New Means to Secure DNS Traffic Looks Promising

P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at
By P. J. Connolly  |  Posted 2011-12-08

If I had to pick the most vulnerable part of the Internet, my choice would be DNS. It's far too easy to spoof, and the main stakeholders have been fairly resistant to making changes to it that would make it more reliable and less subject to shenanigans. Even workable proposals such as DNSSEC have failed to gain the requisite traction, in part because they require a solution that can scale as well as DNS, without providing an infrastructure to make that scaling possible.


OpenDNS supremo David Ulevitch unveiled the DNSCrypt tool in a blog post on December 6; today, it's Mac-only, but other platforms are expected to be supported in the near future.

Now OpenDNS has taken the wraps off a tool that's aimed at handling the "last mile problem" of DNS, the stretch between the end user and the DNS provider. (Disclaimer: we use OpenDNS, but not exclusively, and that's all you need to know about that.) This tool encrypts DNS traffic; for now, it's only available for Mac OS X, but being open source, it should be relatively easy to port to other platforms. Instead of replacing DNSSEC, which provides a signature-based authentication path for DNS resolvers, DNSCrypt encrypts the traffic in a fashion similar to SSL, using elliptic-curve cryptography to wrap packets.

For now, DNSCrypt is a technology preview, and it is locked to OpenDNS's own servers; hopefully, future development plans for it include the ability to run the encryption against one's own DNS servers, in addition to the proposed extension of platform support.

Here's why the "last mile" of DNS matters: it's terribly insecure, given that until now, all DNS traffic has moved as clear text. That's a huge vulnerability, given the ease of executing man-in-the-middle attacks that can redirect traffic from a known-good site to an impostor. I tend to be fairly paranoid about encrypting traffic on networks I manage - just ask my brother-in-law, who at Thanksgiving became somewhat ticked off at me for setting up WPA2 on my mother's wireless network with a 63-character key - and this would fill a big gap in my security when I'm outside of my friendly confines.
