Today we unveil DNSCrypt, a new security tool we’ve developed that has been on our minds for a long time. It has a simple but important function: encrypt all DNS traffic between you and OpenDNS. Nothing else like it exists, and we have very high expectations for the positive impact it can have on the Internet security and privacy of millions of people around the world.
DNS is a critical part of the Internet’s infrastructure, and though a good deal of attention has been paid to improving its security in recent years with DNSSEC, an important part has been overlooked. It’s what’s often referred to as the “last mile,” or the connection between you and your ISP or your DNS provider, if you use a DNS service like OpenDNS. It’s in this “last mile” that bad things are most likely to happen — snooping, tampering, or even hijacking traffic. Anyone who knows what they’re doing can eavesdrop on your Internet activity and see exactly which domains you are resolving, and in many cases, what websites you’re visiting.
It happens all the time on insecure networks at coffee shops, and even residences. Some ISPs have even been accused of spying on their customers’ activity. What’s worse, the “last mile” is ripe for man-in-the-middle attacks, where an intermediary inserts themselves into your traffic path, masquerading as your intended destination while being able to see and modify your traffic. This leaves the Internet user with little confidence.
DNSCrypt changes this and has the potential to completely revolutionize Internet security. DNS has, unfortunately, always had some inherent weaknesses because it’s transported in plain text. DNSSEC has never attempted to address that (crazy, I know). Encrypting all DNS traffic means a fundamental change to the security of the system on the whole and a strong improvement. It’s not the only solution, and there’s still an important place for verification and validation of domains like DNSSEC provides, but it’s a very strong first step.
We’ve been sharing DNSCrypt with security experts over the past several weeks and the feedback has been phenomenal. A tool like DNSCrypt is critically necessary to ensure the security of DNS going forward. DNSCrypt is a “technology preview” today, and the code is being open-sourced. For the über-nerds, our implementation is the first (known) implementation of the forwarder ideas expressed in the DNSCurve community, which, as many will recall, we were one of the first to implement.
Download DNSCrypt today and try it for yourself.


Hemo_jr
This looks like a very useful utility. I look forward to using the Windows version.
posted on December 6th, 2011 at 9:17 am
DNSCrypt, an application for encrypting the connection to OpenDNS | PowerBlog.it
[...] Via | OpenDNS Blog [...]
posted on December 6th, 2011 at 11:01 am
Man in the Middle
I’m guessing you don’t have a version that would work on an Apple Airport Extreme router that hosts a home wired/wireless network yet. Correct?
posted on December 6th, 2011 at 11:04 am
Mxx
Is there a timeline/roadmap for Windows version?
posted on December 6th, 2011 at 12:44 pm
Erin Symons
We expect a Windows version in the near future. The code is now available on GitHub.com: https://github.com/opendns/dnscrypt-proxy
posted on December 6th, 2011 at 12:45 pm
Geop
What about Linux?
posted on December 6th, 2011 at 1:23 pm
Erin Symons
The code available at the link above works with Linux and BSD systems.
posted on December 6th, 2011 at 1:29 pm
Jon
Any plans to integrate caching functionality?
posted on December 6th, 2011 at 4:43 pm
anon2
With OpenDNS running on a router, will DNSCrypt run on any Mac OSX device tied into such network?
posted on December 6th, 2011 at 10:01 pm
Luke
Have you considered partnering with smartphone makers/providers like Apple, Google, Microsoft, etc to see if they would incorporate an implementation in their OSs? That would be perfect for public wifi.
posted on December 6th, 2011 at 11:37 pm
TopHostingProviders
Thank you for DNSCrypt…very useful tool!
posted on December 7th, 2011 at 1:54 am
Will
I still don’t understand, if I am running DNS crypt do I also still have to run OPENDNS updater?
posted on December 7th, 2011 at 4:15 am
foo
How about working to integrate with dd-wrt? I would be much more likely to use this if that was the case.
posted on December 7th, 2011 at 5:04 pm
DT
I downloaded and installed DNSCrypt on my Mac, but it says it won’t run on intel macs when I access it in the preferences panel. Is that correct? This will only run on ancient PowerPC macs? I am running MacBook Pro with latest OSX, what am I missing?
