Encrypt DNS traffic to stop man-in-the-middle attacks with DNSCrypt

DNSCrypt is an open source tool from OpenDNS that prevents man-in-the-middle attacks, such as snooping by Internet Service Providers. For those not familiar with OpenDNS, the company provides free Domain Name Servers that can be used to increase your online privacy by not using your ISP's DNS, to filter and block content at DNS level, or to stop DNS leakage when using a VPN.

This new tool encrypts DNS lookups between your machine and the DNS server, so anyone sniffing traffic will not be able to see what is being requested. Just as SSL turns HTTP traffic into encrypted HTTPS, DNSCrypt does the same for DNS requests. It should make life more difficult for governments using DNS to spy on citizens. Countries like China, for example, can block pages at DNS level; even if you use a VPN to circumvent Internet filtering, it might be necessary to change the ISP DNS server for it to work. However, state-sponsored Internet censorship normally employs more than one method to block websites, and DNS is just one of them.
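To make the difference concrete, the sketch below shows what a plaintext lookup exposes on the wire and gives a check you can run on a captured UDP payload to confirm your lookups are no longer readable. It is an added example, not code from OpenDNS or DNSCrypt; the function names and both sample payloads are constructed for illustration.

```python
import struct

def build_query(name, txid=0x1234):
    """Encode a plaintext DNS A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN

def readable_qname(payload):
    """Return the hostname if payload parses as a plaintext DNS query, else None."""
    if len(payload) < 17:  # 12-byte header + root label + type + class
        return None
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1 or ancount or nscount:
        return None  # not a single-question query
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None  # ran off the end before the terminating zero label
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        label = payload[pos:pos + length]
        if length > 63 or len(label) != length:
            return None
        if not all(0x21 <= b <= 0x7E for b in label):
            return None  # hostnames are printable ASCII; ciphertext rarely is
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        return None  # missing QTYPE/QCLASS
    return ".".join(labels) or "."

# Constructed samples: a plaintext lookup, and 32 fixed bytes standing in for an
# encrypted payload (not a real DNSCrypt packet).
PLAINTEXT = build_query("example.com")
OPAQUE = bytes.fromhex("7b2e41c9d3580fa6e1925c07b84d6a33f0197e2ac5d48b613e9a04d7562fc18b")

if __name__ == "__main__":
    for label, pkt in (("plain", PLAINTEXT), ("opaque", OPAQUE)):
        print(label, "->", readable_qname(pkt))
```

If payloads captured between your machine and the resolver still return a hostname from `readable_qname`, those lookups are leaving the machine unencrypted.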

OpenDNS NetGear router settings

Changing your DNS settings to another provider will not cause any kind of overhead, and it might even be quicker than your ISP's DNS. I have been using Comodo DNS for well over 2 years with no problems at all. It will also work if you are using a VPN. You should treat DNSCrypt as an extra layer of security for your web browsing. TCP traffic can be enabled over port 443 (used for HTTPS) in case an external firewall mangles Internet traffic. OpenDNS warns that encrypted DNS reliability is not as good as that of their insecure DNS servers; if you experience slowdowns, switch back.

DNSCrypt is complementary to DNSSEC, which only provides authentication and a chain of trust, but not encryption, for DNS records. Both can work together without conflicts. DNSCrypt claims to use elliptic curve cryptography for DNS requests, with communication based on two public encryption keys.

Visit DNSCrypt homepage
