Today we unveil DNSCrypt, a new security tool we’ve developed that has been on our minds for a long time. It has a simple but important function: encrypt all DNS traffic between you and OpenDNS. Nothing else like it exists, and we have very high expectations for the positive impact it can have on the Internet security and privacy of millions of people around the world.
DNS is a critical part of the Internet’s infrastructure, and though a good deal of attention has been paid to improving its security in recent years with DNSSEC, an important part has been overlooked. It’s what’s often referred to as the “last mile,” or the connection between you and your ISP or your DNS provider, if you use a DNS service like OpenDNS. It’s in this “last mile” that bad things are most likely to happen — snooping, tampering, or even hijacking traffic. Anyone who knows what they’re doing can eavesdrop on your Internet activity and see exactly which domains you are resolving, and in many cases, what websites you’re visiting.
It happens all the time on insecure networks at coffee shops, and even residences. Some ISPs have even been accused of spying on their customers’ activity. What’s worse, the “last mile” is ripe for man-in-the-middle attacks, where an intermediary injects themselves into your traffic path masquerading as your intended destination, but all the while, being able to see and modify your traffic. This leaves little confidence for the Internet user.
DNSCrypt changes this and has the potential to completely revolutionize Internet security. DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain text. DNSSEC has never attempted to address that (crazy, I know). Encrypting all DNS traffic means a fundamental change to the security of the system on the whole and a strong improvement. It’s not the only solution, and there’s still an important place for verification and validation of domains like DNSSEC provides, but it’s a very strong first step.
We’ve been sharing DNSCrypt with security experts over the past several weeks and the feedback has been phenomenal. A tool like DNSCrypt is critically necessary to ensure the security of DNS going forward. DNSCrypt is a “technology preview” today, and the code is being open-sourced. For the über-nerds, our implementation is the first (known) implementation of the forwarder ideas expressed in the DNSCurve community, which many will recall, we were one of the first to implement.
Download DNSCrypt today and try it for yourself.