-not-query-localhost: no
      prefetch: yes
      prefetch-key: yes
      rrset-roundrobin: yes
      minimal-responses: no
      do-ip4: yes
      do-ip6: no
      do-udp: yes
      do-tcp: yes
      hide-identity: yes
      hide-version: yes
      #harden-referral-path: yes
      use-caps-for-id: yes
      # Optional Hardening knobs:
      #harden-glue: yes
      #harden-dnssec-stripped: yes
      #harden-short-bufsize: yes
      #harden-large-queries: yes
      # DNSSEC validation: the validator module needs the root trust anchor
      # (create it with unbound-anchor -a "root.key" if it is missing)
      module-config: "validator iterator"
      auto-trust-anchor-file: "C:\Program Files (x86)\Unbound\root.key"
      #dlv-anchor-file: "C:\Program Files (x86)\Unbound\dlv.isc.org.key"
      # ACL + privacy
      # The netblocks were lost from the post; loopback-only is an assumption.
      # For tethering add an "allow" line with your LAN range before the refuse line.
      access-control: 127.0.0.0/8 allow
      access-control: ::1 allow
      access-control: 0.0.0.0/0 refuse
      # Adblocking
      #include: "C:\Program Files (x86)\Unbound\unbound_ad_servers"
    # Remote control config section.
    remote-control:
      # Enable remote control with unbound-control(8) here.
      # set up the keys and certificates with unbound-control-setup.
      control-enable: no
      # what interfaces are listened to for remote control.
      # give 0.0.0.0 and ::0 to listen to all interfaces.
      # control-interface: ::1
      # port number for remote control operations.
      #control-port: 8953
      # unbound server key file.
      #server-key-file: "C:\Program Files (x86)\Unbound\unbound_server.key"
      # unbound server certificate file.
      #server-cert-file: "C:\Program Files (x86)\Unbound\unbound_server.pem"
      # unbound-control key file.
      #control-key-file: "C:\Program Files (x86)\Unbound\unbound_control.key"
      # unbound-control certificate file.
      #control-cert-file: "C:\Program Files (x86)\Unbound\unbound_control.pem"
    # Send every query to dnscrypt-proxy on localhost
    forward-zone:
      name: "."
      # dnscrypt-proxy listens locally on the port from this guide's example (2053)
      forward-addr: 127.0.0.1@2053
      # google only for test reasons (the address was lost from the post)
      #forward-addr:

    Save this and you're done with the Unbound part.

    * Now start the cmd aka shell and type the following:

    * cd "C:\Program Files (x86)\DNSCrypt"  [press enter now]
    * dnscrypt-proxy.exe -R <your-dns-resolver-you-like-to-use> -L "C:\Program Files (x86)\DNSCrypt\dnscrypt-resolvers.csv" --install  [press enter now]
    * That's it. On Linux-based systems you need to add --daemonize too, which ensures that the service runs in the background.

    Now the last three important steps are:
    * Go into the network settings, choose your Internet adapter (e.g. IPv4) and set your own DNS; this must be set to (and if you want to e.g. tether your devices it must be set to but only in this case). If you like to use IPv6 and the resolver supports it, you must use ::1 (alias ::FFFF: instead of
    * Now go to the registry (regedit) and navigate to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters]. You will see your installed DNSCrypt parameters, but the important one is the ResolverAddress, which needs to be changed to e.g. 5533 or your resolver port; in my example it's 2053.
    * The very last step is to disable the Windows internal DNS Client (aka cache): open Services.msc, search for DNS Client, stop it and ensure it stays disabled.
    * Restart your machine or, if you don't want to wait, open up your shell and type: net stop dnscrypt-proxy && net start dnscrypt-proxy. AND do the same with unbound (replace dnscrypt-proxy with unbound).
    * That's it! I added an example registry thingy here, showing how it could look if all is done.
    Windows Registry Editor Version 5.00
    ; for x64 machines
    ; soltysiak is used as resolver + port 2053
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters]
    "ResolversList"="C:\\Program Files (x86)\\DNSCrypt\\dnscrypt-resolvers.csv"

    ALTERNATIVE! (for DNSCrypt only)

    If all the steps are still too much, too difficult or confusing for you, you can use a GUI program to do all this: Simple DNSCrypt (which is Windows only). This is a small program which (only) configures the DNSCrypt package, YOU STILL NEED Unbound! Of course DNSCrypt also works as a standalone app, but the goal is to manage UNBOUND AND DNSCRYPT!
    The only benefit of using this is that it's for beginners and that it updates the resolvers.csv file automatically; normally you only need to update the package and/or resolvers.csv manually.

    I'd like to update Unbound and/or DNSCrypt, how can I do this?
    * Just replace the old packages with the new ones; ensure you don't overwrite the Service.conf (on Unbound). On DNSCrypt you can replace everything, the changes are stored within the registry.

    How can I quickly change back the adapter settings?
    On Windows:
    Run the shell as admin and execute the following (replace your stuff, e.g. Ethernet with your network name and <resolver> with the resolver address as per your needs)
    ipconfig /flushdns
    netsh interface IPv4 set dnsserver "Ethernet" static <resolver> both no
    netsh interface IPv4 set dnsserver "Wi-Fi" static <resolver> both no
    ipconfig /flushdns

    On other Systems (for dhcp lease):
    ipconfig /flushdns
    netsh interface IPv4 set dnsserver "Ethernet" dhcp
    netsh interface IPv4 set dnsserver "Wi-Fi" dhcp
    ipconfig /flushdns

    DNSCrypt or Unbound seems not to start because of a wrong config, how can I check and solve it?
    On Unbound:
     * cd "C:\Program Files (x86)\Unbound" [press enter here]
     * unbound-checkconf.exe [press enter here]
     * If there are some errors it shows you the lines; also check that the service was stopped before you edit stuff, and restart it when you're done.

    On DNSCrypt:
     * Just use the --uninstall option + ensure that all registry entries are deleted!
     * Now, again use --install with your preferred resolver.
     * From my experience DNSCrypt doesn't start because the user 'manipulated' the registry with wrong information, e.g. the 'Plugins' are wrongly named or such things. Just use --install and don't touch the registry; besides configuring the port, you don't need to touch anything if you are a beginner (read the man page for the options you have in the registry).

    How can I verify sign/signatures?
    See here.

    What is important to know:
    * Besides the fact that your DNS is now fully secured, some apps may not work anymore or have negative side-effects, e.g. the Windows own firewall or those which depend on the internal DNS Client, like WFC, showing the resolver or DNS address instead of the real ones, or logging a lot of port 53 stuff (even if it's not blocked). You can just ignore it or use another firewall which isn't related to the Windows one, e.g. Windows 10 Firewall Control.
    * Advanced users can add/change the config files as per their needs; ensure you read the man pages/documents.
    * For each change on Unbound or DNSCrypt (config/files) you must restart the services! (via shell or Services.msc) to ensure that the new changes get applied.
    * Tests like DNSLeaks or other sites might use the internal browser cache; ensure you disabled the Firefox/Chrome internal cache (and cleared the cache) before/after you test it, otherwise you might see wrong results. There are also better add-ons to do so, because this can be controlled per site (e.g. uBlock/uMatrix or Random Agent Spoofer).
    * Unbound doesn't come with the root.key; if there is a permission error or it can't access it, check whether the key is present in the Unbound dir. Otherwise you need to execute it manually:
    C:\Program Files (x86)\Unbound>unbound-anchor -a "root.key"

    Before you start to cry/flame that it's not working for you, ensure that:
    * Temporarily disable your firewall (if you use a software-based one) and ensure that port 53 + the resolver port (in this case 2053) and 443 aren't blocked!
    * The paths are correct and you unzipped and installed dnscrypt/unbound correctly.
    * The DNSCrypt resolvers.csv was updated and you chose a resolver which works.
    * Ensure you restarted your machine or started the service manually (if e.g. dnscrypt doesn't start, this 100% means that the configuration doesn't work).
    * You read all documents and all links here before you ask any stupid question, e.g. what DNSCrypt is or why you need it..., also please no DNSCrypt/Unbound vs. talks.
    * You didn't manipulate the registry (because if you don't know what you're doing...).
    * Ensure that the Service.conf has the correct line ending [EOL] (on Linux -> Unix and on Windows... well, Windows) or you possibly get 'Service.conf not found' errors even if it's present.

    * Maybe add screenshots or YouTube (but in given links there are enough shell screenshots).

    * https://dnscrypt.org/
    * https://wiki.archlinux.org/index.php/DNSCrypt
    * https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown
    * https://www.unbound.net
    * https://unbound.net/documentation/unbound-windows-manual-01.pdf
    * https://unix.stackexchange.com/questions/97391/dnscrypt-unbound-and-dnssec
    * http://npr.me.uk/unbound.html
    * https://dominustemporis.com/2014/05/dnscrypt-on-windows-update/
    * http://yvoinov.blogspot.de/2014/05/windows-7-unbound-dnscrypt.htm
    * http://ubuntuforums.org/showthread.php?t=2183265
    * https://github.com/alterstep/dnscrypt-unbound
    * https://dnsleaktest.com/
    * Plain .txt version of this guide
    * DNS Leakage fix

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #2 CHEF-KOCH, Oct 14, 2015
    Last edited: Oct 14, 2015
    Yes, this is due to Windows 10; Simple DNSCrypt needs some compiler changes to support it, to include the missing libs, see also the discussion about Windows 10 problems over here.

    * Please ensure .NET Framework 4.5 is properly installed and linked; it also needs the Microsoft Visual C++ Redistributable Package.
    * Use the .msi because it should already contain 'the fix'.
    * If that somehow doesn't work, try to place msvcp100.dll and msvcr100.dll into the same dir as the .exe file.
    * If there are still problems, please report them to the mentioned thread.
    * SimpleDNSCrypt will possibly get Unbound support as well. (I will update the guide if/when it's done.)

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #3 CHEF-KOCH, Oct 14, 2015
    Last edited: Oct 14, 2015
    Please do me a favor: do not report anything back, just hit the thanks button if it worked. I want to keep my threads as clean as possible. I think everything, each single error, each setup is already linked, explained or stated in the documents. I know it's easier to ask for help, but I don't want to support such things. SimpleDNS in its current form is just a program to get DNSCrypt to work for people who do not want to or can't handle shell/cmd. As I already wrote, Unbound currently is not integrated into the SimpleDNSCrypt.msi, and if you want it as a cache you must use the Unbound.exe setup or the package (.zip, but I recommend using the .exe) and don't forget to disable the internal Windows/Linux cache and open the necessary ports. Unbound isn't normally the problem, but DNSCrypt won't start on misconfiguration or if it uses the wrong port. The hostip.exe is there to show whether all is working (similar to Unbound's own unbound-host.exe).

    To clarify, I'm not:
    * The author of DNSCrypt, Unbound or SimpleDNSCrypt; every undocumented crash, error or the like belongs in the GitHub issue tracker and not here. I don't want to give such support for stuff I didn't write myself.
    * This isn't against anyone personally, but I already checked that the guide is as simple as possible. If something is unclear I'm mostly hanging around in the chatbox here on MDL.
  4. Soulfate

    Soulfate MDL Member

    Feb 14, 2011
    Thanks, but I don't really understand why you recommend using Unbound + DNSCrypt.
    I've installed DNSCrypt and created an automatic task ("users" with max privileges, starts when logged in) and my DNS resolver is OpenDNS with encrypted traffic on Windows 10, and everything else is automatic. No need to install Unbound for that. The link that explains why is broken :(

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #5 CHEF-KOCH, Oct 15, 2015
    Last edited: Oct 15, 2015
    I've updated the links.

    But to explain your legitimate question: DNSCrypt itself acts as a forwarder for a local DNS cache (if it was properly configured), otherwise every single query makes a round-trip to your upstream resolver. Generally any local caching system should work, e.g. dnsmasq for Android/Linux, or its alternative Unbound, or the old pdnsd and others. In your case you have now encrypted the DNS queries, but the internal OS caching system is still in use (which suffers from several problems, see the official Unbound page).
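    The check below is an added example; it is not code from the original posts nor from the Unbound or dnscrypt-proxy projects. It puts numbers on two points in this thread: the troubleshooting section of post #1 (does each hop answer, is DNSSEC validation actually happening) and the forwarder-plus-cache explanation in this post. It speaks raw DNS over UDP with the standard library only, queries dnscrypt-proxy directly, then Unbound twice, and reports the RCODE, the AD flag (Unbound sets it only on data its validator verified, which needs root.key) and the TTL of the first answer, which on the second Unbound query is no larger than on the first when the local cache served it. Assumed, because the addresses were lost from the post: Unbound on 127.0.0.1:53 and dnscrypt-proxy on 127.0.0.1:2053 (the guide's example port); the query name is only a placeholder, use a zone you know is DNSSEC-signed.

```python
"""Hop-by-hop check of the local DNSCrypt + Unbound chain.

Added example; not code from the original posts, nor from the Unbound or
dnscrypt-proxy projects. Standard library only (raw DNS over UDP), so it runs
with any Python 3 on the machine being configured.
Assumptions (the addresses were lost from the post): Unbound listens on
127.0.0.1:53, dnscrypt-proxy on 127.0.0.1:2053, the guide's example port.
"""
import os
import socket
import struct

UNBOUND = ("127.0.0.1", 53)
DNSCRYPT_PROXY = ("127.0.0.1", 2053)   # port from the guide's example
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus the root terminator."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Recursion-desired query for name/qtype (1 = A). With dnssec_ok an EDNS0 OPT
    record carrying the DO bit is appended, so a validating resolver returns
    RRSIGs and sets AD on data it validated."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP payload 4096, ext-RCODE 0, EDNS version 0,
        # flags with DO (0x8000), RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Offset just past the name starting at off; a compression pointer (11xxxxxx)
    is two bytes and terminates the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(resp, expected_txid):
    """Header flags plus the TTL of the first answer RR (None when ANCOUNT is 0)."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4          # QTYPE + QCLASS
    ttl = None
    if ancount:
        off = skip_name(resp, off)
        _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    return {
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "recursion_available": bool(flags & 0x0080),
        "authenticated": bool(flags & 0x0020),   # AD bit: resolver validated the data
        "truncated": bool(flags & 0x0200),
        "answers": ancount,
        "first_ttl": ttl,
    }


def query_hop(server, name, timeout=3.0):
    """One UDP query to server=(host, port) with a random transaction id."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), server)
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def check_chain(name="dnscrypt.org"):
    """Query dnscrypt-proxy directly, then Unbound twice.  On a working setup all
    three are NOERROR, Unbound sets AD for a signed zone, and the second Unbound
    answer's TTL is no larger than the first (served from the local cache).
    SERVFAIL from Unbound while dnscrypt-proxy answers NOERROR is the validator
    rejecting the data (bogus signatures, or no root.key); a timeout on 2053 means
    dnscrypt-proxy is not running or listens on another port (check the registry)."""
    hops = (("dnscrypt-proxy", DNSCRYPT_PROXY), ("unbound", UNBOUND), ("unbound (again)", UNBOUND))
    results = {}
    for label, server in hops:
        try:
            results[label] = query_hop(server, name)
        except (OSError, ValueError) as exc:      # socket.timeout is an OSError
            results[label] = {"error": "%s: %s" % (type(exc).__name__, exc)}
        print("%-16s %s" % (label, results[label]))
    return results


if __name__ == "__main__":
    check_chain()
```

    Run it from a normal (non-admin) prompt after the services are up. A transaction id mismatch is reported as an error on purpose: a stray reply with the wrong id is exactly what a spoofing attempt or a stale response looks like, and it should never be counted as a successful hop.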
  6. Soulfate

    Soulfate MDL Member

    Feb 14, 2011
    #6 Soulfate, Oct 15, 2015
    Last edited: Oct 16, 2015

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #7 CHEF-KOCH, Oct 17, 2015
    Last edited: Oct 21, 2015
    I don't recommend using your linked .msi file; this is from another project which is outdated in its current form (it's from 2012) and doesn't respect all the commands from the original DNSCrypt project or the SimpleDNSCrypt project, that's the reason I didn't mention it. However, the 'best' is still to use --install from the shell; this never gave me any problems and it isn't that hard to replace my given resolver with the one you like. Such things are also Windows only; on Linux you only need to apt-get Unbound/DNSCrypt and you are mostly done with the installation process. The GUI is much overhyped, it's so easy, I mean really, just one look at my thread or the docs. Each command is explained; this is one of the best documented free projects I've ever seen, give it a try.

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    #9 CHEF-KOCH, Apr 25, 2017
    Last edited: Apr 26, 2017
    With today's update of Unbound 1.6.2 it officially supports DNSCrypt via a command-line argument. I will update the guide when DNSCrypt also gets an update to fully support this. There is also a (now official) adblocker .cmd included which requires wget to be installed, and you need to create an unbound_ad_servers file within the same dir as Unbound (or another one optionally) to add your findings.

    As time has passed since I wrote this guide (which still works btw) there have been a lot of changes in the SimpleDNSCrypt project. One goal would be to get a working all-in-one setup some day, but Unbound isn't included yet. If there are problems with the guide you should use this tool instead; it also has a lot of useful features like auto-updating the resolver list, an included adblocking mechanism (optional) and many more.

    I'll try to contact every developer to bring this together, and I will update the thread silently when there are more news or changes.