OpenDNS just released a Windows version of DNSCrypt, but does the implementation of the DNSSEC protocol make it obsolete? Patrick Lambert takes a look at what the critics are saying.
A few months back, the OpenDNS team released DNSCrypt, a small program that provides a very useful function for those who use their services. Initially, the Mac and Linux versions were available (see Michael Kassner's post, "DNSCrypt: Encrypting DNS communications, simply"), but now the Windows version has also been added to the mix.
Basically, DNSCrypt provides encryption for the crucial "last mile" of your Internet connection. DNS has always been the Achilles heel of Internet access. Even though many websites have moved to encrypted links, such as banks and financial institutions, by and large, the domain name system that is used to resolve most web addresses provides ample opportunity for mischief, such as man-in-the-middle attacks, or any type of intrusion that happens locally, between your Internet provider and your machine. There's basically no way for you as an individual or a company to encrypt these connections, because as soon as the query goes out to the net, all the servers expect things to be in the clear.
Now Windows users can take advantage of the additional security that DNSCrypt provides for OpenDNS users. Because they control their DNS servers, and as a member of OpenDNS you connect directly to them, bypassing your Internet provider, it gives you a way to encrypt everything from your system to the Internet. It also doesn't matter where you connect from, or through which network. If you have a laptop and you go between your own Wi-Fi, your office, or a cafe, it's always encrypted the same way.
The benefits of something like that are obvious. It prevents snooping, tampering, or even hijacking your traffic. Even if your web connection to a bank site is encrypted, there are tools out there that allow attackers, who sit between you and the Internet to intercept your DNS query and return the wrong result, redirecting you to a bogus site.
DNSSEC: A more fundamental reform of DNS
Of course, not everyone is as crazy about this new client. Critics claim that there's already a better system out there for securing DNS, called DNSSEC, and that it has capabilities that DNSCrypt doesn't offer. However, this system is still in the process of implementation, and there are so many DNS servers out there that it takes a long time to implement everywhere. The root servers, those very important DNS servers that resolve all the domain names, were signed recently, and in fact, all 13 authoritative root servers switched over to the DNSSEC protocol on May 5, 2012. So for now, DNSCrypt is an alternative — a temporary solution. OpenDNS says that the two can easily work together:
DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.
So for now, if you don't have the ability to get DNSSEC implemented between your own systems and your Internet provider, and you already use OpenDNS or are willing to use their services, then DNSCrypt is a very good solution. It's an easy way to add encryption to your DNS queries, and while it's not a perfect solution, it prevents some types of attack. However, some of the complaints about DNSCrypt aren't so much about the technology, but simply the fact that to get encryption done, you're basically trusting all your DNS traffic to a third party company. So it's a trade off, and something you need to decide for yourself or your organization.