DNS has historically been one of the many insecure parts of the Internet’s critical infrastructure – even considering decade-plus attempts to improve it with technologies like DNSSEC. Despite DNSSEC, and the global improvements resulting from Dan Kaminsky’s discovery of a critical flaw in the DNS, there remains an inherent insecurity in the DNS protocol itself: it is transported in plaintext, unencrypted and in the open.
This insecure connection between the end user and their DNS resolver, which might be described as the “last mile,” is ripe for abuse, and has been abused in the past. The insecure nature of that “last mile” connection enables an array or attacks and privacy violations. In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable.
DNSCrypt is significant because it encrypts all DNS traffic between Internet users and OpenDNS. This technological advancement thwarts efforts by attackers, or even Internet Service Providers (ISPs), from spying on DNS activity, or worse, maliciously redirecting DNS traffic.
In the same way the SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between Internet users and OpenDNS servers in the OpenDNS data centers.
DNSCrypt protects Internet users and prevents three primary threats and privacy violations:
Spying: Attackers, ISPs and governments regularly use DNS to spy on Internet users’ online activity. OpenDNS security experts see this principal privacy violation occur frequently around the world, including in the United States. DNSCrypt prevents this spying, and attempts to thwart known DNS replay, observation, and timing attacks.
Man-in-the-middle attacks: The term describes when an attacker intercepts communication and impersonates both the Internet user and the website he or she is visiting. DNSCrypt prevents man-in-the-middle attacks by preventing insertion of unauthenticated and unencrypted DNS packets, giving Internet users greater confidence in the authenticity of the websites they’re visiting.
Resolver impersonation: It’s possible that ISPs or other intermediaries could hijack DNS traffic destined for sites like OpenDNS, Google, and others transparently. It’s important that users who choose to use a third-party DNS service have the confidence in knowing their packets are being answered by their designated third-party and are not being re-routed and answered fraudulently.
“DNSCrypt is a critical advancement for the DNS, for global Internet security efforts and for the Internet at large,” said OpenDNS CEO David Ulevitch. “The technology empowers Internet users to secure their own Internet and DNS use and protect themselves from nefarious activity that happens through their DNS connection, but also to insulate themselves from their Internet Service Provider’s uninhibited access to their DNS activity and domain lookup history. All Internet users have a right to privacy and DNSCrypt gives them both that and a heightened level of security.”