Slashdot Mirror
OpenDNS Releases DNS Encryption Tool
wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."
I mean... reverse domain name lookups exist. I guess you'll still need to use an encrypted proxy like TOR?
(Wait, doesn't TOR encrypt your DNS requests?)
Because the danger isn't poisoning the cache of an end user. The trouble comes when a site's DNS cache is poisoned, affecting hundreds or thousands of users.
Most of these DNS caches are run on a UNIX derivative.
but isn't SSL protocall independent? wouldn't it make more sense just to do DNS with SSL?
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
The solution is for the 'last mile', ie. the connection between the end user and the ISP. As such, the encryption software will have to run on the user's machine.
It's a good idea but:
- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special of clever, and requires the co-operation of all your upstream DNS servers.
- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, a "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?
- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.
That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.
But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.
Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I lookup.
I'm sure they're no worse than other DNS providers and at least they do appear to have options to opt-out of the above behaviour, but if your DNS provider is fooling with your encrypted DNS requests, what's the point?
Yes, because a desire to play games and security are mutually exclusive. /end sarcasm
For me the important point isn't to hide addresses that are being looked up, but to determine the credibility and integrity of the response I receive. Encryption is about more than just hiding data.
Regarding the name, I'm not sure what you're complaining about. Where is it written that any entity that prefixes their name with "Open" needs to be an open source project. They are free to use.. If you want to pick on a misleading name, try NetZero...
Windows users don't give a shit about security, thats why they're running Windows.
YAY GAMES DURR
Linux users don't give a shit about getting work done, that's why they're running Linux.
YAY SPENDING FIFTY HOURS TWEAKING MY WINDOWING ENVIRONMENT DURR
Oh, what, that's flamebait, but apparently your comment is "Interesting"? Grow the fuck up. Windows is a hell of a lot more secure than it used to be, Linux and BSD have had their share of vulns as well, and the big threat stopped being the OS a long time ago, it's now shit like Adobe Reader. Oh, wait, this is Slashdot... I should be expecting a BSOD joke, followed by a Clippy joke, followed by a Microsoft Bob joke, because those are all about as topical...
DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks.
This will be great for people that don't have ISPs actively redirecting DNS traffic to their specific servers so they can sniff it, Warner, Comcast et el.
Having to work for a living is the root of all evil.
This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection that is because the SSL handshake is done every so often (at the beginning of each resource download). However implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.
This doesn't even account for the DNS resolver's resource usage, given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable and having persistant connections hanging open for an ISP-load of users would not be an option either as the servers' open file descriptors would get exhausted.
Everything is a heavier protocol then DNS. By default DNS queries are plain UDP packets, that way you do not have any handshaking overhead.
I don't have any problem with their name. While they may not be an open source project, their goal is to provide an unbiased (I'd call that "open") DNS server, that anyone can use without registering or paying (also pretty "open" of them), with the intent of keeping the internet open for anyone (that one is self-explanatory). Doesn't sound like a misleading name at all to me.
NetZero launched as a free to use service that derived revenue from ads. Now when they dropped that, they definitely should have changed the misleading name.
So anyone know of a client that can be run from a DD-WRT or Tomato router? I'd be up for throwing it on my home router it there's a client that I can just add right into the router.
i believe this tool hides the dns query from being logged by the isp.
However I'm unsure if that helps the enduser that much.
If i was to ask for say piratebay.org it will send back the ip address without my ISP knowing i have the piratebay.org ip address from opendns but then the next step would be to request a page from that ip and wouldn't that be logged or blocked by the ISP?
Can someone with a clue clarify the matter?
Blarney Quality Restaurant, Plants
OpenDNS does have an appeal. However it is such a high target for malware writters. If you can poison it you get tons of bussiness andeCommerce bank logins who go out of there way to use openDNS for security. I am nervous switching to it. Especially after CA keeo getting hacked into
http://saveie6.com/
Wait.
Are you saying that you do not think that Clippy and Bob are funny?
Why is it so hard to only have politicians for a few years, then have them go away?
Not all uses of the word "Open" need to abide by your one definition of the word.
Why is it so hard to only have politicians for a few years, then have them go away?
There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system.
I would assume they want a public test with less than 30 million users for now. :)
Apple built a platform for their ideas, Google built one for everyone's.
Not all uses of the word "Open" need to abide by your one definition of the word.
Yes they do. Just like how "pirate", "steal", and "take" each have exactly one definition that can never ever ever never ever ever ever be changed ever, and that definition is whatever is most convenient for my illegal movie downloading rationalization.
(now, watch as someone deliberately misinterprets that as "downloading illegal movies" just to distract from my point)
This is a bad idea, and it's being deceptively promoted. The OpenDNS site says "DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security." This is willfully misleading.
This isn't a way to make the existing distributed DNS infrastructure more secure. It just establishes an encrypted connection between your machine and one central DNS server farm belonging to OpenDNS. One that makes its money by redirecting nonexistent domains to ad sites.
There have been slimy DNS providers before. Comcast is notorious for this. The Wikipedia article on OpenDNS summarizes the privacy issues, conflicts, and problems with OpenDNS. At one point, OpenDNS tried redirecting address bar searches to their own search page., which is apparently permitted by their terms of service.
OpenDNS isn't that bad. They're only a little evil. But they're also unnecessary.
Well to be fair a couple weeks ago one of my Windows machines did flash a BSOD before auto-rebooting.
Two of my imaginary friends reproduced once
While I haven't investigated it, I would suspect that Windows' DNS functionality isn't quite so pluggable as it is for the *nix OSs. It may well just be impractical to implement.
