Windows 10: Encrypted DNS (DoH) now on Win 10 - but better than dnscrypt-proxy?

Discussion in 'Windows 10 Network and Sharing' started by glnz, Mar 6, 2021.

  1. glnz Win User

    Encrypted DNS (DoH) now on Win 10 - but better than dnscrypt-proxy?


    Per this article from a very good IT tech website -
    Enabling DNS over HTTPS (DoH) on Windows 10 | Windows OS Hub
    Win 10 (version 2004 and up) now has encrypted DNS lookups via DNS over HTTPS, also known as "DoH". The article describes a registry hack and a Network property setting to get it running.

    But is it better than other techniques out there? For three years I have been doing encrypted DNS lookups via DoH on my dual-boot Win 7 + 10 PC by running the service dnscrypt-proxy, which I set up on my PC using the app Simple DNSCrypt. I did the same on my iPhone by using the apps DNSCloak or Cloudflare's "WARP".

    DoH, Simple DNSCrypt, DNSCloak and the service dnscrypt-proxy are described on this great article at arstechnica:
    How to keep your ISPs nose out of your browser history with encrypted DNS | Ars Technica

    I think (not sure) that the advantage of the service dnscrypt-proxy over the new Win 10 native DoH is that dnscrypt-proxy stores a cache of DNS lookups on my PC at 127.0.0.1, making those connections even faster. dnscrypt-proxy doesn't go to a DNS server like 1.1.1.1 (even if the connection is now encrypted and checked) unless it needs to. I don't think Win 10's version of DoH does that.

    What do you think?

    :)
     
    glnz, Mar 6, 2021
    #1
  2. glnzglnz Win User

    Dnscrypt-proxy starts then terminates on boot - no internet - Win 7 Pro 64-bit

    Our PC is Win 7 Pro 64-bit with 16GB RAM. We have Verizon FIOS 1Gbps at home, so the setup is all pretty good.

    Five months ago, we installed Simple DNSCrypt 64-bit on our Win 7 machine, which in turn installed the dnscrypt-proxy process and service on the machine. This encrypts all DNS lookups so our ISP cannot see where we go on the web, and we set it to connect to Cloudflare's new 1.1.1.1 DNS resolver, which is fast, highly secure and doesn't keep logs. It's a great combination of services - see the very helpful article How to keep your ISP's nose out of your browser history with encrypted DNS | Ars Technica.

    Starting just two weeks ago ±, on reboots, our internet connection got spotty on this machine and then started to die. Not all reboots, but maybe half. I figured out today that the dnscrypt-proxy process and service are starting on reboots but then something is terminating them pretty quickly as booting continues. When they terminate, the PC cannot connect to the internet.

    I tried a number of things today, but the only solution I found was to change the dnscrypt-proxy service's start to "Automatic (Delayed Start)", which works but causes every reboot to take longer.

    Here's a link that will take you to an xls with the entire Autoruns list of startup items: || THIS LINK ||
    (Rows with strikeout text are DISABLED and do not start.)
    Do you see anything in this startup list that would cause the dnscrypt-proxy process and service to terminate?


    Thanks.
     
    glnzglnz, Mar 6, 2021
    #2
  3. glnzglnz Win User
    DNS Name resolution for “_ldap._tcp.dc._msdcs.fios-router.home” & “wpad” BLOCKED by dnscrypt-proxy! How to fix? And GOOD STUFF here

    This first post is a bit long because I've added some updates, but it also has some good stuff for you, so please bear with me. HOWEVER, please DO NOT post any stock answer. This query will NOT be fixed by any kind of automatic answer. PLEASE ABSORB THE DETAILS.

    On every reboot of my Win 10 Pro 64-bit (version 1803) PC, I get two Warnings in Event Viewer:

    "Name resolution for the name _ldap._tcp.dc._msdcs.fios-router.home. timed out after none of the configured DNS servers responded."

    and

    "Name resolution for the name wpad timed out after none of the configured DNS servers responded."

    Both are Event 1014, DNS Client Events.

    The first Warning's reference to "fios-router.home" must be to my Quantum G1100 modem-router that was supplied by Verizon for my FIOS 1Gbps service. Also, the DNS name resolution is probably needed for proper functioning of the Quantum G1100's "Active Directory". See item #4 at this link: -THIS LINK ON MSDN-


    But I'm not a tech and don't know how to start fixing this.

    EDIT - More info:

    By experimenting, I have determined that these Warnings occur when I have the service dnscrypt-proxy running at startup. It's a great service that encrypts DNS lookup requests so that nobody - not Verizon and not Google and not man-in-the-middle bad guys - can see where I am trying to go. My only "resolver" is Cloudflare's newish 1.1.1.1 service. The dnscrypt-proxy service running on my PC sends needed DNS name lookups only to that resolver, and encrypted.

    First, there's a superb article on Ars Technica that explains everything about dnscrypt-proxy and Cloudflare's secure 1.1.1.1 DNS lookup service in great detail:

    How to keep your ISP’s nose out of your browser history with encrypted DNS


    Second, you can download and get technical info about Simple DNSCrypt - which helps you install and configure dnscrypt-proxy on a Win machine - from github at

    github-bitbeans-SimpleDnsCrypt


    Third, apparently (because dnscrypt-proxy is working) the DNS name lookup requests for _ldap._tcp.dc._msdcs.fios-router.home. and wpad are going to Cloudflare's 1.1.1.1 resolver, but these two can only be resolved INSIDE my LAN network.
    What should I do to continue using dnscrypt-proxy but let "_ldap._tcp.dc._msdcs.fios-router.home" and "wpad" get the needed DNS/name resolution and so not generate the Warnings I describe above? ◄ This is the important question.


    UPDATE -

    As to the Event 1014 Warning that "Name resolution for the name _ldap._tcp.dc._msdcs.fios-router.home. timed out after none of the configured DNS servers responded.":

    I've done some more digging, and the dnscrypt-proxy service I am using to encrypt my DNS lookups and send them only to Cloudflare's new 1.1.1.1 has a Forwarding feature, maybe especially for cases like this.

    See < THIS PAGE ON GITHUB >




    MORE Update - trying to follow the wiki link about Forwarding -

    1. I put forwarding-rules.txt into the same folder as dnscrypt-proxy.toml.
    2. I added the line forwarding_rules = "forwarding-rules.txt" (using double-quotes not single quotes) to dnscrypt-proxy.toml right after the line cache_neg_ttl = 60
    3. The only line I put in forwarding-rules.txt is fios-router.home 192.168.1.1

    Is that correct?

    RESULTS - The above didn't work, and on reboots I continue to get the Event 1014 Warning "Name resolution for the name _ldap._tcp.dc._msdcs.fios-router.home. timed out after none of the configured DNS servers responded."


    What next?
     
    glnzglnz, Mar 6, 2021
    #3
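The forwarding rules in post #3 can be sanity-checked offline. The following is an added example written for this thread, not code from dnscrypt-proxy or from the poster: it re-implements the matching rule that dnscrypt-proxy documents for forwarding-rules.txt (a rule for a domain covers that domain and every name under it, the trailing dot of a query is ignored, the most specific matching rule wins) and runs the two Event 1014 names from the post through it. The rule texts, the `LAN_RULES_TEXT` that adds a separate `wpad` entry, and the use of 192.168.1.1 as the router address are constructed from what the post states; everything else (function names, the longest-suffix tie-break) is this example's own assumption.

```python
"""
Added example: a small re-implementation of the name-matching logic that
dnscrypt-proxy applies to forwarding-rules.txt, used to check which of the
names from the Event 1014 warnings a given rules file would actually forward.
This is NOT dnscrypt-proxy's own code; assumptions are marked below.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    domain: str               # rule domain, lower-case, no trailing dot
    servers: Tuple[str, ...]  # upstream resolvers for that domain


def parse_forwarding_rules(text: str) -> List[ForwardRule]:
    """Parse the 'domain server1,server2' line format of forwarding-rules.txt."""
    rules: List[ForwardRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in the rules file
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        domain = parts[0].lower().strip(".")
        servers = tuple(s.strip() for s in parts[1].split(",") if s.strip())
        rules.append(ForwardRule(domain, servers))
    return rules


def matches(rule_domain: str, qname: str) -> bool:
    """A rule covers the domain itself and any name under it (label boundary enforced)."""
    return qname == rule_domain or qname.endswith("." + rule_domain)


def forward_target(rules: List[ForwardRule], qname: str) -> Optional[Tuple[str, ...]]:
    """Return the servers a query would be forwarded to, or None if it goes to the
    normal encrypted upstream. Assumption: when several rules match, the longest
    (most specific) domain wins."""
    name = qname.lower().rstrip(".")          # queries arrive with a trailing dot
    best: Optional[ForwardRule] = None
    for rule in rules:
        if matches(rule.domain, name) and (best is None or len(rule.domain) > len(best.domain)):
            best = rule
    return best.servers if best else None


# Constructed: the single rule the poster said they put in forwarding-rules.txt.
POSTER_RULES_TEXT = "fios-router.home 192.168.1.1\n"

# Constructed: the same rule plus a separate entry for the bare 'wpad' label,
# which no suffix rule can cover because the query has no parent domain.
LAN_RULES_TEXT = """
# send router-local names and the bare wpad lookup to the router, not upstream
fios-router.home 192.168.1.1
wpad 192.168.1.1
"""

POSTER_RULES = parse_forwarding_rules(POSTER_RULES_TEXT)
LAN_RULES = parse_forwarding_rules(LAN_RULES_TEXT)

# The two names quoted in the Event 1014 warnings from the post.
EVENT_1014_NAMES = ("_ldap._tcp.dc._msdcs.fios-router.home.", "wpad")


def report(rules: List[ForwardRule], names=EVENT_1014_NAMES) -> dict:
    """Map each queried name to its forwarding decision, for display and testing."""
    return {n: forward_target(rules, n) for n in names}


if __name__ == "__main__":
    for label, rules in (("poster's rules", POSTER_RULES), ("with wpad rule", LAN_RULES)):
        print(label)
        for name, target in report(rules).items():
            print(f"  {name:45} -> {target or 'encrypted upstream (not forwarded)'}")
```

Run as written, the poster's single rule does forward the `_ldap._tcp.dc._msdcs.fios-router.home.` query to the router, but the bare `wpad` query matches nothing and still goes upstream; the second rules file covers both. Two caveats for reading the result against the real service: this models only the matching, so a rule that matches here but still produces Event 1014 points at the edited dnscrypt-proxy.toml not being the one the running service loaded; and anything forwarded to 192.168.1.1 is sent to the router in plain DNS on the LAN, which is the intended trade for router-local names but worth keeping to an explicit, short list.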
  4. Encrypted DNS (DoH) now on Win 10 - but better than dnscrypt-proxy?

    DNS-over-HTTPS (or DoH) Question

    DoH is mainly for companies and ISPs, who block DNS requests made by users, but they can not block https.
    It is preferable to use DNS over TCP. I prefer dnscrypt, because UDP can not be as easily abused as TCP.
    To sum it up: dnscrypt > DoT > DoH > DNS. Then again DoH is definitely better than classic DNS.
    When you use VPN, DNS can leak your real IP and your DNS requests, just like IPv6.
     
    TairikuOkami, Mar 6, 2021
    #4