New Means to Secure DNS Traffic Looks Promising


If I had to pick the most vulnerable part of the Internet, my choice would be DNS. It's far too easy to spoof, and the main stakeholders have been fairly resistant to making changes to it that would make it more reliable and less subject to shenanigans. Even workable proposals such as DNSSEC have failed to gain the requisite traction, in part because they require a solution that can scale as well as DNS, without providing an infrastructure to make that scaling possible.


Now OpenDNS has taken the wraps off of a tool that's aimed at handling the "last mile problem" of DNS, between the end user and the DNS provider. (Disclaimer: we use OpenDNS, but not exclusively, and that's all you need to know about that.) This tool encrypts DNS traffic; for now, it's only available for Mac OS X, but being open source, it should be relatively easy to port to other platforms. Instead of replacing DNSSEC, which provides a signature-based authentication path for DNS resolvers, DNSCrypt obfuscates the traffic in a fashion similar to SSL, using elliptical-curve cryptography to wrap packets.

For now, DNSCrypt is a technology preview, and it is locked to the servers; hopefully, future development plans for it include the ability to implement encryption on one's own DNS servers, in addition to the proposed extension of platform support.

Here's why the "last mile" of DNS matters: it's terribly insecure, given that until now, all DNS traffic has moved as clear text. That's an incredibly huge vulnerability, given the ease of executing man-in-the-middle attacks that can redirect traffic from a known-good site to an impostor. I tend to be fairly paranoid about encrypting traffic on networks I manage - just ask my brother-in-law, who at Thanksgiving became somewhat ticked off at me for setting up WPA2 on my mother's wireless network with a 63-character key - and this would fill a big gap in my security when I'm outside of my friendly confines.