OpenDNS Releases DNS Encryption Tool - Slashdot

Slashdot

OpenDNS Releases DNS Encryption Tool 94

Posted by timothy on Thursday December 08, @10:34AM
from the do-nothing-secret dept.

wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."

This discussion has been archived. No new comments can be posted.

OpenDNS Releases DNS Encryption Tool

Search 94 Comments Log In/Create an Account

Comments Filter:

Encrypt the phonebook (Score:0, Interesting)

by Anonymous Coward writes: on Thursday December 08, @10:58AM (#38302840)

What's the point? Traffic analysis can easily reveal what you're looking up. DNS is a distributed database, remember? If you're looking everything up through an external recursive resolver and encrypt your communication with that resolver, then the operator of that resolver can still see everything. You could also just use existing VPN technology and achieve the same things.
Also, OpenDNS is not open and should be shunned for choosing that misleading name.

Share
twitter facebook
Good idea (Score:5, Interesting)

by ledow (319597) writes: on Thursday December 08, @11:04AM (#38302918) Homepage

It's a good idea but:
- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special of clever, and requires the co-operation of all your upstream DNS servers.
- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, a "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?
- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.
That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.
But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.
Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I lookup.

Share
twitter facebook
DD-WRT / Tomato client? (Score:3, Interesting)

by aka_bigred (1366025) writes: on Thursday December 08, @11:36AM (#38303332)

So anyone know of a client that can be run from a DD-WRT or Tomato router? I'd be up for throwing it on my home router it there's a client that I can just add right into the router.

Share
twitter facebook
phishing (Score:4, Interesting)

by Billly Gates (198444) writes: on Thursday December 08, @11:40AM (#38303400) Homepage Journal

OpenDNS does have an appeal. However it is such a high target for malware writters. If you can poison it you get tons of bussiness andeCommerce bank logins who go out of there way to use openDNS for security. I am nervous switching to it. Especially after CA keeo getting hacked into

Share
twitter facebook
Re:so what will this achieve for the enduser? (Score:4, Interesting)

by Smallpond (221300) writes: on Thursday December 08, @12:12PM (#38303802) Homepage Journal

The purpose isn't to hide your DNS requests from your ISP, its to prevent some of the known attacks that spoof a DNS reply. That's easy to do if they are sent in the clear and have no signatures.

Parent Share
twitter facebook
Re:Not Odd - Well actually ... (Score:5, Interesting)

by Sloppy (14984) writes: on Thursday December 08, @12:51PM (#38304344) Homepage Journal

They might be thinking that the "user's machine" could be something like a DSL router, which may already be servicing user's DNS requests with dnsmasq or something like that. There are all sorts of opportunities to improve the functionality of these spots, without really needing to impact the software and protocols run by the actual endpoints. It's not so much the "last mile" that is most vulnerable, but rather, the "last mile except for the last 30 feet." In your LAN itself is compromised, then the intruder is already in the house and you are totally screwed no matter what you do. ;-)

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

477 commentsYour Passwords Don't Suck — It's Your Policies
418 commentsFBI Says American Universities Infiltrated by Spies
392 commentsAdobe Introduces the Paid Security Fix
343 commentsSymantec: Religious Sites "Riskier Than Porn For Viruses"
333 commentsOsama Bin Laden Didn't Encrypt His Files

Drive defensively. Buy a tank.