
DNSCrypt: Encrypting DNS communications, simply

Numerous are the ways DNS can be subverted -- one of which, OpenDNS is trying to fix. Michael Kassner investigates this solution.

DNS (Domain Name System), the "designated comptroller" of domain names and IP addresses, is in trouble, and the list of reasons is long. I'd like to focus on just one: the way Internet-connected computers talk to DNS servers -- the DNS query itself.

What's wrong with DNS queries? For one, they're not encrypted. They aren't authenticated either: a plain UDP stub resolver accepts the first reply that carries the matching 16-bit transaction ID and echoes the question. That opens the door to:

  • Spying: Attackers use DNS to spy on Internet users' online activity via DNS replay, observation, and timing attacks.
  • Man-in-the-middle attacks: An attacker intercepts the communication stream and impersonates both the local and the remote station.
  • Resolver impersonation: Intermediaries hijack DNS traffic destined for trusted name servers and reroute it to malicious name servers, which in turn provide fraudulent query responses.

In plain-speak, when you type a name in the URL field of a web browser, you expect to go to the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank's website, you may be sent to a very good copy of the actual website -- built by bad people specifically to steal your banking credentials.
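The exposure described above, as an added example that is not part of the original article: the query is built the way a stub resolver builds it (RFC 1035 wire format), an on-path observer reads the hostname straight out of the bytes, and a spoofer who answers first is believed, because the only checks a plain UDP client can make are the 16-bit transaction ID and the echoed question. The bank hostname, transaction ID and addresses are constructed for the example.

```python
"""Added example (not code from the article): a plaintext DNS query on the wire,
read by an on-path observer and answered by a spoofer before the real resolver.
Hostname, transaction ID and the attacker's address are constructed."""
import random
import struct

def encode_name(name: str) -> bytes:
    """'www.example-bank.test' -> length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data: bytes, offset: int):
    """Read labels from offset; return (name, offset just past the root label).
    Compression pointers (RFC 1035 4.1.4) do not occur in a question section."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name: str, txid: int) -> bytes:
    """Header: ID, flags (RD=1), QDCOUNT=1, then one question for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def observe(packet: bytes) -> dict:
    """What anyone between the client and the resolver sees: everything."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}

def forge_response(query: bytes, attacker_ip: str) -> bytes:
    """Spoofed reply: copy ID and question, set QR=1, append an A record."""
    q = observe(query)
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", 1, 1)
    # Answer RR: pointer 0xC00C to the name at offset 12, type A, class IN, TTL, RDLENGTH=4
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer

def client_accepts(query: bytes, response: bytes) -> bool:
    """All a plain UDP stub resolver can check: same 16-bit ID, QR bit set, same
    question bytes.  Source address and port are trivially spoofable, so this is
    the whole 'authentication' of an unencrypted DNS answer."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags = struct.unpack("!HH", response[:4])
    return rid == qid and bool(rflags & 0x8000) and response[12:len(query)] == query[12:]

def answered_ip(response: bytes) -> str:
    """IPv4 address from the first answer RR, as forge_response lays it out."""
    _, off = decode_name(response, 12)
    off += 4            # skip QTYPE/QCLASS of the question
    off += 2 + 10       # skip name pointer and TYPE/CLASS/TTL/RDLENGTH of the answer
    return ".".join(str(b) for b in response[off:off + 4])

if __name__ == "__main__":
    query = build_query("www.example-bank.test", random.randrange(0, 65536))
    print("on-path observer sees:", observe(query))
    fake = forge_response(query, "198.51.100.7")
    print("client accepts forged reply:", client_accepts(query, fake), "->", answered_ip(fake))
```

Nothing in the packet is secret and nothing in the reply is signed, so whoever can see the query (or guess its ID) and answer first decides where the browser goes; that is the gap DNSCrypt closes for the client-to-resolver hop.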

A solution from OpenDNS

If you aren't familiar with OpenDNS, it's an independent DNS resolution service. OpenDNS also provides URL misspelling correction, phishing protection, and content filtering.

Why bring up OpenDNS? The company may have the answer to DNS-query hijacking. It's called DNSCrypt. From the OpenDNS press release:

"In the same way SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

It doesn't require any changes to domain names or how they work. It simply provides a method for securely encrypting communications between Internet users and DNS servers in the OpenDNS data centers."

I use OpenDNS and getting rid of the issues I described earlier would be a welcome improvement. I have concerns though, important ones, that were not addressed. So, I called OpenDNS and Allison Rhodes, VP of Communications, allayed my concerns:

Kassner: I am confused by the "last mile" comment:

"This insecure connection between the end user and their DNS resolver, which might be described as the "last mile," is ripe for abuse, and has been abused in the past. The insecure nature of that "last mile" connection enables an array of attacks and privacy violations.

In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable."

To me the "last mile" is from my computer to the ISP. Wouldn't traffic from DNSCrypt be secure all the way to OpenDNS servers?

Rhodes: You are correct. DNS traffic is secure from the subscriber's computer to our name servers. Also, OpenDNS CEO David Ulevitch wanted to point out:

"DNSCrypt also insulates subscribers from their Internet Service Provider's uninhibited access to their DNS activity and domain lookup history."
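What "secure from the subscriber's computer to our name servers" looks like on the wire, as an added example (my own sketch, not OpenDNS's DNSCrypt code): the client holds the resolver's long-term Curve25519 public key ahead of time, generates a fresh key pair, derives a shared key and sends the query sealed; the resolver unseals it with its secret key and seals the reply the same way. DNSCrypt does use Curve25519 for this step; the authenticated cipher below is a stand-in built from HMAC-SHA256 where the real protocol uses an XSalsa20-Poly1305 box, since the standard library has neither. Keys, nonce, the query bytes and the resolve callback are all constructed for the example.

```python
"""Added example, not OpenDNS code: the shape of a DNSCrypt-style channel.
Curve25519 follows RFC 7748 so this runs on the standard library alone; the
authenticated cipher is a stand-in (HMAC-SHA256 keystream plus tag), not the
XSalsa20-Poly1305 box the real protocol uses.  Keys, nonce, query bytes and
the resolve callback are constructed for the example."""
import hashlib, hmac, os, struct

P, A24 = 2 ** 255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder (RFC 7748 s5); scalar clamped as decodeScalar25519 does."""
    b = bytearray(scalar); b[0] &= 248; b[31] &= 127; b[31] |= 64
    k = int.from_bytes(b, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                              # not constant-time; fine for a demo
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b_ = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b_ * b_ % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b_ % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(seed: bytes = b""):
    sk = seed or os.urandom(32)
    return sk, x25519(sk, BASEPOINT)

def _keys(shared: bytes):
    """Split the raw shared secret into an encryption key and a MAC key."""
    return hashlib.sha256(shared + b"enc").digest(), hashlib.sha256(shared + b"mac").digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + struct.pack("!I", i), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(shared: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for crypto_box: XOR with an HMAC keystream, then tag nonce+ciphertext."""
    enc_key, mac_key = _keys(shared)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()

def open_box(shared: bytes, box: bytes) -> bytes:
    """Check the tag before decrypting; a different key or any tampering raises."""
    enc_key, mac_key = _keys(shared)
    nonce, ct, tag = box[:12], box[12:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: forged or tampered packet")
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct))))

def client_query(resolver_pk, query, seed=b"", nonce=b""):
    """Client: ephemeral key pair + pinned resolver key -> shared key -> sealed query.
    The packet (client public key || box) is all the ISP gets to see."""
    csk, cpk = keypair(seed)
    return cpk + seal(x25519(csk, resolver_pk), nonce or os.urandom(12), query), csk

def resolver_answer(resolver_sk, packet, resolve):
    """Resolver: same shared key from the client's public key; open, resolve, seal."""
    cpk, box = packet[:32], packet[32:]
    shared = x25519(resolver_sk, cpk)
    return seal(shared, os.urandom(12), resolve(open_box(shared, box)))

def client_read(client_sk, resolver_pk, reply):
    return open_box(x25519(client_sk, resolver_pk), reply)

def impersonator_fails(packet, resolver_pk, client_sk) -> bool:
    """Resolver impersonation without the resolver's secret key: the attacker can
    neither read the query nor produce a reply the client accepts."""
    ask, _ = keypair()
    shared_guess = x25519(ask, packet[:32])
    try:
        open_box(shared_guess, packet[32:])
        return False
    except ValueError:
        pass
    try:
        client_read(client_sk, resolver_pk, seal(shared_guess, os.urandom(12), b"bogus"))
        return False
    except ValueError:
        return True

# Constructed plaintext query: ID 0x1234, RD set, one question, bank.test A IN
QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x04bank\x04test\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    rsk, rpk = keypair()                  # resolver's long-term key; clients pin rpk
    packet, csk = client_query(rpk, QUERY)
    print("hostname visible on the wire:", b"bank" in packet)
    reply = resolver_answer(rsk, packet, lambda q: b"answer-for-id:" + q[:2])
    print("client decrypted:", client_read(csk, rpk, reply))
    print("impersonator rejected:", impersonator_fails(packet, rpk, csk))
```

An observer at the ISP sees only the client's public key and ciphertext, and because the client pins the resolver's key, a rogue resolver without the matching secret key can neither read the query nor forge a reply that passes the tag check. Everything a production implementation adds on top (constant-time arithmetic, nonce discipline, the real box construction) is deliberately left out here.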

Kassner: Is there a way to tell if DNSCrypt is working and if the packet stream is encrypted?

Rhodes: If DNSCrypt has been correctly installed and configured, the DNSCrypt icon in the menu bar will turn green. If the icon is yellow, it indicates OpenDNS is in use, but not DNSCrypt.

There are types of malware that are capable of altering DNS settings, so we added a third option. The icon will turn red if neither OpenDNS nor DNSCrypt are being used.

Kassner: I noticed that DNSCrypt uses elliptic-curve cryptography. I only recently heard of it. What are the advantages? Does it lend itself to this type of encrypting process?

Rhodes: A major advantage of elliptic-curve cryptography is speed. It is considerably faster than other systems like RSA. Another advantage is that long keys are not required in order to be extremely secure.

Kassner: I read the following on your website:

"The service is not configured to maintain state between reboots, it defaults to off when you reboot. This is only for early releases. Eventually we will have it maintain your preferences between reboots."

How are we supposed to restart DNSCrypt?

Rhodes: In order to turn DNSCrypt back on, just click the menu icon, open the DNSCrypt preferences pane and check the "Enable DNSCrypt" button.

Kassner: Next, I read:

"If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443. This will make most firewalls think it's HTTPS traffic and leave it alone."

If this is a problem, is the fix you recommend available in the DNSCrypt app itself?

Rhodes: The workaround for firewalls mangling DNS packets is handled by the client. All it takes to enable it is checking the "TCP/443" box in the preferences pane. However, use this workaround only when necessary -- it introduces latency.

Kassner: I get almost through the press release and read this:

"At current, DNSCrypt is available for Mac. Downloads, code and more information can be found at http://www.opendns.com/technology/dnscrypt/"

I'm betting a vast majority of your subscribers use Windows machines. So why wasn't DNSCrypt ported to Windows first? When will a Windows version be available?

Rhodes: Well, most of our developers use Macs, so they built a Mac version first. We realize the need for a Windows version and are working on one. It looks like the Windows version will be ready sometime in February.

Final thoughts

DNS as a technology is essential to our digital existence. It also is past its prime and needs to be fixed -- better yet, replaced. For now, OpenDNS is providing another band-aid. Be clear about what the band-aid covers: DNSCrypt encrypts and authenticates only the hop between your computer and the OpenDNS resolver. The resolver itself still sees every lookup you make, and the resolver's own queries out to the authoritative name servers are unchanged.

A special thanks to Allison Rhodes and OpenDNS.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

26 comments
JCitizen

Using Comodo DNS until things get ironed out with this new OpenDNS, for Windows. Thanks for the article! I've been surprised by redirects several times, and Comodo caught them - hopefully all of them? I'll never know.

Michael Kassner

That I didn't spell something wrong. I go over the draft so many times, I have it memorized. Yet, I still manage to miss stuff.

ltjackal

"box in the preferences pane." There is an "l" missing at the end of the word "panel". Otherwise, interesting Q&A. A question about a GNU/Linux version would be an interesting one as well. Thanks

david.hunt

Sorry, Michael... It is a very common error but really grates... The word "and" is a connecting word. By definition, therefore, starting a sentence with "and" is syntactically as well as grammatically incorrect. It would be like having an equation similar to "+ 7 = 10". Secondly, the use of adjacent, redundant synonyms is also rife. You may have a reason for starting a sentence with "and", or perhaps you could explain "why" people frequently make this mistake. To have a "reason why" is just the same as saying "the reason reason..." or "I'm telling you why why I'm writing this way". All stations can now resume their normal programmes ;-)

kdpawson

I use OpenDNS at home on my small network with a VM server running both AD and Linux servers (work from home) and it's great together with a proxy server. However, I'm very disappointed in OpenDNS for releasing this Mac-only version right now; I don't use any Macs so can't even test it. I understand it's Mac because the devs use Macs, but I think they should have released a platform-agnostic version first and then looked at releasing a corporate version for, say, Windows DNS servers and BIND DNS servers. What would be even better is to release a version that could be used in firewalls/routers or build APIs so that it could be used in firmware such as OpenWRT, DD-WRT and my favourite firewall of all, pfSense.

Bo Tym

Do you see this as something that could be integrated with router firmware in the future?

pgit

I take it this is an app that runs in user space? Will there be a Linux version? Better yet, and this would help with mobile devices, is it possible this could be a browser plug in? If it could be run by the browser the underlying platform might be rendered irrelevant.

seanferd

It seems that some people don't realize this, or just want to go ahead and use it anyway with the, er, wherewithal to deal with testing software in some fashion. Note that the source is available, so you can compile it. Packages also available for BSDs.

Michael Kassner

OpenDNS is encrypting DNS traffic between the client and naming servers. That eliminates several exploit avenues. One thing, it's only for Macs until February.

Michael Kassner

Some people prefer to call them panes rather than panels or windows.

bboyd

Caution: francophile spellings of words, like "programmes", may annoy users of standard American English. Secondly, the extra "," usage could be criticized. As an aside, arguing about grammar on the internet is just one of the "Special Olympic" events and just not very productive. +1 vote, to counter, a perfectly valid criticism. /smirk Arguing on the Internet is like running in the Special Olympics - even if you win...

Michael Kassner

Using "and" at the beginning of a sentence is controversial. I have asked all of my writing mentors and anyone else that cares about such. A vast majority tell me there is nothing wrong with using it as I did. As for "reason why", you have me. My only excuse is that my dear friend and the person who would call me out on that type of error recently died. I am an avid student of grammar, but the operative is "student".

seanferd

"What would be even better is to release a version that could be used in firewall/routers " That's called source code, and is available. Roll it into DDWRT source and build it.

Michael Kassner

I think there is some concern about all the variants in MS operating systems that need tending to. I will pass your suggestions along, to be sure.

Michael Kassner

I will pass the question along to the people at OpenDNS.

Michael Kassner

The app needs to be available for other software that phones home. Doesn't it?

Michael Kassner

Did something make you nervous? I'm not able to do much with the code. For what it's worth, I only saw traffic to and from OpenDNS servers.

seanferd

Especially when preceded by the word "preferences". "Panel" does come up a bit more often in Linux desktop environments and Mac usage (the Panel), although I still don't know if it would apply here.

seanferd

But as usual, people who don't understand what they are working with want to use it [i]now[/i], which leads immediately to repetitive and obvious "support" questions, and feature requests, complaints that something doesn't work right, questions as to when what will be available for some OS or another, etc. If you can't troubleshoot the code (or your internet connection) yourself (some people can't even figure out how to install/uninstall the precompiled binaries for Mac) and add your discoveries/bug reports to github or anywhere OpenDNS provides for bug reports, don't bother.

Michael Kassner

I wore him out on that. "Reason why", he would have crucified me.

seanferd

:) You know, OpenDNS hasn't done such a hot job of making this obvious, either. There was the blog post, and the Technologies page article, and apparently press releases to a lot of news outlets. They don't cover the "beta" fact anywhere. Here's a heads-up, though: for the precompiled OS X binaries, you must be using a 64-bit OS. Even if you compile it yourself on a 32-bit system, the GUI will not work, although the application is accessible via the CLI.

seanferd

as to what they are doing. It's those who want to get something first out of the gate who are being difficult. You've seen the alpha/beta users who shouldn't be playing with testing software, haven't you? The same sort who raged on about Windows 8 Metro, even after being told that the desktop was still there, then complained they should be able to access it without a registry edit. This is where we've gotten to at this point: [quote]I was anxious to try DNSCrypt but it DOES NOT WORK on my MacBook Pro Intel Laptop!!!! Does ANY programmer at OpenDNS have a MacBook Pro ???????????? [/quote] Complete with all-caps and ridiculous punctuation, and no mention of what the issue actually is. Others haven't been that bad so far, but an "alpha-testing: unsupported" warning would be a good idea for all the people writing articles about this to include. (Not that this will stop half of them from installing it.)

Michael Kassner

The people that I have talked to are not having any indication of problems or slow downs. Hope it stays that way.