Broadband Tech > Security > Security > OpenDNS unveils DNSCrypt for Windows

OpenDNS unveils DNSCrypt for Windows

quote:

---

In December we delivered a preview of one of the most critical and innovative technologies DNS security has seen. DNSCrypt, available initially only for Mac, works by encrypting all DNS traffic between you and your DNS provider, OpenDNS. That critical path between you and your DNS servers is often referred to as the “last mile.” It’s in this “last mile” that bad things are most likely to happen — snooping, tampering, or even hijacking traffic. Anyone who knows what they’re doing can eavesdrop on your Internet activity and see exactly which domains you are resolving, and in many cases, what websites you’re visiting. Worse, sophisticated attackers can modify responses and redirect you to malicious sites. We have always used various techniques to thwart this, but none as iron-clad as simply encrypting all the communication between you and OpenDNS.

The effect of DNSCrypt is immediate and adds significant privacy and security to your Internet connection, particularly when you’re accessing the Internet on a public WiFi network at a place like a coffee shop or airport. Today DNSCrypt is used by more than 10,000 people.

Today we proudly reveal DNSCrypt for Windows

While we’re mostly a Mac and unix shop here at OpenDNS, we care about protecting all users. Since Windows has more than 80% market share around the world we knew we could not ignore the need for DNSCrypt on Windows.

There are a number of reasons why the World needs DNSCrypt, but here are just a few:

• Today’s Internet users no longer access the Internet only at home or at work.
• Users connect to several different networks throughout the day.
• As the DNS and security service powering the most Internet users around the world, we’re focused on inventing solutions that enable security for all the ways that people connect.
• DNSCrypt is a foundation for something much, much greater. We have disrupted the world with our technology and ideas... [cont'd]

---

reply to chachazz
What are the chances DNSCrypt could be incorporated into routers?

--edit--

Looks like the TomatoUSB "Shibby" Builds have DNSCrypt support built in.

reply to chachazz
DNSCrypt is a joke, this is not how domain hijacks or exploits happen... The idea that a hacker would somehow intercept or create bad records at your ISPs DNS servers to direct you to their fake site instead or the real/legit site is fear mongering, thus creating the "need" for this software. I suspect, that like OpenDNS's other products, it won't be free for long.

The real hijack/exploit happens when a website owner is negligent or incompetent in their security and patching process and a malicious iframe or adserver is used to install badware on your machine.

Use reliable DNS servers as provided by a major ISP, Google DNS, or Norton DNS. There is no real "need" for this software other than to write another press release.

reply to chachazz
I had to enable using TCP port 443 for it to work. Unfortunately, I also have an old router that can't use DDWRT or Tomato firmware, if either have this built in. As advertised, the use of TCP/443 does seem to be slower than without DNSCrypt. Then again, I would expect any additional software to add some overhead. It's good that I could uninstall this if I get tired of it.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.

reply to whybother
uhhh DNSCrypt just encrypts the connection between the computer and the DNS server. i don't think it does any DNSSEC style verification of the records.

The more likely scenario where this is helpful is in preventing man-in-the-middle attacks where MITMs spoof the default DNS server a user receives through DHCP.

I'm glad for this but wonder if it's helpful in any other way. I mean your ISP can still see the IP addresses you visit and a reverse DNS is simple enough to do. Eh w/e, paranoia at work.

reply to chachazz
They say they want to protect from snooping, tampering, or even hijacking traffic? I'd say they rather want to reserve all of that to themselves. OpenDNS is making money on snooping and gothering data about how users use the Internet, which sites they visit and when (how often). And they tamper and even hijack traffic by replacing standard-required NXDOMAIN responses. We remember, that at some point of time they even hijacked Google site, replacing www.google.com with their own MITM host google.navigation.opendns.com. Read my old post for some details.

For that exact reason OpenDNS doesn't want to implement standard secure solution - DNSSEC, where name resolutions are signed and therefore can't be tampered. Instead they offer their own proprietary solution, that works only with them (of course).

My advise - stay away from OpenDNS or they will sell your Internet browsing habits and will tamper with your DNS requests. They try to scare you with a kiddie-hacker that could snoop on your Internet traffic and lure you to get all that info only to them, to OpenDNS...
--
Keep it simple, it'll become complex by itself...