The DNSCrypt tool encrypts DNS traffic from the client computer to OpenDNS servers to prevent attackers on insecure networks from eavesdropping what Websites are being accessed.
Domain Name System services
provider OpenDNS has released an open-source tool to encrypt DNS traffic to
protect network connections between the user's computer and the company's
The DNSCrypt tool is
designed to secure plain-text DNS traffic and protect users from
man-in-the-middle attacks, OpenDNS said Dec. 6. The DNS protocol acts as a
phone directory for the Web, translating domain names into the actual IP
addresses of the server the site is hosted on. With DNS, users don't have to
remember the numeric addresses.
Security experts have long
warned that the DNS infrastructure was vulnerable to attack and needed to be
secured. The "inherent weaknesses" in the architecture meant that
attackers could intercept and redirect users to malicious sites, or eavesdrop
on user activity through a man-in-the-middle attack, Melih Abdulhayoglu, CEO
and chief security architect of Comodo, told eWEEK
A recent F5 Networks report
found that DNS
were the most frequent type of attacks faced by organizations. They
are also the most difficult to defend against and have the highest impact on
enterprises, according to the report.
unfortunately, always had some inherent weaknesses because it's transported in
Ulevitch, OpenDNS CEO
, wrote in a blog post announcing the DNSCrypt tool.
While there has been some
effort to secure DNS, there hasn't been much work done on the "last
mile," of the connection between the client machine and the Internet
service provider or the DNS provider, according to Ulevitch. The "last
mile" is when "bad things," such as snooping, tampering and
hijacking traffic, are "most likely to happen," Ulevitch wrote. It's
also "ripe" for man-in-the-middle attacks, especially if the user is
on an insecure network at a coffee shop, for example.
Encrypting all DNS traffic
is a fundamental change that improves security because it prevents anyone eavesdropping
on Internet activity from seeing what Websites the user is visiting or
modifying traffic, Ulevitch said. DNSCrypt uses elliptic-curve cryptography to
encrypt traffic between customers' servers and the OpenDNS servers.
DNSCrypt would effectively
make most forms of DNS censorship obsolete and thwart surveillance systems trying
to impose censorship, said security researcher Jacob Appelbaum.
DNSCrypt is a "very
strong first step" and is not intended to replace DNSSEC, the security
protocol designed to verify and validate domain names, according to Ulevitch.
DNSSEC is being deployed by
many registrars to guard against DNS tampering. It uses public key cryptography
to digitally "sign" DNS records for Websites to prevent tampering and
cache poisoning. DNSSEC provides a way to verify that the server listed in the
DNS record is actually the one the domain owner specified.
"Even if everyone in
the world used DNSSEC, the need to encrypt all DNS traffic would not go
away," the company wrote on the FAQ page for DNSCrypt
The company suggested that
DNSCrypt is similar to Secure Sockets Layer in that it encrypts DNS traffic in
the same way SSL wraps HTTP traffic. DNSCrypt would wrap DNS traffic and DNSSEC
would sign and validate a subset of that traffic, according to the FAQ.
Currently available only for
Mac OS X, OpenDNS also released DNSCrypt's source code. It is still a
"technology preview" and the company will be updating the code as
needed, according to Ulevitch.