DNSCrypt: Encrypting DNS communications, simply

Numerous are the ways DNS can be subverted -- one of which, OpenDNS is trying to fix. Michael Kassner investigates this solution.

DNS (Domain Name System), the "designated comptroller" of domain names and IP addresses, is in trouble. And, the list of reasons is long. I'd like to focus on just one: the way Internet-connected computers talk to DNS servers -- the veritable DNS query.

What's wrong with DNS queries? For one, they're not encrypted. That opens the door to:

  • Spying: Attackers use DNS to spy on Internet users' online activity via DNS replay, observation, and timing attacks.
  • Man-in-the-middle attacks: When an attacker intercepts the communication stream and impersonates both the local and remote station.
  • Resolver impersonation: Intermediaries hijack DNS traffic destined for trusted name servers and reroute it to malicious name servers, which in turn provide fraudulent query responses.

In plain-speak, when you type a name in the URL field of a web browser, you expect to go to the appropriate web site. But if something or someone is messing with the DNS query, that may not be the case. For example, instead of going to your bank's website, you may be sent to a very good copy of the actual website -- built by bad people specifically to steal your banking credentials.
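To make the plaintext problem concrete, here is an added example (not OpenDNS's or DNSCrypt's code) that builds a standard DNS query for a constructed name and then reads the queried name straight back out of the raw bytes, exactly as any device sitting between the user and the resolver could. It assumes nothing beyond the RFC 1035 wire format.

```python
import struct

# Constructed sample name; the point is that it is readable on the wire.
SAMPLE_NAME = "bank.example.com"


def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (RFC 1035 wire format) for `name`."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + struct.pack(">HH", 1, 1)


def parse_query_name(packet):
    """Recover (transaction id, queried name) from a plaintext DNS query.

    This is what an on-path observer (a hotspot, an ISP, a rogue resolver)
    sees without any key: the whole question section is unencrypted.
    """
    txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount < 1:
        return txid, None
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Stub resolvers never compress the question name; refuse rather than misparse.
            raise ValueError("unexpected label compression in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return txid, ".".join(labels)


if __name__ == "__main__":
    pkt = build_query(SAMPLE_NAME)
    print("raw query bytes:", pkt.hex())
    print("observer recovers:", parse_query_name(pkt))
```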

A solution from OpenDNS

If you aren't familiar with OpenDNS, it's an independent DNS resolution service. OpenDNS also provides URL misspelling correction, phishing protection, and content filtering.

Why bring up OpenDNS? The company may have the answer to DNS-query hijacking. It's called DNSCrypt. From the OpenDNS press release:

"In the same way SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

It doesn't require any changes to domain names or how they work. It simply provides a method for securely encrypting communications between Internet users and DNS servers in the OpenDNS data centers."

I use OpenDNS and getting rid of the issues I described earlier would be a welcome improvement. I have concerns though, important ones, that were not addressed. So, I called OpenDNS and Allison Rhodes, VP of Communications, allayed my concerns:

Kassner: I am confused by the "last mile" comment:

"This insecure connection between the end user and their DNS resolver, which might be described as the "last mile," is ripe for abuse, and has been abused in the past. The insecure nature of that "last mile" connection enables an array of attacks and privacy violations.

In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable."

To me the "last mile" is from my computer to the ISP. Wouldn't traffic from DNSCrypt be secure all the way to OpenDNS servers?

Rhodes: You are correct. DNS traffic is secure from the subscriber's computer to our name servers. Also, OpenDNS CEO David Ulevitch wanted to point out:

"DNSCrypt also insulates subscribers from their Internet Service Provider's uninhibited access to their DNS activity and domain lookup history."

Kassner: Is there a way to tell if DNSCrypt is working and if the packet stream is encrypted?

Rhodes: If DNSCrypt has been correctly installed and configured, the DNSCrypt icon in the menu bar will turn green. If the icon is yellow, it indicates OpenDNS is in use, but not DNSCrypt.

There are types of malware that are capable of altering DNS settings, so we added a third option. The icon will turn red if neither OpenDNS nor DNSCrypt is being used.

Kassner: I noticed that DNSCrypt uses elliptic-curve cryptography. I only recently heard of it. What are the advantages? Does it lend itself to this type of encrypting process?

Rhodes: A major advantage of elliptic-curve cryptography is speed. It is considerably faster than other systems like RSA. Another advantage is that long keys are not required in order to be extremely secure.

Kassner: I read the following on your website:

"The service is not configured to maintain state between reboots, it defaults to off when you reboot. This is only for early releases. Eventually we will have it maintain your preferences between reboots."

How are we supposed to restart DNSCrypt?

Rhodes: In order to turn DNSCrypt back on, just click the menu icon, open the DNSCrypt preferences pane and check the "Enable DNSCrypt" button.

Kassner: Next, I read:

"If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443. This will make most firewalls think it's HTTPS traffic and leave it alone."

If this is a problem, is the fix you recommend available in the DNSCrypt app itself?

Rhodes: The workaround for firewalls mangling DNS packets is handled by the client. All it takes to enable is checking the "TCP/443" box in the preferences pane. However, use this workaround only when necessary -- it introduces latency.

Kassner: I get almost through the press release and read this:

"At current, DNSCrypt is available for Mac. Downloads, code and more information can be found at http://www.opendns.com/technology/dnscrypt/"

I'm betting a vast majority of your subscribers use Windows machines. So why wasn't DNSCrypt ported to Windows first? When will a Windows version be available?

Rhodes: Well, most of our developers use Macs, so they built a Mac version first. We realize the need for a Windows version and are working on one. It looks like the Windows version will be ready sometime in February.

Final thoughts

DNS as a technology is essential to our digital existence. It also is past its prime and needs to be fixed -- better yet, replaced. For now, OpenDNS is providing another band-aid.

A special thanks to Allison Rhodes and OpenDNS.