Domain Name System services provider OpenDNS has released an open-source tool to encrypt DNS traffic to protect network connections between the user’s computer and the company’s servers.
The DNSCrypt tool is designed to secure plain-text DNS traffic and protect users from man-in-the-middle attacks, OpenDNS said Dec. 6. The DNS protocol acts as a phone directory for the Web, translating domain names into the actual IP addresses of the server the site is hosted on. With DNS, users don’t have to remember the numeric addresses.
Security experts have long warned that the DNS infrastructure was vulnerable to attack and needed to be secured. The “inherent weaknesses” in the architecture meant that attackers could intercept and redirect users to malicious sites, or eavesdrop on user activity through a man-in-the-middle attack, Melih Abdulhayoglu, CEO and chief security architect of Comodo, told eWEEK recently.
A recent F5 Networks report found that DNS attacks were the most frequent type of attacks faced by organizations. They are also the most difficult to defend against and have the highest impact on enterprises, according to the report.
“DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain-text,” David Ulevitch, OpenDNS CEO, wrote in a blog post announcing the DNSCrypt tool.
While there has been some effort to secure DNS, there hasn’t been much work done on the “last mile,” of the connection between the client machine and the Internet service provider or the DNS provider, according to Ulevitch. The “last mile” is when “bad things,” such as snooping, tampering and hijacking traffic, are “most likely to happen,” Ulevitch wrote. It’s also “ripe” for man-in-the-middle attacks, especially if the user is on an insecure network at a coffee shop, for example.
Encrypting all DNS traffic is a fundamental change that improves security because it prevents anyone eavesdropping on Internet activity from seeing what Websites the user is visiting or modifying traffic, Ulevitch said. DNSCrypt uses elliptic-curve cryptography to encrypt traffic between customers’ servers and the OpenDNS servers.
DNSCrypt would effectively make most forms of DNS censorship obsolete and thwart surveillance systems trying to impose censorship, said security researcher Jacob Appelbaum.
DNSCrypt is a “very strong first step” and is not intended to replace DNSSEC, the security protocol designed to verify and validate domain names, according to Ulevitch.
DNSSEC is being deployed by many registrars to guard against DNS tampering. It uses public key cryptography to digitally “sign” DNS records for Websites to prevent tampering and cache poisoning. DNSSEC provides a way to verify that the server listed in the DNS record is actually the one the domain owner specified.
“Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away,” the company wrote on the FAQ page for DNSCrypt.
The company suggested that DNSCrypt is similar to Secure Sockets Layer in that it encrypts DNS traffic in the same way SSL wraps HTTP traffic. DNSCrypt would wrap DNS traffic and DNSSEC would sign and validate a subset of that traffic, according to the FAQ.
Currently available only for Mac OS X, OpenDNS also released DNSCrypt’s source code. It is still a “technology preview” and the company will be updating the code as needed, according to Ulevitch.