December 07, 2011, 3:01 PM — A new, free tool from OpenDNS promises to make domain name system (DNS) lookups--the conversion of a plain-English domain name into a numeric Internet address--more secure. DNSCrypt prevents third parties from intercepting your DNS requests and rewriting them to point your browser, email client, or other software to malicious or fake sites. That may sound like a tedious bit of Internet plumbing, but it profoundly improves your security.
The software addresses a significant flaw in the way that software clients decide which Internet servers to trust. As I explained recently, a client (like a Web browser) and server create an encrypted connection with one another by relying on third parties, known as certificate authorities (CAs), to assure the client of the server's identity.
These CAs provide digital documents to a site operator that are bound to a domain name (macworld.com) or a specific host-domain combination (www.macworld.com). A client can validate a server's documents by checking their digital signatures against a list of trusted CAs. Those lists are built into operating systems (Mac OS X's can be viewed via Keychain Access) and some browsers (Firefox being the primary example).
Unfortunately, there's a flaw in the system: One step in the validation process isn't protected cryptographically. The CAs hand out a certificate with just the text of the server or domain name. They do so to give site operators the flexibility to move servers to different domains or to have multiple IP addresses respond to the same domain name. Software clients that want to make Net connections must request those names in a plain text query that isn't protected against tampering. That creates a gap that can be exploited by substituting "poisoned" values for legitimate ones in DNS requests. So when your computer says it wants to go to www.example.com, for which the DNS server should return an IP address of 220.127.116.11, a poisoned value of 18.104.22.168 could come back instead.
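To make the gap concrete, here is a small added example (not code from the article or from OpenDNS) that builds and parses plain DNS messages. The only things a client can check on an ordinary DNS response are the 16-bit transaction ID and that the question section matches what it asked, so a constructed "poisoned" response carrying a different address passes exactly the same checks as the genuine one. The last two functions show the general principle behind a protected resolver channel: a message authentication tag computed with a key the client shares with its resolver lets the client reject a rewritten answer. That tag is an illustration of the idea only, not DNSCrypt's actual wire format, and the key, host name and IP addresses below are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct


def encode_name(name):
    """Encode a dotted host name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(data, ptr)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """Standard recursive A query: header, then one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Response echoing the question plus one A record; the name uses a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_message(data):
    """Parse header, the single question, and any A-record answers of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname, offset = decode_name(data, offset)  # this example assumes qdcount == 1
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "qname": qname, "qtype": qtype, "answers": answers}


def plain_dns_accepts(query, response):
    """Everything a plain DNS client can verify: transaction ID and question match.
    Nothing in the message binds the answer to the resolver that was asked."""
    q, r = parse_message(query), parse_message(response)
    return q["txid"] == r["txid"] and q["qname"] == r["qname"] and q["qtype"] == r["qtype"]


def tag_response(key, response):
    """Illustrative integrity tag over the whole response (HMAC-SHA256 with a shared key)."""
    return hmac.new(key, response, hashlib.sha256).digest()


def authenticated_accepts(key, response, tag):
    """A client holding the key can reject any response whose bytes were rewritten."""
    return hmac.compare_digest(tag_response(key, response), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    query = build_query(0x1234, "www.example.com")
    genuine = build_response(0x1234, "www.example.com", "220.127.116.11")
    poisoned = build_response(0x1234, "www.example.com", "18.104.22.168")
    print("plain DNS accepts genuine:", plain_dns_accepts(query, genuine))
    print("plain DNS accepts poisoned:", plain_dns_accepts(query, poisoned))
    tag = tag_response(key, genuine)
    print("tagged channel accepts poisoned:", authenticated_accepts(key, poisoned, tag))
```

Run as written, the script reports that plain DNS accepts both responses, while the keyed check accepts only the genuine one. The transaction ID is the only per-query secret in the plain protocol, which is why its small size matters so much and why an encrypted, authenticated channel to the resolver closes the gap rather than narrowing it.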
How it works