DNS provider OpenDNS has developed a new open-source tool that will encrypt all of the traffic between customers and the OpenDNS servers. The tool is designed to address the slew of techniques that enable attackers to eavesdrop on plain-text DNS traffic.
The tool, called DNSCrypt, is in an early form right now, but the company said it will be making regular iterative changes to it as needed. DNSCrypt uses elliptic-curve cryptography to encrypt the traffic between customer servers and the OpenDNS system.
“DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain text. DNSSEC has never attempted to address that (crazy, I know). Encrypting all DNS traffic means a fundamental change to the security of the system on the whole and a strong improvement. It’s not the only solution, and there’s still an important place for verification and validation of domains like DNSSEC provides, but it’s a very strong first step,” OpenDNS CEO David Ulevitch said in a blog post.
DNSCrypt is only available for Mac OS X right now. The company said in the FAQ for the tool that it is meant to be complementary to DNSSEC, not a replacement for that technology.
“DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable. But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.
“That said, DNSSEC and DNSCrypt can work perfectly together. They aren’t conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn’t trying to address; in fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.”
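The layering Ulevitch describes, shown as an added Go example that is not part of the article and not OpenDNS's DNSCrypt code: Ed25519 stands in for a zone's DNSSEC signing key, and an X25519 key agreement plus AES-GCM stands in for the encrypted client-to-resolver channel (the article only says DNSCrypt uses elliptic-curve cryptography, so these primitives, the key derivation and every function name here are assumptions; the sample answer is constructed). A validating resolver accepts the signed record and rejects a modified one, yet an on-path observer can still read the queried name; once the same signed bytes are wrapped in the encrypted channel, the name is no longer visible and any change to the ciphertext is detected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SampleAnswer is a constructed DNS answer, kept as readable text rather than
// real wire format so the on-path view is obvious.
var SampleAnswer = []byte("example.org. IN A 203.0.113.10")

// SignedRecord models a DNSSEC-signed RRset: the record plus an RRSIG-like signature.
type SignedRecord struct {
	Record []byte
	Sig    []byte
}

// SignRecord plays the zone owner. Ed25519 is a stand-in for the zone's signing key.
func SignRecord(zoneKey ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{Record: record, Sig: ed25519.Sign(zoneKey, record)}
}

// VerifyRecord is the validating resolver's check: signed by the zone key and
// unmodified. It says nothing about who was able to read the record in transit.
func VerifyRecord(zonePub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(zonePub, r.Record, r.Sig)
}

// OnWire serialises a signed record the way it travels without DNSCrypt:
// record and signature both in the clear.
func OnWire(r SignedRecord) []byte {
	return append(append([]byte{}, r.Record...), r.Sig...)
}

// ObserverSeesName is the eavesdropper's view: does the queried name appear
// in the bytes passing by?
func ObserverSeesName(wire []byte, name string) bool {
	return bytes.Contains(wire, []byte(name))
}

// SessionKey derives a 256-bit AES key from an X25519 agreement between the
// client and the resolver; both sides compute the same value. Hashing the
// shared secret is a hypothetical KDF chosen for brevity.
func SessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts and authenticates a whole DNS message (signed or not) with
// AES-GCM; the random nonce is prepended to the ciphertext.
func Wrap(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Unwrap reverses Wrap and fails on any modification of the ciphertext.
func Unwrap(key, wire []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
}

func main() {
	zonePub, zoneKey, _ := ed25519.GenerateKey(rand.Reader)
	signed := SignRecord(zoneKey, SampleAnswer)
	fmt.Println("DNSSEC-style validation passes:", VerifyRecord(zonePub, signed))
	fmt.Println("observer sees name, signed only:", ObserverSeesName(OnWire(signed), "example.org"))

	client, _ := ecdh.X25519().GenerateKey(rand.Reader)
	server, _ := ecdh.X25519().GenerateKey(rand.Reader)
	key, _ := SessionKey(client, server.PublicKey())
	wire, _ := Wrap(key, OnWire(signed))
	fmt.Println("observer sees name, wrapped:", ObserverSeesName(wire, "example.org"))
}
```

The two checks are independent: `VerifyRecord` answers the DNSSEC question (is this the zone owner's record, intact?) while `Wrap`/`Unwrap` answers the DNSCrypt question (could anyone on the path read or alter it?), and applying `Wrap` to `OnWire(signed)` is the "wrapper around all DNS traffic" arrangement the quote describes.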
Users can download DNSCrypt here.