LIST OF OPENDNS DNSCRYPT FOR MAC OS
DNSCrypt would wrap DNS traffic and DNSSEC would sign and validate a subset of that traffic, according to the FAQ.

Currently available only for Mac OS X, OpenDNS also released DNSCrypt’s source code. The company suggested that DNSCrypt is similar to Secure Sockets Layer in that it encrypts DNS traffic in the same way SSL wraps HTTP traffic. “Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away,” the company wrote on the FAQ page for DNSCrypt. DNSSEC provides a way to verify that the server listed in the DNS record is actually the one the domain owner specified. It uses public key cryptography to digitally “sign” DNS records for Websites to prevent tampering and cache poisoning. DNSCrypt uses elliptic-curve cryptography to encrypt traffic between customers’ servers and the OpenDNS servers.

DNSCrypt would effectively make most forms of DNS censorship obsolete and thwart surveillance systems trying to impose censorship, said security researcher Jacob Appelbaum.

DNSCrypt is a “very strong first step” and is not intended to replace DNSSEC, the security protocol designed to verify and validate domain names, according to Ulevitch.

DNSSEC is being deployed by many registrars to guard against DNS tampering. It’s also “ripe” for man-in-the-middle attacks, especially if the user is on an insecure network at a coffee shop, for example.

Encrypting all DNS traffic is a fundamental change that improves security because it prevents anyone eavesdropping on Internet activity from seeing what Websites the user is visiting or modifying traffic, Ulevitch said. The “last mile” is when “bad things,” such as snooping, tampering and hijacking traffic, are “most likely to happen,” Ulevitch wrote. While there has been some effort to secure DNS, there hasn’t been much work done on the “last mile” of the connection between the client machine and the Internet service provider or the DNS provider, according to Ulevitch.
“DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain-text,” David Ulevitch, OpenDNS CEO, wrote in a blog post announcing the DNSCrypt tool. They are also the most difficult to defend against and have the highest impact on enterprises, according to the report. The “inherent weaknesses” in the architecture meant that attackers could intercept and redirect users to malicious sites, or eavesdrop on user activity through a man-in-the-middle attack, Melih Abdulhayoglu, CEO and chief security architect of Comodo, told eWEEK recently.

A recent F5 Networks report found that DNS attacks were the most frequent type of attacks faced by organizations. Security experts have long warned that the DNS infrastructure was vulnerable to attack and needed to be secured. With DNS, users don’t have to remember the numeric addresses. The DNS protocol acts as a phone directory for the Web, translating domain names into the actual IP addresses of the server the site is hosted on. The DNSCrypt tool is designed to secure plain-text DNS traffic and protect users from man-in-the-middle attacks, OpenDNS said Dec. Domain Name System services provider OpenDNS has released an open-source tool to encrypt DNS traffic to protect network connections between the user’s computer and the company’s servers.