The Internet Domain Name System (DNS) is truly amazing technology – without it, you wouldn’t be able to type in google.com and reach your destination. DNS was created to give humans an easy-to-remember name in place of a server’s IP address. Think of it as knowing a street address instead of remembering the latitude and longitude of someone’s house. DNS takes a friendly name, such as google.com, and translates it behind the scenes to an IP address, which, thankfully, you don’t have to remember.
While the technology is great, it is also over 30 years old at this point and fundamentally insecure. It is insecure because it is rather easy for an attacker to hijack an address, such as google.com, and point it to a server of their choosing. As an attacker, I could create a replica of the Google homepage that looks and feels exactly like the real thing, and collect information and credentials from you without your knowledge. Because of this, fixing DNS and implementing security extensions is a priority for governments and security professionals.
If your organization isn’t using some sort of DNS control or administration, such as OpenDNS (part of Cisco), you should consider implementing it posthaste to secure your entire network. With OpenDNS, you can categorically block malicious websites from ever being accessed, even inadvertently. You can also control which websites are whitelisted or blacklisted. Many of these features are available in their free tier. However, DNS by itself is not an encrypted protocol. As mentioned before, this means that an attacker can still perform a “man-in-the-middle” attack, which redirects your traffic to a malicious server. Additionally, since DNS traffic is unencrypted, it is susceptible to snooping or logging by your internet service provider. Basically, they could have a record of every address you’ve typed in – because it has to go through their DNS server to be resolved to an IP address.
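To make the snooping point concrete, here is an added example (not code from the original post or from OpenDNS) that encodes a plain DNS query in the RFC 1035 wire format and then decodes it the way any device on the path could. The packet for google.com is constructed inline; the function names and the transaction ID are assumptions chosen for the example. Nothing about the packet is hidden: the queried name sits in cleartext, which is exactly what DNSCrypt encrypts.

```python
import struct

# Constructed sample: a plain UDP DNS query for google.com (A record), exactly as it
# would appear on the wire with no DNSCrypt in front of it.

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive DNS query (RFC 1035 wire format) for `name`."""
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is a length byte followed by the label, terminated by 0x00
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_query(packet: bytes) -> dict:
    """Decode the header and the first question of a DNS packet (no decompression)."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only appear in responses; refuse rather than misparse.
            raise ValueError("compression pointer in question name (unexpected in a query)")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {
        "id": txid,
        "flags": flags,
        "is_response": bool(flags & 0x8000),  # QR bit
        "qname": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "qdcount": qdcount,
    }


def names_seen(packets) -> list:
    """What a passive observer (ISP, hotspot, on-path attacker) learns from plain DNS."""
    return [parse_query(p)["qname"] for p in packets]


if __name__ == "__main__":
    # Constructed traffic: three lookups a user might make in a browsing session.
    wire = [build_query(n, txid=i) for i, n in enumerate(["google.com", "mybank.example", "webmail.example"])]
    print(wire[0].hex())          # raw bytes on the wire, name readable in the dump
    print(names_seen(wire))       # every queried hostname, recovered without any key
```

Running the block prints the hex of the first packet and the full list of hostnames recovered from the constructed traffic. The same decode works on a real capture of port 53 traffic, which is why the protocol is easy to log at the resolver and easy to spoof on the path; DNSCrypt’s authentication and encryption remove both the readable name and the ability to forge the answer.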
Enter DNSCrypt. This is a network protocol that authenticates traffic between the endpoint and the DNS server. It effectively makes DNS more secure by encrypting the DNS traffic and preventing DNS spoofing techniques. If you or your organization is a user of OpenDNS, they have a simple, albeit older, little client for Windows and Mac OS, which easily enables DNSCrypt for that device. According to OpenDNS/Cisco, “DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.”
For individuals and small environments, deploying individual clients should suffice. For larger-scale applications, DNSCrypt can be deployed as a proxy on a DNS server or a router for your organization, thereby protecting the entire network infrastructure.
Of course, if you prefer alternate DNS servers and wish to use other resolvers with DNSCrypt capabilities, you may want to take a look at Simple DNSCrypt, which allows you to connect to a variety of DNS resolvers and will tell you whether they use DNSSEC (more on this in another post) and/or logging.
If you would like to know more about DNSCrypt, installing the OpenDNS client, or deploying a DNSCrypt network appliance, please contact us!