OpenDNS DNSCrypt: Encrypt DNS Traffic, Secure Yourself From Eavesdropping, Man-in-the-middle Attacks

OpenDNS DNSCrypt is an open-source DNS encryption tool. In layman's terms, DNSCrypt secures the communication between a client and a DNS resolver (more on this later). It protects that connection from eavesdropping and man-in-the-middle attacks, which considerably improves the privacy and integrity of your web browsing. DNSCrypt is developed by the popular DNS service OpenDNS.

Let's take an example to describe what exactly DNS is. If you want to visit our website, you type its human-readable domain name. After you press Enter or click the Go button of your browser, the browser has to retrieve the IP address of the website before it can display it. To find this IP address, your browser asks a server called a Domain Name System (DNS) server. You can think of DNS as a large phone book for the Internet, which translates human-friendly domain names into IP addresses.


DNS in the real world (Image Source: Wikipedia)

Now that you have an overview of DNS, you will hopefully understand why you should use DNSCrypt. DNSCrypt encrypts and authenticates all DNS queries between your computer and OpenDNS's resolvers. Encrypting the queries on that path prevents third parties on the network (such as your ISP, or anyone on a shared Wi-Fi) from reading, spoofing or tampering with them in a man-in-the-middle attack. Note that the protection covers only the hop between you and the resolver: OpenDNS itself still sees your queries, and DNSCrypt does not verify the answers the resolver fetched from the authoritative servers (that is what DNSSEC is for).

Why should you care?

One of the worst examples of a DNS-based attack is cache poisoning. In a cache poisoning attack, an attacker injects forged records into a name server's cache so that its clients contact the incorrect, and possibly malicious, hosts for particular services. For example, if the resolver on your network has been poisoned and you want to visit the official PayPal website, the attacker can send you to an entirely fake site without you noticing anything fishy. The attacker can redirect web traffic, email, and other important network data to systems under the attacker's control. DNSCrypt stops an attacker on the path between you and OpenDNS from forging or altering responses; it cannot repair a cache that was poisoned upstream of the resolver, which is a job for DNSSEC.

OpenDNS, in its announcement of DNSCrypt, explained:

In the same way that SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

OpenDNS founder and CEO David Ulevitch explained why you should use DNSCrypt:

Anyone who knows what they’re doing can eavesdrop on your Internet activity and see exactly which domains you are resolving, and in many cases, what websites you’re visiting. Worse, sophisticated attackers can modify responses and redirect you to malicious sites. We have always used various techniques to thwart this, but none as iron-clad as simply encrypting all the communication between you and OpenDNS.

Download DNSCrypt

DNSCrypt is available for Windows (Microsoft .NET Framework 3.5 is required) and Mac operating systems. You can download DNSCrypt for your operating system from the official website, and the source code is available on GitHub.

Configure and use DNSCrypt on Windows or Mac

Please keep in mind that DNSCrypt only works when you are using OpenDNS as your DNS resolver. To find out whether you are, use the check on the OpenDNS website (the original page embeds it as a "Use OpenDNS" button). If it reports "You're using OpenDNS," simply download DNSCrypt, install it and follow the instructions below. If it says "Use OpenDNS, Get Started," follow its instructions to configure your computer to use OpenDNS first; after you have successfully configured OpenDNS, download DNSCrypt, install it and follow the instructions below.

After installing, on either Windows or Mac, launch the DNSCrypt application and select both the "Enable OpenDNS" and "Enable DNSCrypt" check boxes.

OpenDNS DNSCrypt for Mac

OpenDNS DNSCrypt for Windows

If everything is working, you will see a green status icon that says "Protected."

If your firewall or another security program interferes, try the "DNSCrypt over TCP 443" option, which sends the encrypted traffic over a port that is rarely blocked. If the problem persists, you can try the "Fall back to insecure DNS" option; as the name says, this lets queries go out unencrypted whenever the encrypted path fails, so with it enabled you are only protected while the status icon actually shows "Protected." As a last resort, you can disable DNSCrypt by deselecting the "Enable DNSCrypt" check box.
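The following script is an added example, not part of the original article or of OpenDNS's software. It verifies from the command line what the status icon reports: whether your queries are actually reaching OpenDNS and whether they arrived over DNSCrypt rather than through the insecure fallback. It relies on the assumption that OpenDNS's diagnostic name debug.opendns.com answers a TXT query with a line starting "server ..." when an OpenDNS resolver answered and, when DNSCrypt is active, a line starting "dnscrypt enabled"; the exact strings are taken from OpenDNS documentation and may change. The sample answers embedded in the script are constructed to match that shape so the classifier can be exercised offline, and `dig` (BIND tools) is assumed to be installed for the live check.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or from OpenDNS's own tools).
# Checks whether DNS queries from this machine reach OpenDNS and whether they
# travelled over DNSCrypt, using the diagnostic TXT record at debug.opendns.com.
# Assumption: the answer contains a "server ..." string when OpenDNS answered
# and a "dnscrypt enabled ..." string when the query arrived over DNSCrypt.

# classify_opendns_txt: reads "dig +short txt debug.opendns.com" output on
# stdin and prints one of:
#   protected    OpenDNS answered and reports DNSCrypt enabled   (exit 0)
#   plaintext    OpenDNS answered but DNSCrypt is not in use     (exit 2)
#   not_opendns  no OpenDNS diagnostic record in the answer      (exit 1)
classify_opendns_txt() {
    txt=$(cat)
    # dig prints each TXT string in double quotes; strip them before matching
    txt=$(printf '%s\n' "$txt" | sed 's/^"//; s/"$//')
    if ! printf '%s\n' "$txt" | grep -q '^server '; then
        printf 'not_opendns\n'
        return 1
    fi
    if printf '%s\n' "$txt" | grep -qi '^dnscrypt enabled'; then
        printf 'protected\n'
        return 0
    fi
    printf 'plaintext\n'
    return 2
}

# check_live: sends the query through the system's configured resolver (with
# DNSCrypt enabled that is the local DNSCrypt proxy) and classifies the answer.
check_live() {
    if ! command -v dig >/dev/null 2>&1; then
        printf 'dig not found; install the BIND tools (dnsutils) first\n' >&2
        return 3
    fi
    dig +short +time=3 +tries=1 txt debug.opendns.com | classify_opendns_txt
}

# Constructed sample answers (not captured from a real resolver), in the shape
# "dig +short txt debug.opendns.com" prints, for running the classifier offline.
SAMPLE_PROTECTED='"server r5.chi"
"flags 20 0 70 0"
"originid 0"
"dnscrypt enabled (0000000000000000)"'

SAMPLE_PLAINTEXT='"server r2.lax"
"flags 20 0 70 0"
"originid 0"'

# A non-OpenDNS resolver returns no diagnostic strings at all.
SAMPLE_OTHER_RESOLVER=''

if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf 'constructed protected answer  -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_PROTECTED" | classify_opendns_txt)"
    printf 'constructed plaintext answer  -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_PLAINTEXT" | classify_opendns_txt)"
    printf 'constructed non-OpenDNS answer -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_OTHER_RESOLVER" | classify_opendns_txt)"
fi
```

Run it as `bash check_dnscrypt.sh --live` after enabling DNSCrypt. A result of `plaintext` with "Fall back to insecure DNS" turned on means the encrypted path is currently blocked and your queries are leaving the machine unencrypted; `not_opendns` means the system is not using OpenDNS at all, so DNSCrypt cannot be doing anything. The exit codes let you put the check in a login script or a monitoring job.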

DNSCrypt is also a good security option for users who spend a lot of time on commercial or public Wi-Fi hotspots at airports, cafes, hotels and similar places, where anyone on the same network could otherwise read and tamper with plaintext DNS.