Two of my imaginary friends reproduced once
They might be thinking that the "user's machine" could be something like a DSL router, which may already be servicing user's DNS requests with dnsmasq or something like that. There are all sorts of opportunities to improve the functionality of these spots, without really needing to impact the software and protocols run by the actual endpoints. It's not so much the "last mile" that is most vulnerable, but rather, the "last mile except for the last 30 feet." In your LAN itself is compromised, then the intruder is already in the house and you are totally screwed no matter what you do. ;-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Sounds plausible enough too. Guess we can safely write off that "odd" remark. :P
Apple built a platform for their ideas, Google built one for everyone's.
Hiding the domain name may help protecting against censorship. There are places where DNS requests are censored. Even if the packets are integrity protected, it doesn't stop an ISP from just dropping every lookup or response for domain names they want to censor.
Do you care about the security of your wireless mouse?
FTA: "(mac only at the moment)"
I8-D
OpenDNS is called OpenDNS because they provide and open recursor service.
New things are always on the horizon
Could it be the user's router? That is, I'm running dd-wrt (Open-wrt, Tomato, or etc.). Could this tool be installed in the router firmware to provide the last mile protection? Then it is up to the user to provide the last 100 meters by ensuring their networks point to their router for DNS resolution.
Umm, yeah. What Sloppy said up there ^^
Indeed... I switched to GoogleDNS from OpenDNS a while after it came out. I figure Google already knows everything about me they're likely to find out from DNS data.
How many unique DNS requests leave your network in a 1 hour period? My guess is: fewer than 60, unless you're a search engine or security firm. Even running torrents with DNS resolution won't go much beyond this. How many SSL handshakes are performed in that period? I'd guess hundreds.
Think about it this way: web browsers these days tend to proactively resolve domains. Since most network activity uses a web browser or a fixed domain (email, etc.), the usage should be minimal (except for p2p, where it'll still be reasonable).
That's the problem.
Most Netgear routers that ship, by default, employ a DNS proxy. Any user machine that uses DHCP will be told the DNS server is 192.168.1.1 and use whatever DNS is defined in the WAN configuration.
Deploying a standard-less DNS encryption is only going to happen in one of two places. The user's machine or a DNS proxy being run on a server.
Routers are out of the question, even high end ones, for the time being without a standard. Even then, it will be a long long long time before firmware updates are pushed out to address most home routers. Considering Linksys's super-laid-back-who-gives-a-shit-approach to firmware development (it takes years for features) that leaves only Tomato or DD-WRT to pick it up. You will see TCP/IP v6 before you see a deployed standard for DNS encryption on home routers.
So, the vast majority of OpenDNS users have defaulted routers and Windows OS, and no home servers in sight. How is this supposed to work? Apple does not represent everybody at the moment by far.
Furthermore..... what about corporate use of OpenDNS? I like using it in corporate settings. Normally, I find it more reliable than the ISP. Unless they release an intercepting, or transparent, DNS proxy service that can run on Linux/Windows Server it will be useless.
Corporate machines depend on the local DNS server to resolve everything from printer addresses to which domain controller to authenticate too. It is essential to any Windows network (read domain controller) setup. Installing this on a corporate machine would just fuck everything up in a hurry unless their software is smart enough to forward queries to the machine defined DNS server.
This is a non-starter. Come back when you have a Windows app designed for home users first. Then after you see how well that works, release a corporate level product like a transparent DNS proxy that we can install on our servers.
What is the whole point? OpenDNS is not vulnerable to DNS poisoning? So instead of the local ISP, or government monitoring and altering my traffic OpenDNS gets to do it? They already do it to me anyways and they would just roll over for the government no different than any other major company.
So what am I getting out of this? Making sure that OpenDNS has its profits protected and that I completely rely on OpenDNS for secured DNS queries? That's all it sounds like.
When I am paranoid about my DNS queries I can just route them through TOR on a special throwaway machine. Then it is logged coming from the exit node's IP address.
Linux users don't give a shit about a desktop, that's why they're running Linux
YAY HEADLESS SERVERS DURR
You know..... I have to laugh.
Linux users apparently done't give a shit about a nice desktop and user friendliness. I say that..... because... it is neither good looking, highly functional, or user friendly.
I just plain *enjoy* a Windows 7 desktop experience more than any Linux GUI. Just the truth. I even enjoy Mac OS X more than Windows as far as visual aesthetics are concerned.
The funny part is the headless servers. I run a *ton* of headless CentOS servers. I can honestly say that for what needs to be done on them I am not missing the desktop at all. Give me a terminal and I am good to go.
So you are actually correct. As a Linux user I don't give two shits about the desktop. It's about other things.....
This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection that is because the SSL handshake is done every so often (at the beginning of each resource download). However implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.
SSL's overhead is in the handshake: in this scenario, the client would only handshake once, on its first DNS request to its upstream resolver.
Your other concerns could be taken care of by DTLS.
This doesn't even account for the DNS resolver's resource usage, given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable and having persistant connections hanging open for an ISP-load of users would not be an option either as the servers' open file descriptors would get exhausted.
First of all, under no circumstances do you throw AOL's user base at a single server, no matter the service.
Apart from that, Linux can handle millions of open file descriptors (up to 1million/process by default) nowadays, the bottleneck is elsewhere.
In any case though, DNS is mostly stateless and uses UDP by default, why would your protocol be any different?
nah, if that were the case the government wouldn't be able to function. Agencies like the NSA work under the assumption that they have already been compromised. There is plenty that can be done to insure integrity of a network's components even when the network itself has been compromised. That said, it is preferable to avoid such a scenario.
Get a web developer