New tool patches security hole in DNS

By Glenn Fleishman, Macworld |  Security, DNS, OpenDNS

As you might guess from the name, DNSCrypt encrypts the exchange between your computer and the DNS server it queries, so a third party on the network can neither read the lookup nor substitute an answer of its own. That closes the gap for servers protected by SSL (where a spoofed lookup would otherwise steer you to an impostor before the certificate is ever checked) as well as for the many servers that aren't so well protected. If client software is connecting to a plain website, an unencrypted email server, or some other Internet service, DNSCrypt keeps that lookup accurate as well, defeating the DNS tricks used by so-called evil twins and other hotspot and network spoofing techniques. The protection covers the hop between you and the resolver you trust; it does not, by itself, vouch for what that resolver learns from the rest of the DNS.

When a program makes a DNS request, your computer consults the resolver built into the operating system, which passes the query on to one of the DNS servers listed in its TCP/IP settings. (In OS X, they're found in the Network preference pane, per adapter.) That DNS server in turn walks the hierarchy on your behalf: it asks a root server, which refers it to the servers for the top-level domain (.com, for instance), which refer it to the server that holds the records for the domain itself. The results are sent back to the resolver. (Whew.) DNSCrypt sends those lookups to OpenDNS instead of to the DNS servers operated by your own or a coffeeshop's Internet service provider (ISP). (You can set an adapter, such as Wi-Fi, to always use OpenDNS or another service; otherwise the server addresses are handed out by the network's router when it assigns your computer a local address.)
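To make concrete why a plaintext lookup on an untrusted network is so easy to subvert, here is an added example, not from the article and not OpenDNS's or DNSCrypt's own code, that builds an ordinary DNS query and a forged answer using only Python's standard library. The hostname, the 16-bit transaction ID and the 203.0.113.7 address (a documentation address standing in for an attacker's host) are constructed sample values. The point it shows is that a stock client has nothing to check beyond the transaction ID and the question, both of which an evil twin hotspot can read straight off the wire.

```python
import struct

# Constructed sample traffic: a query as the OS resolver would send it, and the
# reply an attacker on the same hotspot could send back. Nothing here is real capture.


def encode_name(name):
    """Encode a dotted hostname into DNS label format (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Plaintext UDP query for `name` (QTYPE 1 = A record), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid, name, ip, ttl=60):
    """Response carrying one A record. Any host on the path can forge one of these."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off = pointer
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_reply(msg):
    """Return (txid, question name, list of A-record IPs) from a response."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def client_accepts(query, reply):
    """The only checks a plain DNS client can make: the ID and the question match."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = decode_name(query, 12)
    r_txid, r_name, _ = parse_reply(reply)
    return q_txid == r_txid and q_name == r_name


def demo():
    """Replay the evil-twin scenario; returns (accepted?, IPs the client would use)."""
    query = build_query(0x1A2B, "www.example.com")
    # The attacker saw the plaintext query, so copying its ID and question is trivial.
    forged = build_answer(0x1A2B, "www.example.com", "203.0.113.7")
    return client_accepts(query, forged), parse_reply(forged)[2]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged reply accepted and the client handed 203.0.113.7 for www.example.com. The transaction ID is the only hurdle, and on a hotspot the attacker does not even have to guess it. DNSCrypt removes the opening by encrypting the query so the attacker cannot read the ID or the question, and by authenticating the reply to the resolver's key so a packet not produced by that resolver is dropped.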

OpenDNS came into being because the DNS servers at so many ISPs were slow and unreliable; it was (and is) a free and more efficient alternative to other DNS servers. But over the last few years those ISPs have improved their operations; in response, OpenDNS added more services to entice users, some free (like anti-phishing filtering), and some paid (like filtering and usage reporting). It automatically fixes common typos, changing .cmo to .com, for example. (Some security experts are critical of the company's policy of redirecting invalid domain-name entries to a Google search page from which it derives advertising revenue; curiously, Google, which also offers a free alternative DNS service, does not.)

While DNSCrypt works with OpenDNS's service alone, the company has released the specification and software as open source. That means the system could be adopted elsewhere, turned into plug-ins (like a Firefox add-on), or built directly into client software. (DNSCrypt works with OpenDNS's free and paid services, and is free to use.)

How to use it

Originally published on Macworld.