
DNSCrypt for Windows released: Does DNSSEC make it obsolete?

OpenDNS just released a Windows version of DNSCrypt, but does the implementation of the DNSSEC protocol make it obsolete? Patrick Lambert takes a look at what the critics are saying.

A few months back, the OpenDNS team released DNSCrypt, a small program that provides a very useful function for those who use their services. Initially, the Mac and Linux versions were available (see Michael Kassner's post, "DNSCrypt: Encrypting DNS communications, simply"), but now the Windows version has also been added to the mix.

Basically, DNSCrypt encrypts the crucial "last mile" of your DNS traffic: the hop between your machine and the resolver that answers its queries. DNS has always been the Achilles' heel of Internet access. Even though many websites, banks and financial institutions in particular, have moved to encrypted (HTTPS) links, the domain name system used to resolve most web addresses still runs in cleartext over port 53, which offers ample opportunity for mischief, such as man-in-the-middle attacks or any other intrusion that happens locally, between your Internet provider and your machine. Until now there has been basically no way for an individual or a company to encrypt these exchanges, because as soon as a query leaves your network, every resolver and authoritative server expects it in the clear.

Now Windows users can take advantage of the additional security that DNSCrypt provides for OpenDNS users. Because OpenDNS controls its own resolvers, and as an OpenDNS user you send your queries directly to them instead of to your Internet provider's resolver, it gives you a way to encrypt DNS all the way from your system to OpenDNS. The packets still cross your provider's network, but the provider can no longer read or alter them. It also doesn't matter where you connect from, or through which network: whether your laptop is on your own Wi-Fi, at the office, or in a cafe, the queries are always encrypted the same way.

The benefits of something like that are obvious. It prevents snooping on, tampering with, or outright hijacking of your DNS traffic. Even if your web connection to a bank site is encrypted, there are tools that let an attacker sitting between you and the Internet intercept your DNS query and return a forged answer, redirecting you to a bogus site. (HTTPS will raise a certificate warning for the impostor, but that only helps if the user heeds it and the attacker can't pair the redirect with a downgrade to plain HTTP.)

DNSSEC: A more fundamental reform of DNS

Of course, not everyone is as excited about this new client. Critics point out that there's already a more fundamental fix for DNS, called DNSSEC, with capabilities that DNSCrypt doesn't offer: it lets a resolver verify that an answer was signed by the zone's owner and hasn't been altered in transit. However, DNSSEC is still being deployed, and with so many zones and resolvers out there it takes a long time to get it everywhere. The root zone, the very top of the hierarchy (the 13 root server systems don't resolve every domain name themselves; they refer resolvers down to the top-level domains), was signed in July 2010, and every top-level domain, every domain beneath it and every validating resolver still has to follow. So for now, DNSCrypt is an interim measure that addresses a different problem, the cleartext link to your resolver. OpenDNS says that the two can easily work together:

DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.

So for now, if you can't count on DNSSEC validation between your own systems and your resolver, and you already use OpenDNS or are willing to, then DNSCrypt is a very good option. It's an easy way to add encryption to your DNS queries, and while it's not a complete solution (it protects the hop to OpenDNS, not the answers OpenDNS itself returns), it prevents some types of attack. However, some of the complaints about DNSCrypt aren't so much about the technology as about the fact that, to get that encryption, you're entrusting all your DNS traffic to a third-party company. So it's a trade-off, and something you need to decide for yourself or your organization.
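Both points above, the forged answer an on-path attacker can return to a cleartext query and the different guarantees DNSSEC and DNSCrypt give, are easier to see in code. The following Python model is an added example, not OpenDNS's DNSCrypt code or any DNSSEC implementation: it builds real RFC 1035 query and answer packets, but it stands in a keyed MAC (a key the attacker doesn't hold) for DNSSEC's public-key RRSIG and a toy SHA-256/HMAC construction with a pre-shared key for DNSCrypt's Curve25519/XSalsa20-Poly1305 channel, so that it runs with the standard library alone. The names, addresses and keys are constructed for the example.

```python
"""Toy model of the three situations in the article: a plaintext DNS query forged
by an on-path attacker, a DNSSEC-style signed answer, and a DNSCrypt-style
encrypted channel to the resolver. Standard library only; every key, name and
address below is constructed for the example."""
import hashlib
import hmac
import secrets
import struct

REAL_IP, FORGED_IP = "192.0.2.10", "198.51.100.66"   # RFC 5737 documentation ranges
ZONE_KEY = secrets.token_bytes(32)      # stands in for the zone's DNSSEC signing key
SESSION_KEY = secrets.token_bytes(32)   # DNSCrypt derives this with Curve25519; a PSK here


# --- RFC 1035 wire format, just enough for one A query and one A answer ---------
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def build_query(txid, name):
    # header: ID, flags (RD set), QDCOUNT=1; question: name, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(pkt):
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12
    while pkt[pos]:
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += 1 + pkt[pos]
    return txid, ".".join(labels), pkt[12:pos + 5]   # the question section, verbatim


def build_answer(txid, question, ipv4):
    # flags: QR=1 RD=1 RA=1; one A record whose owner name is a pointer to offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ipv4.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def answer_ip(pkt):
    return ".".join(str(b) for b in pkt[-4:])


def stub_accepts(query, response):
    # A classic stub resolver only checks that ID and question echo what it sent.
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


# --- 1. plaintext DNS: the attacker reads the query and answers it first ---------
def plaintext_dns_hijack(name="bank.example"):
    query = build_query(secrets.randbelow(65536), name)
    txid, seen_name, question = parse_query(query)        # everything is in the clear
    forged = build_answer(txid, question, FORGED_IP)
    return seen_name, (answer_ip(forged) if stub_accepts(query, forged) else None)


# --- 2. DNSSEC-style: still in the clear, but the record carries a signature -----
def sign_record(name, ip):
    # Real DNSSEC uses public-key RRSIGs; a keyed MAC the attacker lacks stands in here.
    return hmac.new(ZONE_KEY, f"{name} A {ip}".encode(), hashlib.sha256).digest()


def signed_dns(name="bank.example", attacker=True):
    query = build_query(secrets.randbelow(65536), name)
    txid, seen_name, question = parse_query(query)        # attacker still sees the name
    ip = FORGED_IP if attacker else REAL_IP
    sig = secrets.token_bytes(32) if attacker else sign_record(name, ip)
    response = build_answer(txid, question, ip)
    valid = hmac.compare_digest(sig, sign_record(name, answer_ip(response)))
    return seen_name, (answer_ip(response) if valid else None)   # None means SERVFAIL


# --- 3. DNSCrypt-style: the whole packet is sealed between client and resolver ---
def seal(key, nonce, data):
    # Toy AEAD (SHA-256 keystream XOR + HMAC tag), not DNSCrypt's XSalsa20-Poly1305.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack("!I", i)).digest() for i in blocks)
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                                       # tampered or wrong key
    return seal(key, nonce, ct)[12:-32]                   # XOR is its own inverse


def encrypted_dns(name="bank.example", attacker_tampers=False, resolver_lies=False):
    query = build_query(secrets.randbelow(65536), name)
    wire = seal(SESSION_KEY, secrets.token_bytes(12), query)
    name_visible = name.split(".")[0].encode() in wire    # what the on-path attacker sees
    if attacker_tampers:                                  # flip one ciphertext bit
        wire = wire[:20] + bytes([wire[20] ^ 1]) + wire[21:]
    plain = unseal(SESSION_KEY, wire)
    if plain is None:
        return name_visible, None
    txid, qname, question = parse_query(plain)
    # The resolver answers inside the channel, but nothing proves the answer is honest.
    answer = build_answer(txid, question, FORGED_IP if resolver_lies else REAL_IP)
    reply = unseal(SESSION_KEY, seal(SESSION_KEY, secrets.token_bytes(12), answer))
    return name_visible, answer_ip(reply)
```

Running the three scenarios: `plaintext_dns_hijack()` returns the forged address, because the stub accepts any answer whose ID and question match its query; `signed_dns()` returns None for the forged record (a validating resolver would answer SERVFAIL) yet still exposes the queried name to anyone on the path; `encrypted_dns()` hides the name and detects tampering, but `encrypted_dns(resolver_lies=True)` shows that nothing stops the resolver itself from returning whatever it likes. That last case is exactly the trust trade-off discussed above.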

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

5 comments
seanferd

"you're basically trusting all your DNS traffic to a third party company." You would trust your ISP more? One of the reasons people use OpenDNS, if they aren't using filtering, is because they don't trust the ISP, or the ISP messes with DNS in ways the user does not appreciate. (Including not patching for the Kaminsky flaw even a year after the information was publicly released.) OpenDNS may not be for everyone, but at least they give you options, they are transparent and reachable, and they are dedicated to internet freedom. If they are bad at serving DNS the way users want, they will fail, unlike ISPs - the market actually does have a check against their business.

seanferd

As in, when Patrick Lambert says "released", what this really means is "available". I wouldn't even call it beta testing at this point. That is, this is not a release in the software sense of "finished product". The only thing OpenDNS really charges for is the filtering if you are not a residential user, or if you are a residential user and want a few extras. DNSCrypt just uses plain old DNS. If you want filtering, you do the account signup thing.

Gisabun

I've been using OpenDNS for years now. I've also had others use it to secure their environment. It reduces the chances of malware and phishing scams. DNSCrypt could be interesting. Note that the website says DNSCrypt is in a "preview release" mode.

TobiF

DNSCrypt and DNSSEC do different things. And they can work together perfectly. DNSSEC: Communication in the clear, but the retrieved DNS records are signed by the source, allowing the end user to ensure that the record hasn't been tampered with. Still, though, the DNS requests and responses are sent in the clear, allowing the ISP or fellow visitors at your Wi-Fi spot to see what DNS records you're asking for. DNSCrypt: Encrypted requests from your computer to your DNS resolver server. This hides your requests and their responses from your ISP and from fellow visitors at Starbucks, which stops them from tampering with your replies or even collecting statistics about what sites you're dealing with. But you won't get any proof that OpenDNS didn't change anything in the reply. (However, I think it's OK to trust them, although if they still make "guesses" on typos, then I don't like their services anyway.) Personally, I use Google's public DNS servers, so I can't enjoy DNSCrypt yet. But it's a brilliant idea.

TobiF

Interesting: Preview sounds as if they're thinking of including DNSCrypt in their paid package...