posted on December 7th, 2011 at 6:37 pm
Mike Grace
Seriously awesome!!! Great work! This is a great step forward for the internet and our future.
posted on December 7th, 2011 at 9:25 pm
Rudy
I’m not quite understanding how it is all implemented yet, but it would be interesting to see if it would run on a DD-WRT-enabled router.
posted on December 7th, 2011 at 10:35 pm
Robert
All I’m looking for is a forwarding service running under any Linux variant. (not just BSD) I’d have my whole enterprise paying for opendns if that’s what it took, and everyone I know as well.
posted on December 8th, 2011 at 10:32 am
Terry
Any plans for an iPad version?
posted on December 9th, 2011 at 6:13 am
Greg Raven
I can’t get DNSCrypt to stay on. I turn it on, but as soon as I click a link in a browser, it turns itself off.
posted on December 9th, 2011 at 7:32 am
bp1
What a great idea. Like others I really look forward to this being available for the windows version. Hopefully further development will take it to the router level.
Great work again by OpenDNS
posted on December 9th, 2011 at 10:04 am
SomeDude
@Robert
Maybe I’m misreading what you said, but I was able to build/run dnscrypt-proxy from opendns’s git page on Ubuntu Maverick.
posted on December 10th, 2011 at 7:13 am
Carl Hammel
I have been an OpenDNS user for years. I just downloaded and installed DNSCrypt on my two-year-old iMac running Lion 10.7.2 and Safari 5.1.2 and the loading of web pages stopped cold.
The Address bar goes blue but no site loads and I am faced with a blank white page.
Uncheck the Enable DNSCrypt box and pages load in a flash.
I quit and restarted Safari; no difference.
Not yet ready for prime time or have I missed something?
Gunni
posted on December 11th, 2011 at 9:40 am
Gustavo Carreno
Just “git clone;./configure;make;make install” on my Slackware 13.37 that acts as my firewall with 2 NICS.
Seems to work and play nice with dnsmasq.
Thanks for the good work on such an important tool!!
Just one question: Will we have some kind of indication on stats, about the crypt and non-crypt queries?
Thanks!!
posted on December 11th, 2011 at 8:33 pm
Nick Barnard
Very nice, although one pain point is when I do get onto that public WiFi network (AT&T Hotspot) I have to disable it so the hotspot can hijack my connection so I can click their terms, then turn it back on to secure my WiFi. It works technically, but it’s a pain. Perhaps there is a simpler way that DNSCrypt can recognize it can’t reach OpenDNS, sees that it’s hijacked, allow a whitelist of hijacked domain destinations? Sure not as secure, but with the proper notifications this’d be nice and smooth.
posted on December 11th, 2011 at 9:51 pm
Dju
Really nice tool you made there
I’ve been using Opendns for years now, and it avoided me lots of problems. But today, with more & more growing question of “net neutrality”, I can only agree with it.
So, I installed it on my router, running bind & debian, wrote a simple init script to start it easily at boot.
it works fine
posted on December 15th, 2011 at 4:55 pm
Dan
DNSCrypt is simply – SPECTACULAR !
Only the best folks, only the best … way to go OpenDNS !
posted on December 16th, 2011 at 9:03 am
Security Update | Your source for downloading popular benchmarks
[...] a compliment to DNSSEC, OpenDNS, a leader in DNS security measures, has released its new DNSCrypt service as a "technology preview." Currently only available for Macs, this software will [...]
posted on December 16th, 2011 at 9:09 am
fruttini
I can’t wait for open dns crypted on windows, please do it as fast as possible, hip hip hurra to open dns mkay
posted on January 30th, 2012 at 9:43 am
OpenDNS Community > Blog
[...] first announced DNSCrypt in December. And the response to the new service, which is a first-of-its-kind way to easily secure [...]
posted on February 7th, 2012 at 8:52 am
OpenDNS Community > Blog > DNSCrypt for Windows has arrived.
[...] a preview of one of the most critical and innovative technologies DNS security has seen. DNSCrypt, available initially only for Mac, works by encrypting all DNS traffic between you and your DNS provider, OpenDNS. That critical path [...]
posted on May 9th, 2012 at 8:59 am