OpenDNS Releases DNSCrypt to Encrypt All DNS Traffic | eWeek

Dec 7, 2011

Domain Name System services provider OpenDNS has released an open-source tool to encrypt DNS traffic to protect network connections between the user’s computer and the company’s servers.

The DNSCrypt tool is designed to secure plain-text DNS traffic and protect users from man-in-the-middle attacks, OpenDNS said Dec. 6. The DNS protocol acts as a phone directory for the Web, translating domain names into the actual IP addresses of the servers the sites are hosted on. With DNS, users don’t have to remember the numeric addresses.

Security experts have long warned that the DNS infrastructure was vulnerable to attack and needed to be secured. The “inherent weaknesses” in the architecture meant that attackers could intercept and redirect users to malicious sites, or eavesdrop on user activity through a man-in-the-middle attack, Melih Abdulhayoglu, CEO and chief security architect of Comodo, told eWEEK recently.

A recent F5 Networks report found that DNS attacks were the most frequent type of attacks faced by organizations. They are also the most difficult to defend against and have the highest impact on enterprises, according to the report.

“DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain-text,” David Ulevitch, OpenDNS CEO, wrote in a blog post announcing the DNSCrypt tool.

While there has been some effort to secure DNS, there hasn’t been much work done on the “last mile” of the connection, between the client machine and the Internet service provider or the DNS provider, according to Ulevitch. The “last mile” is where “bad things,” such as snooping, tampering and hijacking traffic, are “most likely to happen,” Ulevitch wrote. It’s also “ripe” for man-in-the-middle attacks, especially if the user is on an insecure network at a coffee shop, for example.

Encrypting all DNS traffic is a fundamental change that improves security because it prevents anyone eavesdropping on Internet activity from seeing what Websites the user is visiting or modifying traffic, Ulevitch said. DNSCrypt uses elliptic-curve cryptography to encrypt traffic between customers’ servers and the OpenDNS servers.

DNSCrypt would effectively make most forms of DNS censorship obsolete and thwart surveillance systems trying to impose censorship, said security researcher Jacob Appelbaum.

DNSCrypt is a “very strong first step” and is not intended to replace DNSSEC, the security protocol designed to verify and validate domain names, according to Ulevitch.

DNSSEC is being deployed by many registrars to guard against DNS tampering. It uses public key cryptography to digitally “sign” DNS records for Websites to prevent tampering and cache poisoning. DNSSEC provides a way to verify that the server listed in the DNS record is actually the one the domain owner specified.

“Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away,” the company wrote on the FAQ page for DNSCrypt.

The company suggested that DNSCrypt is similar to Secure Sockets Layer in that it encrypts DNS traffic in the same way SSL wraps HTTP traffic. DNSCrypt would wrap DNS traffic and DNSSEC would sign and validate a subset of that traffic, according to the FAQ.

DNSCrypt is currently available only for Mac OS X, and OpenDNS has also released its source code. It is still a “technology preview” and the company will be updating the code as needed, according to Ulevitch.
