OpenDNS + DNSCrypt - Mini-Review -
HOME | Blog | Software | Reviews and Features | Forum | Help | Donate
Click here to
donate and join now!
Welcome Guest.   Make a donation to an author on the site April 27, 2015, 05:13:49 PM  *

Please login or register.
Or did you miss your validation email?

Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.

You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
Read the Practical Guide to Forum Search Features
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: OpenDNS + DNSCrypt - Mini-Review  (Read 8318 times)
Supporting Member
Posts: 5,167


see users location on a map View Profile Give some DonationCredits to this forum member
« on: June 08, 2013, 11:59:41 AM »

    Original post:2013-06-08
    Last updated:2014-06-08

    Basic Info
    App Name + DNSCrypt
    Thumbs-Up Rating Thmbsup Thmbsup Thmbsup Thmbsup Thmbsup
    App URLOpenDNS home page
    DNSCrypt download page
    Lifehacker overview of DNSCrypt
    App Version ReviewedDNSCrypt up to v0.0.6 (since May 2012)
    This is the current version as at the "Last updated" date at the top of this post.
    Test System SpecsWin7-64 Home Premium, Windows 8.1
    Supported OSesDNSCrypt runs on:
     - Windows - XP, Vista and 7 and 8.
     - Mac..
    Support Methods
    Upgrade PolicyDNSCrypt - FREE - as and when available.
    Trial Version Available?FREE - NO limitations.
    Pricing SchemeOpenDNS + DNSCrypt are both FREE.

    Screenshot of the main tabbed DNSCrypt GUI pane, showing the settings summary on the General tab:

    I had been meaning to pull together a mini-review of this for some time, but after (a) some recent events and (b)some discussion about DNSCrypt and VPNGate on the DC Forum, I figured the mini-review was probably now overdue.
    (a) The recent events were:
    • 1. Guardian report: the published details of a leaked secret court order, as first reported in the on 2013-06-06: NSA collecting phone records of millions of Verizon customers daily

    • 2. DemandProgress email: An email sent on 2013-06-08 to subscribers, from
      The revelations of spying on telephone customers are extraordinary -- but it gets even worse.  The government is spying, in real time, on all Internet users. From the Guardian:
      (Referring to: NSA Prism program taps in to user data of Apple, Google and others)
      The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
      The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

    (b) The DC Forum discussions were:

    What this is all about is personal privacy and security: we now know that different governments - for a variety of reasons - are spying on their citizens, tapping into their Internet, telephone and general communications traffic. As well as that, there may be criminal operations with sophisticated equipment, tapping into the same communications, for multifarious criminal purposes. I'll leave it up to you, the reader, to figure out which of these two is probably the greater threat, or which countries' governments are not spying on their citizens in this manner.

    Description of OpenDNS + DNSCrypt:
    • 1. DNS:
      DNS stands for "Domain Name Server". Here is a somewhat over-simplification of what this server does:
      • When you set your browser to go to a URL (Universal Resource Locator) address - e.g., (say) - your browser passes the request to your ISP (Internet Service Provider) connection node.
      • That node is usually the Primary DNS for you, and there will be a Secondary one also, as backup.
      • The IP (Internet Protocol) addresses - which are strings of numbers - of the 2 DNSes are set up in your broadband router.
      • The DNS takes the URL your browser sends it, and looks it up in a huge conversion table of all available IP addresses.
      • The DNS then finds the IP address for that URL, and sends off  a request to connect to that IP address.
      • This begins your Internet communication/transaction with (say)

    • 2. OpenDNS:
      This essentially is a FREE service that you access by setting two OpenDNS IP addresses as your Primary and Secondary DNSes in your broadband router, replacing those of your ISP's:
      • First you could set up (it's not mandatory) your OpenDNS Premium account here.
      • Then you set up these two IP addresses as your Primary and Secondary DNS in your broadband router:

      There is an OpenDNS server map at
      (Hover over the network nodes to see a description of each one.)

      Once you have set up the OpenDNS IP addresses in your broadband router, the ISP becomes a passive "pass-through" node, with the OpenDNSes taking over the role of serving your request to (say), and the handling of the communications between and you from that point on.

      The benefits of doing this are several, and include: (from the OpenDNS website)
      • Speed up your Internet experience.
        OpenDNS’s 12 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.

