Blog Post

Hide DNS requests from friends, foes and the feds

TOpenDNS, which provides a domain name system resolution service that aims to be faster and more secure than those provided by your ISP, on Tuesday launched a new product it hopes will make DNS look up more secure. The company launched DNSCrypt, software that users can run which helps prevent man-in-the-middle attacks on domain names and can also help anonymize your web site requests from prying eyes.

Domain name servers are a crucial part of the Internet, containing the IP address of domain names you type into a browser. When a user types in a URL, the computer sends the request to a DNS server that then tells your computer the site’s IP address. But DNS queries are vulnerable to both spying and attacks. From the DNSCrypt release:

Despite DNSSEC, and the global improvements resulting from Dan Kaminsky’s discovery of a critical flaw in the DNS, there remains an inherent insecurity in the DNS protocol itself: it is transported in plaintext, unencrypted and in the open. This insecure connection between the end user and their DNS resolver, which might be described as the “last mile,” is ripe for abuse, and has been abused in the past. The insecure nature of that “last mile” connection enables an array or attacks and privacy violations. In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and as a result, are left highly vulnerable.

OpenDNS CEO David Ulevitch compares the software to secure socket layer encryption for HTTP traffic (it’s what puts the “s” in https), except he notes that it doesn’t require users to route their traffic through a different port. Technical details aside, the software aims to prevent hackers from intercepting your requests for a domain name and taking the opportunity to insert a malicious site. If they succeed, hackers could send a user off to a web site that masquerades as a bank’s portal or a user’s email home page, in hopes of snagging some passwords or financial information.

It also prevents your Internet service provider or your government from seeing what sites you visit, which may become important not just in repressive countries, but even in the U.S., especially if the Stop Online Piracy Act (SOPA) passes. It does this by adding a layer of encryption between the user and OpenDNS. You have to be running OpenDNS for it to work, but Ulevitch says he hopes it won’t remain that way.

Ulevitch says the company will release the source code for DNSCrypt on Github, so developers can build interfaces for other operating systems and create new applications for people who desire a bit more privacy on the web. DNSCrypt is only available for the Mac. Downloads, code and more information can be found here. This is just the latest in efforts from OpenDNS aimed at keeping the web running smoothly, not just for big players, but for everyone.

5 Responses to “Hide DNS requests from friends, foes and the feds”