OpenDNS DNSCrypt: Encrypt DNS Traffic, Secure Yourself From Eavesdropping, Man-in-the-middle Attacks

OpenDNS DNSCrypt is an open-source DNS encryption tool. In layman's terms, DNSCrypt secures communications between a client and a DNS resolver (more on this later). It protects that connection from eavesdropping and man-in-the-middle attacks, which hugely increases your web browsing security. DNSCrypt is developed by the popular DNS service OpenDNS.

Let’s take an example to describe what exactly DNS is. If you want to visit our website, you’ll type the human-readable domain name of our website, www.mytechguide.org. After you press Enter or click on the Go button of your browser, your browser will try to retrieve the IP address of our website, 67.222.31.35, before displaying our website. To find this IP address, your browser contacts a server called the Domain Name System (DNS) server. You can think of the DNS as a large phone book for the Internet, which translates human-friendly domain names into IP addresses.

DNS in the real world (Image Source: Wikipedia)

Now that you have an overview of DNS, you’ll hopefully be able to understand why you should use DNSCrypt. DNSCrypt encrypts all your DNS queries between your browser and OpenDNS. Encrypting the DNS queries prevents spying and eavesdropping by third parties (like your ISP), as well as spoofing and man-in-the-middle attacks.

Why you should care?

One of the worst examples of a DNS-based attack is the cache poisoning attack. In a cache poisoning attack, an attacker can cause a name server’s clients to contact incorrect, and possibly malicious, hosts for particular services. For example, if a DNS cache poisoning attacker controls your network and you want to visit the official PayPal website, the attacker may take you to an entirely fake site without you noticing anything fishy going on. The attacker can redirect web traffic, email, and other important network data to systems under the attacker’s control.

OpenDNS, during the announcement of DNSCrypt, explains,

In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

OpenDNS founder and CEO David Ulevitch explains why you should use DNSCrypt:

Anyone who knows what they’re doing can eavesdrop on your Internet activity and see exactly which domains you are resolving, and in many cases, what websites you’re visiting. Worse, sophisticated attackers can modify responses and redirect you to malicious sites. We have always used various techniques to thwart this, but none as iron-clad as simply encrypting all the communication between you and OpenDNS.

Download DNSCrypt

DNSCrypt is available for Windows (Microsoft .NET Framework 3.5 is required for using DNSCrypt) and Mac operating systems. You can download DNSCrypt for your operating system from the official website. The source code of DNSCrypt is available on GitHub.

Configure and use DNSCrypt on Windows or Mac

Please keep in mind that DNSCrypt only works when you are using OpenDNS as your DNS. To figure out whether you are using OpenDNS, see what the button below says.

Use OpenDNS

If the button says, “You’re using OpenDNS,” simply download DNSCrypt, install it and follow the instructions below. If the button says, “Use OpenDNS, Get Started,” click on the button to get instructions on how to configure your computer to use OpenDNS. After you have successfully configured OpenDNS, download DNSCrypt, install it and follow the instructions below.

After installing, Windows and Mac users simply launch the DNSCrypt application and select the Enable OpenDNS and Enable DNSCrypt check boxes.

OpenDNS DNSCrypt for Mac

OpenDNS DNSCrypt for Windows

If everything is working fine, you will see the green status icon which says “Protected.”

In case your firewall or any security program causes trouble, you can try the “DNSCrypt over TCP 443” option. If your problem still persists, you can try the “Fall back to insecure DNS” option. As a last resort, you can disable DNSCrypt by deselecting the “Enable DNSCrypt” check box.

DNSCrypt is also a great security option for users who use a lot of commercial or public Wi-Fi hotspots at places like airports, cafes, hotels, etc.

Comments

  1. says

    Mezanul – I love how you used the smart button in your post. Thanks for helping us spread the word about DNSCrypt and make the Internet a bit safer.

    -Allison
    OpenDNS

    • says

      You are welcome Allison. Thank you for stopping by. I am using OpenDNS Crypt myself and I am very happy with it. Glad OpenDNS came up with such a good and useful software. :)

  2. says

    dnscrypt itself works on a variety of operating systems: BSD, Solaris, iOS, Android, Linux…

    What only exists for OSX and Windows is optional user interfaces for starting the service and changing DNS settings.

    Also, the “DNSCrypt over TCP 443” checkbox doesn’t exist any more, since the current versions of these UIs automatically figure out what the best settings are.

    Already using OpenDNS is not required. dnscrypt will forward queries to OpenDNS (by default) when enabled no matter what.

    Current versions can be downloaded from Github:

    - dnscrypt: https://github.com/opendns/dnscrypt-proxy/downloads (instructions for Windows: https://github.com/opendns/dnscrypt-proxy/blob/master/README-WINDOWS.markdown – generic instructions: https://github.com/opendns/dnscrypt-proxy/blob/master/README.markdown )

    - GUI for OSX: https://github.com/opendns/dnscrypt-osx-client/downloads

    - Official GUI for Windows: https://github.com/opendns/dnscrypt-win-client/tree/master/DNSCryptUpgrade (the source code for the current version is not available yet)

    - Alternative GUI for Windows: https://github.com/Noxwizard/dnscrypt-winclient

    - GUI for iPhone/iPad/iPod Touch: http://modmyi.com/cydia/com.guizmo.dns

  3. John Hallquist says

    Can it run silently in the background (or minimize to the system tray)? It looks like this is mostly for clients, would it be a good idea to put this on a server?