      • Make your Internet more reliable.
        With our extensive data center footprint and use of Anycast technology, the OpenDNS network has built-in redundancy ensuring zero downtime. SmartCache technology, an OpenDNS innovation, enables you to access sites that may otherwise be inaccessible due to authoritative DNS outages, providing you with the most reliable Internet possible.

      • Phishing protection.
        OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. Surf the Web with confidence.

      • Gain visibility into your network usage.
        OpenDNS’s reports provide you with visibility on your networks' Internet activity, giving you needed insight into how your Internet resources are being used.

      • Easy to set up and it’s free.
        Getting started on OpenDNS Premium DNS takes minutes; there are no downloads or additional software required and it’s completely FREE

    • 3. DNSCrypt:
      Here is the About tab on the DNSCrypt GUI:

      DNSCrypt is a tool for securing communications between a client and a DNS resolver.
      dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server - by default OpenDNS, who run this on their resolvers.
      The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
      While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
      You can download and install the DNSCrypt application from the link given in the table at the top of this review.

    Who this app is designed for:
    The combination of OpenDNS + DNSCrypt will appeal to those who wish to improve their personal privacy and security on the Internet.

    The Good:
    The combination of OpenDNS + DNSCrypt works in this regard - i.e., the improvement of your personal privacy and security on the Internet.
    The privacy/security could be further improved with the use of VPN (Virtual Private Network) services.

    The needs improvement section:
    Not so much needs improvement, but caveats to bear in mind:
    • Though you can set your OpenDNS Premium account to not maintain your traffic logs, a government authority could oblige the OpenDNS operator to maintain logs, regardless of users' wishes, and these logs could be used for surveillance (spying).
    • DNSCrypt only encrypts traffic between your PC and your OpenDNS server(s). The traffic between those DNSes and the Cloud is unencrypted, and compulsory government access and surveillance could still monitor that traffic at some point.
    However, on balance, it would seem that the chances of improved personal privacy and security would be better with using the combination of OpenDNS + DNSCrypt than without it.
    Further privacy/security and also anonymity could be gained through the use of a VPN (Virtual Private Network), in addition to OpenDNS + DNSCrypt.

    Why I think you should use this product:
    • Because your personal privacy and security would likely be improved with using the combination of OpenDNS + DNSCrypt.
    • Because if you are using a VPN, then DNSCrypt could help avoid the risk of "DNS leak" (refer the Lifehacker review for explanation of this).

    How does it compare to similar apps.:
    I am not aware of any closely similar current services/applications.
    Some paid-for (not FREE) VPN service providers might offer some form of PC-to-DNS encryption, but I do not know.

    • 1. Objective achieved: Using OpenDNS should improve on the Internet service experience that you might normally expect to receive from your ISP.
    • 2. Objective achieved: Combining that with the use of DNSCrypt should improve your levels of personal privacy and security on the Internet, even if you are already using a VPN.
    • 3. Experience indicates that OpenDNSCrypt is very stable: I started using OpenDNSCrypt in May 2012 on a laptop running Win7-64 Home Premium, and in May 2015 migrated with it to Win8.1. OpenDNSCrypt has run flawlessly at all times, but it will always be dependent on the underlying network infrastructure being in a robust state.
    Links to other reviews of this application: (the first two are all you really need to get started)
    « Last Edit: June 07, 2014, 10:58:31 PM by IainB; Reason: Updated. » Logged
    First Author
    Posts: 34,503

    see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
    « Reply #1 on: July 06, 2013, 12:33:06 PM »

    I overlooked this post originally -- just wanted to say thanks for taking the time to post it.  Much appreciated  thumbs up
    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #2 on: July 07, 2013, 07:57:27 AM »

    @mouser: Thanks for your appreciation. Always nice to have.
    I am no expert on TCP/IP telecommunications, but I like to know how things work and why I should probably be using them, so using OpenDNS and later DNSCrypt was an educational voyage of discovery for me. Hopefully, posting the mini-review will help others take a shorter learning curve for DIY in this. The Lifehacker post I linked to was especially informative.

    Having used OpenDNS + DNSCrypt for a while now with no issues, I have been trialling VPN gate for greater security/privacy, and have found it pretty good.

    Coincidentally, I read this rather relevant post in today: Want to Defend Your Privacy?

