Latest news
OpenDNS tool secures DNS traffic
Posted on 08 December 2011.
OpenDNS unveiled a preview of DNSCrypt, a new technology that improves both the security and privacy of Internet users, particularly those on unsecured wireless hotspots and residential ISP networks. The technology is being open-sourced.
DNS has historically been one of the many insecure parts of the Internet’s critical infrastructure – even considering decade-plus attempts to improve it with technologies like DNSSEC. Despite DNSSEC, and the global improvements resulting from Dan Kaminsky’s discovery of a critical flaw in the DNS, there remains an inherent insecurity in the DNS protocol itself: it is transported in plaintext, unencrypted and in the open.
This insecure connection between the end user and their DNS resolver, which might be described as the “last mile,” is ripe for abuse, and has been abused in the past. The insecure nature of that “last mile” connection enables an array or attacks and privacy violations. In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable.
DNSCrypt is significant because it encrypts all DNS traffic between Internet users and OpenDNS. This technological advancement thwarts efforts by attackers, or even Internet Service Providers (ISPs), from spying on DNS activity, or worse, maliciously redirecting DNS traffic.
In the same way the SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between Internet users and OpenDNS servers in the OpenDNS data centers.
DNSCrypt protects Internet users and prevents three primary threats and privacy violations:
Spying: Attackers, ISPs and governments regularly use DNS to spy on Internet users’ online activity. OpenDNS security experts see this principal privacy violation occur frequently around the world, including in the United States. DNSCrypt prevents this spying, and attempts to thwart known DNS replay, observation, and timing attacks.
Man-in-the-middle attacks: The term describes when an attacker intercepts communication and impersonates both the Internet user and the website he or she is visiting. DNSCrypt prevents man-in-the-middle attacks by preventing insertion of unauthenticated and unencrypted DNS packets, giving Internet users greater confidence in the authenticity of the websites they’re visiting.
Resolver impersonation: It’s possible that ISPs or other intermediaries could hijack DNS traffic destined for sites like OpenDNS, Google, and others transparently. It’s important that users who choose to use a third-party DNS service have the confidence in knowing their packets are being answered by their designated third-party and are not being re-routed and answered fraudulently.
“DNSCrypt is a critical advancement for the DNS, for global Internet security efforts and for the Internet at large,” said OpenDNS CEO David Ulevitch. “The technology empowers Internet users to secure their own Internet and DNS use and protect themselves from nefarious activity that happens through their DNS connection, but also to insulate themselves from their Internet Service Provider’s uninhibited access to their DNS activity and domain lookup history. All Internet users have a right to privacy and DNSCrypt gives them both that and a heightened level of security.”
DNS has historically been one of the many insecure parts of the Internet’s critical infrastructure – even considering decade-plus attempts to improve it with technologies like DNSSEC. Despite DNSSEC, and the global improvements resulting from Dan Kaminsky’s discovery of a critical flaw in the DNS, there remains an inherent insecurity in the DNS protocol itself: it is transported in plaintext, unencrypted and in the open.
This insecure connection between the end user and their DNS resolver, which might be described as the “last mile,” is ripe for abuse, and has been abused in the past. The insecure nature of that “last mile” connection enables an array or attacks and privacy violations. In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable.
DNSCrypt is significant because it encrypts all DNS traffic between Internet users and OpenDNS. This technological advancement thwarts efforts by attackers, or even Internet Service Providers (ISPs), from spying on DNS activity, or worse, maliciously redirecting DNS traffic.
In the same way the SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between Internet users and OpenDNS servers in the OpenDNS data centers.
DNSCrypt protects Internet users and prevents three primary threats and privacy violations:
Spying: Attackers, ISPs and governments regularly use DNS to spy on Internet users’ online activity. OpenDNS security experts see this principal privacy violation occur frequently around the world, including in the United States. DNSCrypt prevents this spying, and attempts to thwart known DNS replay, observation, and timing attacks.
Man-in-the-middle attacks: The term describes when an attacker intercepts communication and impersonates both the Internet user and the website he or she is visiting. DNSCrypt prevents man-in-the-middle attacks by preventing insertion of unauthenticated and unencrypted DNS packets, giving Internet users greater confidence in the authenticity of the websites they’re visiting.
Resolver impersonation: It’s possible that ISPs or other intermediaries could hijack DNS traffic destined for sites like OpenDNS, Google, and others transparently. It’s important that users who choose to use a third-party DNS service have the confidence in knowing their packets are being answered by their designated third-party and are not being re-routed and answered fraudulently.
“DNSCrypt is a critical advancement for the DNS, for global Internet security efforts and for the Internet at large,” said OpenDNS CEO David Ulevitch. “The technology empowers Internet users to secure their own Internet and DNS use and protect themselves from nefarious activity that happens through their DNS connection, but also to insulate themselves from their Internet Service Provider’s uninhibited access to their DNS activity and domain lookup history. All Internet users have a right to privacy and DNSCrypt gives them both that and a heightened level of security.”
Spotlight
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
