
OpenDNS Releases DNS Encryption Tool

wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."
  • by Anonymous Coward on Thursday December 08, 2011 @11:03AM (#38302908)

    The solution is for the 'last mile', i.e. the connection between the end user and the ISP. As such, the encryption software will have to run on the user's machine.

  • Re:SSL is heavy (Score:4, Informative)

    by KXeron ( 2391788 ) <kxeron@nOSpam.digibase.ca> on Thursday December 08, 2011 @11:22AM (#38303092) Homepage

    This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection, that is because the SSL handshake is done every so often (at the beginning of each resource download). However, implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.

    This doesn't even account for the DNS resolver's resource usage. Given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable, and having persistent connections hanging open for an ISP-load of users would not be an option either, as the servers' open file descriptors would get exhausted.

  • Re:SSL is heavy (Score:4, Informative)

    by Zironic ( 1112127 ) on Thursday December 08, 2011 @11:29AM (#38303206)

    Everything is a heavier protocol than DNS. By default DNS queries are plain UDP packets, that way you do not have any handshaking overhead.

  • by GameboyRMH ( 1153867 ) <`gameboyrmh' `at' `gmail.com'> on Thursday December 08, 2011 @11:49AM (#38303534) Journal

    Wait, doesn't TOR encrypt your DNS requests?

    No.

    Actually your DNS requests can be encrypted and tunneled through TOR (just point your DNS requests at the SOCKS5 server). However they'll be decrypted at the exit node just like plaintext HTTP traffic.

  • by Animats ( 122034 ) on Thursday December 08, 2011 @12:38PM (#38304150) Homepage

    This is a bad idea, and it's being deceptively promoted. The OpenDNS site says [opendns.com] "DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security." This is willfully misleading.

    This isn't a way to make the existing distributed DNS infrastructure more secure. It just establishes an encrypted connection between your machine and one central DNS server farm belonging to OpenDNS. One that makes its money by redirecting nonexistent domains to ad sites.

    There have been slimy DNS providers before. Comcast is notorious [dslreports.com] for this. The Wikipedia article on OpenDNS [wikipedia.org] summarizes the privacy issues, conflicts, and problems with OpenDNS. At one point, OpenDNS tried redirecting address bar searches to their own search page [labnol.org], which is apparently permitted by their terms of service.

    OpenDNS isn't that bad. They're only a little evil. But they're also unnecessary.
