DNSCrypt: a tool to encrypt all DNS traffic
DNS service provider OpenDNS has announced a preview release of a new open source tool to improve internet security: DNSCrypt encrypts all DNS traffic between a user's system and the DNS resolver it talks to. The tool is currently only available for the Mac, with a Windows version promised, and only works with OpenDNS's own resolvers. Normally, DNS queries and answers travel between client and resolver as plaintext, which leaves them open to snooping, to modification in transit and to man-in-the-middle attacks. By encrypting the exchange, OpenDNS hopes to make the "last mile" of DNS, the hop between the user's machine and the resolver, more secure.
DNS Security Extensions (DNSSEC) add origin authentication and integrity checking to DNS data, so a forged or altered answer can be detected, but they do not encrypt the exchange, so anyone on the path can still read which names are being looked up. David Ulevitch, the CEO of OpenDNS, says that DNSCrypt is designed to address that shortcoming, noting that it is an implementation of the DNSCurve forwarder concept. Ulevitch says the tool is a "technology preview" and that it should be complementary to DNSSEC, adding that encrypting all DNS traffic is "not the only solution, and there's still an important place for verification and validation of domains like DNSSEC provides, but it's a very strong first step". He did not, however, outline any plans to present DNSCrypt to standards bodies.
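To make the distinction concrete, here is an added illustration in Python; it is not code from OpenDNS, DNSCrypt or DNSCurve, and it does not implement their protocol. It builds a real RFC 1035 query and answer for a constructed name, shows what an on-path observer reads and what a man-in-the-middle can change undetected, then adds first an integrity tag (an HMAC standing in for a DNSSEC signature, which in reality is a public-key signature over zone data) and then an authenticated toy encryption layer (an HMAC-SHA256 keystream plus tag, standing in for the DNSCurve-style authenticated encryption that DNSCrypt uses). The shared key, the fixed nonce and the address 93.184.216.34 are assumptions chosen for the example.

```python
"""Added illustration, not OpenDNS/DNSCrypt code: plaintext DNS vs. authenticated
vs. encrypted DNS on the last mile, using only the Python standard library."""
import hashlib
import hmac
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal RFC 1035 query: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def parse_qname(msg, offset=12):
    """Read the uncompressed QNAME that follows the header; returns (name, end)."""
    labels = []
    while True:
        n = msg[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        labels.append(msg[offset + 1:offset + 1 + n].decode())
        offset += 1 + n


def build_response(query, ip):
    """Answer the query with a single A record pointing the client at `ip`."""
    txid = query[:2]
    _, qend = parse_qname(query)
    question = query[12:qend + 4]
    header = txid + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    # c0 0c = compression pointer back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def answer_ip(resp):
    """Extract the address from a response produced by build_response."""
    return ".".join(str(b) for b in resp[-4:])


def mitm_rewrite(resp, new_ip):
    """An on-path attacker swaps the address; plaintext DNS cannot tell."""
    return resp[:-4] + bytes(int(o) for o in new_ip.split("."))


# --- Authentication only (stand-in for DNSSEC): tampering is detected, content is still readable.
def sign(resp, key):
    return resp + hmac.new(key, resp, hashlib.sha256).digest()


def verify(signed, key):
    resp, tag = signed[:-32], signed[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key, resp, hashlib.sha256).digest())
    return resp if ok else None


# --- Authenticated encryption (toy stand-in for the DNSCurve/DNSCrypt layer): hides and protects.
def keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(msg, key, nonce):
    """nonce must be unique per message in real use; fixed here for reproducibility."""
    ct = bytes(a ^ b for a, b in zip(msg, keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_box(box, key):
    nonce, ct, tag = box[:8], box[8:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # modified in transit
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def demo():
    """Run the three scenarios; returns what observer, attacker and client end up with."""
    key = hashlib.sha256(b"assumed shared secret for the example").digest()
    query = build_query("example.com")                       # constructed sample name
    honest = build_response(query, "93.184.216.34")          # constructed sample answer
    forged = mitm_rewrite(honest, "10.0.0.1")
    signed = sign(honest, key)
    signed_forged = mitm_rewrite(signed[:-32], "10.0.0.1") + signed[-32:]
    box = seal(query, key, b"\x00" * 8)
    return {
        "observer_sees_qname": parse_qname(query)[0],        # plaintext: name is readable
        "client_accepts_forged_plaintext": answer_ip(forged),  # plaintext: forgery accepted
        "verify_honest": verify(signed, key) == honest,      # DNSSEC-style: good answer passes
        "verify_forged": verify(signed_forged, key),         # DNSSEC-style: forgery rejected
        "qname_visible_in_box": b"example" in box,           # encrypted: name hidden
        "box_opens": open_box(box, key) == query,            # encrypted: client recovers query
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The authenticated-only step is the DNSSEC situation the article describes: the forged answer is rejected, yet `signed` still carries the question and answer in the clear. Only the sealed box removes the name from the wire, and a tampered box fails to open, which is the combination the "last mile" argument is about.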