    In the post, he discusses using VPN (Virtual Private Network) services, refers to various links (some offshore to the US) for improved security/privacy, and recommends consideration be given to the use of the likes of:
    Posts: 3


    see users location on a map View Profile WWW Give some DonationCredits to this forum member
    « Reply #3 on: July 15, 2013, 03:28:04 PM »

    I recently started using DNSCrypt after seeing it listed in the latest SnapFiles freeware updates. I've been using OpenDNS (and the OpenDNS Updater) for years and when I saw how long DNSCrypt has been available I had to wonder how I'd missed it (although with my leaky memory I might find it on an old 'To Do' list that's been buried by others..).

    One thing I've noticed (in System Explorer's 'Connections' tab) are continuous UDP connections by OpenDNSInterface.exe that are constantly varying in number. There's always at least one, then two, three, four and sometimes five entries, then it will drop back to one, then the process repeats, 24/7. Any idea what is going on with that?
    It's not using a huge amount of memory and the "dnscryptproxy.exe" uses even less.

    - Other observations:
    I don't know if it's related to DNSCrypt, but since I've been running it the OpenDNS Updater message window (and the on & off again "Using OpenDNS?" "No" alerts) has stopped popping up.
    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #4 on: July 16, 2013, 03:34:41 AM »

    You may have missed the advent of DNSCrypt because, almost immediately after it was announced/released, OpenDNS seemed to stop talking about it. It was kinda buried away. I suspect that they may have been asked to do that, as the implications of using DNSCrypt are that government snooping (NSA) is frustrated to some extent...

    I can't answer "What is going on with that?", but here is a screenshot capture of the relevant OpenDNSCrypt connections on a laptop, as viewed in Process Hacker:

    It rather looks as though DNSCrypt may be automatically dynamically making as many connections - and polling the relevant ports - as it needs at any given point.

    I was not sure what the OpenDNS Updater was as I don't use it and I don't get any messages from anything by that name.
    I looked it up and found it referred to at
    Windows IP Updater
    This is the officially supported OpenDNS Windows client, which sends your network's new IP Address to OpenDNS whenever it should change.
    I have the Primary and Secondary DNS nodes (IP addresses) set in my router as being the OpenDNS addresses, so when I restart the router or my ISP assigns a new dynamically allocated IP address, it doesn't stop the connection going to the OpenDNS nodes.
    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #5 on: June 07, 2014, 11:58:08 PM »

    2014-06-08 1605hrs: I have just updated the opening post with some more information.
    The OpenDNSCrypt version has not been incremented/changed, and it still runs flawlessly after my having migrated it from a laptop using Win7-64 to Win8.1.

    Some people (not me, you understand) might say that, In light of revelations regarding snooping - e.g., including US-driven **AA (music licencing Mafia) snooping, US/UK+Others NSA/SnowdenGate snooping, Australian and NZ Government authorised censorship snooping - installing OpenDNSCrypt could be a no-brainer for users wishing to protect their rights to privacy and security of personal information, but I couldn't possibly comment.
    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #6 on: June 08, 2014, 03:53:57 AM »

    An announcement from OpenDNS.

    Link via Lifehacker:
    A new reason to love OpenDNS: no more ads or redirections.
    The OpenDNS Guide is going away.

    Starting on June 6, 50 million plus users of OpenDNS’s free DNS around the world will no longer see ads in our service. We put a great deal of thought into this decision. Here’s why we made the call to eliminate it:

        We always want to do what’s best for you.
        The Internet has evolved and it’s simply no longer in the best interest of Internet users to redirect to search results. The OpenDNS Guide was, until recently, a helpful tool. If the website you wanted to visit wasn’t loading, we took you to search results instead of an error page. But times have changed. Browsers work differently. Internet users have become accustomed to their browser address bar behaving like a search box. We want to give you the behavior you expect. As of June 6th, all of OpenDNS’s users will get NXDOMAIN and SERVFAIL messages to get truly RFC compliant DNS.
        Ads are annoying.
        Let’s be honest, few of us like to see them. So we’re making them go away, at least within OpenDNS. We provide the safest, fastest and most reliable DNS service in the world free of charge. The revenue from the ads on the Guide has historically enabled us to do that. But we’re excited to report that in the past few years we’ve built a thriving enterprise security business and now have more than 10,000 happy, paying customers. So, while that revenue from ads is nice, it’s more important to us to provide you with a delightful user experience.
        Ads and security don’t mix.
        OpenDNS is a security company above all else, and ads can often be a vector for security infections and intrusions. Malware might surface through third-party ad networks, or be hidden inside the ad creative itself in the form of flash exploits or javascript tricks. Removing the ads makes our service more secure and that’s a good thing for both users of our free DNS service and of our enterprise security service. Finally, pretty much every major ad network out there participates in pervasive user tracking through cookies. Those cookies can compromise your privacy, and in the wrong hands, your security. Less of that is better for you.

