OpenDNS announced a technology preview today for Macs running their DNS services called DNSCrypt. Think of this as doing for the DNS protocol what HTTPS does for the Web protocols. Like its mainline service, it is freely available, and Windows and Linux versions are promised for next year. You can download the code here for the Mac OS. They will eventually post all of their code on GitHub for public scrutiny.
DNSCrypt solves one critical flaw in the DNS process: the ability to snoop as a “man in the middle” on a conversation between two computers, because it encrypts all DNS traffic between your computer and the Internet. This is a real concern, and there have been several exploits lately that took advantage of DNS requests, because the vast majority of them are sent in the clear (just like most email).
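To show concretely what “in the clear” means for a DNS request, here is an added example (not code from OpenDNS or from this article) that builds a standard DNS query in its wire format and then reads the queried name back out of the raw bytes, which is exactly what anyone on the path of an unencrypted query can do; the query name is a constructed sample.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a plain DNS query (header + question) for an A record, as sent over UDP port 53."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + struct.pack("!HH", 1, 1)

def parse_qname(packet: bytes) -> str:
    """Recover the queried name from a DNS packet; no key or secret is needed, since nothing is encrypted."""
    offset = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only appear in answers, not in the question section
            raise ValueError("unexpected compression pointer in question")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)

if __name__ == "__main__":
    # Constructed sample query; with DNSCrypt the same bytes would be unreadable on the wire.
    datagram = build_query("www.example.com")
    print(parse_qname(datagram))
```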
The version of DNSCrypt that is available is a “preview,” meaning that it could have problems in daily use. We haven’t yet tried it.
DNSCrypt isn’t the only game in town, and for years an effort called DNSSEC has been trying to take hold to increase DNS security. DNSSEC solves a larger problem: not only does it provide an encrypted channel, but it also adds authentication and a chain of trust to ensure that the expected DNS record hasn’t been tampered with. The two can be used together. Sadly, few sites have implemented it to date.
“In theory, the user can just run their own DNS server on their own machine with DNSSEC enabled, and be protected,” says Paul Mockapetris, the inventor of DNS and now the chief scientist with Nominum, a DNS supplier. “But in practice, a variety of last mile, performance, and code readiness issues deter all but die-hard end users from doing so.” Mockapetris says that DNSCrypt “probably doesn’t add much for the enterprise user who is sitting at his desk, but could be huge for an enterprise user who is using an open hotspot in some random wine bar in a foreign country or an ancient WiFi system in some hotel that lets one guest see another guest’s traffic.” Given the number of hotels that I have stayed at that have open networks, I would say this is a real issue. (See my suggestion here for closing your file shares when you travel.)
“It would have been better to have the DNSSEC designers bite the bullet and insist on and design for end-to-end DNSSEC, but until then DNSCrypt is an idea whose time has come,” he says.