December 07, 2011, 12:42 PM — OpenDNS has released a preview of a tool that will encrypt DNS (Domain Name System) requests between a person's computer and the company's lookup service, potentially blocking malicious interceptions.
DNS requests are a fundamental part of how the Internet works. A DNS lookup translates a domain name into an IP address that can be called into a browser. ISPs provide DNS services to their customers, but OpenDNS runs its own lookup service that it says is speedier and provides better security protections.
As part of the design of the Internet, DNS requests are sent in clear text between a user and their DNS provider, wrote David Ulevitch, the founder and CEO of OpenDNS. That makes the DNS requests vulnerable to interception, such as a man-in-the-middle attack, he wrote.
If that occurred, an attacker could observe what domains are being resolved and in many cases what websites a person is visiting, he wrote.
"It happens all the time on insecure networks at coffee shops and even residences," Ulevitch wrote. "Some ISPs have even been accused of spying on their customers' activity."
The problem of plain-text DNS requests is not addressed by DNS Security Extensions (DNSSEC), a security protocol designed to protect the DNS (Domain Name System), Ulevitch wrote.
DNSSEC uses public key cryptography to digitally "sign" the DNS records for websites. The protocol is designed to stop attacks such as cache poisoning, where a DNS server is hacked, making it possible for a user to type in the correct website name but be directed to a fake website.
As indicated in its name, DNSCrypt encrypts those requests, which means if the traffic is intercepted, the hacker won't be able to see the content. The tool is free but is only for Mac OS X systems. The code is open source.