    Charter Member
    Posts: 6,756

    see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
    « Reply #7 on: June 08, 2014, 04:33:15 AM »

    Is DNSCrypt abandonware? The Windows client hasn't been updated in two years. . .

    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #8 on: June 08, 2014, 12:02:07 PM »

    Is DNSCrypt abandonware? The Windows client hasn't been updated in two years. . .

    I wondered the same, but came to the conclusion that it would not be correct to call it abandonware, as it has not been abandoned - it just doesn't require any further development at this stage. Quickly putting it into the Public Domain after it had achieved final version was probably a calculated move done by OpenDNS before anyone could stop them. They deliberately opened a sort of Pandora's box. It's all about transparency and trust.
    That was why, in my update to "version" in the opening post I changed it to read "DNSCrypt up to v0.0.6 (since May 2012)".

    The thing is, OpenDNSCrypt apparently does exactly what it was designed to do - i.e., simply provide PC<-->OpenDNS node encryption - so no further development would be needed unless (say) the encryption protocol, or something, needs to be changed for some reason.
    My observation would be that it was a quite legitimate additional security service, effectively frustrating/preventing classic criminal "man-in-the middle" attacks, which would be an extremely inconvenient service for any establishment-approved agencies undertaking surveillance/censorship at the user's ISP node. Those agencies are effectively conducting "man-in-the middle" attacks and are also probably gathering "DNS leakage" data - both of which would be effectively blocked by OpenDNSCrypt.

    The traffic that used to flow between the user's PC and that ISP node was in clear and could be inspected anywhere between the User's PC and that ISP node, whereas, if the user has now enabled OpenDNSCrypt, then now that traffic is encrypted between the user's PC and the OpenDNS node.
    Thus, it is now unintelligible encrypted traffic that flows through the ISP node, and even if (say) one's Cisco ADSL modem/router had been compromised by these agencies, the now unintelligible encrypted traffic that flows through it to/from the PC would be of no use.

    This would seem to force the point of surveillance/censorship to be moved to either inside the OpenDNS node or on to the Cloud-side of the communication links from that node. So it "...would be an extremely inconvenient service" for criminal organisations and/or establishment-approved agencies undertaking surveillance/censorship.
    Bit of a bugger, that.    cheesy
    Charter Member
    Posts: 6,756

    see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
    « Reply #9 on: June 08, 2014, 06:00:04 PM »

    All I know is that I have frequent connectivity issues that are almost always traced back to DNSCrypt. I.e., my problems go away when I disable DNSCrypt. And that's even with the "Fall back to insecure DNS" enabled.

    Supporting Member
    Posts: 5,167


    see users location on a map View Profile Give some DonationCredits to this forum member
    « Reply #10 on: June 09, 2014, 10:03:40 AM »

    That is odd.
    I have used OpenDNSCrypt for a couple of years now, on several laptops and from 3 different locations, and it always works a treat.
    From experience, if the installation is correctly set up, then it should/will run like clockwork.
    I was getting a spotty connection (the OpenDNSCrypt bulb in the Systray kept going red) on this laptop I am using at present. I put it down to the fact that there was so much change going on (upgrading from Win8-64 to Win8.1-64 and lost of migration and program installs happening) that I should do a clean reinstall of OpenDNSCrypt. So I uninstalled it and reinstalled it and the problems immediately went away.
    Pages: [1]   Go Up
      Reply  |  New Topic  |  Print  
    Jump to:  
       Forum Home   Thread Marks Chat! Downloads Search Login Register | About Us Forum | Powered by SMF
    [ Page time: 0.071s | Server load: 0.1 ]

    Share on Facebook
    submit to reddit