OpenDNS Releases DNS Encryption Tool
wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."
Because the danger isn't poisoning the cache of an end user. The trouble comes when a site's DNS cache is poisoned, affecting hundreds or thousands of users.
Most of these DNS caches are run on a UNIX derivative.
One word: Diginotar.
.sig: No such file or directory
The solution is for the 'last mile', i.e. the connection between the end user and the ISP. As such, the encryption software will have to run on the user's machine.
It's a good idea but:
- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special or clever, and requires the co-operation of all your upstream DNS servers.
- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, an "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it, but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?
- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.
That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.
But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.
Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I lookup.
I'm sure they're no worse than other DNS providers and at least they do appear to have options to opt-out of the above behaviour, but if your DNS provider is fooling with your encrypted DNS requests, what's the point?
Yes, because a desire to play games and security are mutually exclusive. /end sarcasm
Windows users don't give a shit about security, that's why they're running Windows.
YAY GAMES DURR
Linux users don't give a shit about getting work done, that's why they're running Linux.
YAY SPENDING FIFTY HOURS TWEAKING MY WINDOWING ENVIRONMENT DURR
Oh, what, that's flamebait, but apparently your comment is "Interesting"? Grow the fuck up. Windows is a hell of a lot more secure than it used to be, Linux and BSD have had their share of vulns as well, and the big threat stopped being the OS a long time ago, it's now shit like Adobe Reader. Oh, wait, this is Slashdot... I should be expecting a BSOD joke, followed by a Clippy joke, followed by a Microsoft Bob joke, because those are all about as topical...
DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks.
This will be great for people that don't have ISPs actively redirecting DNS traffic to their specific servers so they can sniff it, Warner, Comcast et al.
Having to work for a living is the root of all evil.
This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection that is because the SSL handshake is done every so often (at the beginning of each resource download). However implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.
This doesn't even account for the DNS resolver's resource usage. Given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable, and having persistent connections hanging open for an ISP-load of users would not be an option either, as the servers' open file descriptors would get exhausted.
Everything is a heavier protocol than DNS. By default DNS queries are plain UDP packets, so you do not have any handshaking overhead.
So anyone know of a client that can be run from a DD-WRT or Tomato router? I'd be up for throwing it on my home router if there's a client that I can just add right into the router.
OpenDNS does have an appeal. However, it is such a high target for malware writers. If you can poison it you get tons of business and eCommerce bank logins who go out of their way to use OpenDNS for security. I am nervous switching to it, especially after CAs keep getting hacked into.
http://saveie6.com/
Not all uses of the word "Open" need to abide by your one definition of the word.
Why is it so hard to only have politicians for a few years, then have them go away?
Wait, doesn't TOR encrypt your DNS requests?
No.
Actually your DNS requests can be encrypted and tunneled through TOR (just point your DNS requests at the SOCKS5 server). However they'll be decrypted at the exit node just like plaintext HTTP traffic.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The purpose isn't to hide your DNS requests from your ISP, it's to prevent some of the known attacks that spoof a DNS reply. That's easy to do if they are sent in the clear and have no signatures.
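To make the point above concrete, here is an added example (not code from the thread or from OpenDNS) that builds a constructed DNS query and reply and applies the only acceptance check a plaintext UDP stub resolver has: the 16-bit transaction ID, the question section and the QR bit must match. Names, IDs and addresses are constructed sample values.

```python
# Added example: minimal DNS wire-format builder plus the match check a
# cleartext, unsigned DNS client relies on. No network I/O; all values are
# constructed for illustration.
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label), root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, name: str, addr: str, qtype: int = 1) -> bytes:
    # Flags 0x8180: QR=1 (response), RD=1, RA=1; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in addr.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer

def parse_question(msg: bytes) -> tuple:
    """Return (transaction ID, lower-cased qname, qtype) from the first question."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, ".".join(labels).lower(), qtype

def reply_matches(query: bytes, reply: bytes) -> bool:
    """Everything plaintext DNS can verify: same ID, same question, QR bit set."""
    qid, qname, qtype = parse_question(query)
    rid, rname, rtype = parse_question(reply)
    qr_set = struct.unpack("!H", reply[2:4])[0] & 0x8000
    return qid == rid and qname == rname and qtype == rtype and bool(qr_set)
```

Anyone who can read the query on the wire already knows everything this check tests, which is why the thread treats encryption or signatures on the last mile as the actual fix.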
This is a bad idea, and it's being deceptively promoted. The OpenDNS site says "DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security." This is willfully misleading.
This isn't a way to make the existing distributed DNS infrastructure more secure. It just establishes an encrypted connection between your machine and one central DNS server farm belonging to OpenDNS. One that makes its money by redirecting nonexistent domains to ad sites.
There have been slimy DNS providers before. Comcast is notorious for this. The Wikipedia article on OpenDNS summarizes the privacy issues, conflicts, and problems with OpenDNS. At one point, OpenDNS tried redirecting address bar searches to their own search page, which is apparently permitted by their terms of service.
OpenDNS isn't that bad. They're only a little evil. But they're also unnecessary.
They might be thinking that the "user's machine" could be something like a DSL router, which may already be servicing users' DNS requests with dnsmasq or something like that. There are all sorts of opportunities to improve the functionality of these spots, without really needing to impact the software and protocols run by the actual endpoints. It's not so much the "last mile" that is most vulnerable, but rather, the "last mile except for the last 30 feet." If your LAN itself is compromised, then the intruder is already in the house and you are totally screwed no matter what you do. ;-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.