DNS Encryption
Dec. 9th, 2011 02:52 pm
DNS, the Domain Name System, is a database lookup that translates a domain name entered into a browser or other program into an IP address. You type www.google.com, DNS does a lookup and finds that Google's IP address is 74.125.227.83. Simplifies things all around.
Usually your default DNS provider is configured by your ISP, which looks upstream to heftier DNS servers for their information. You can configure your computer to use any DNS server that you like, but you could potentially be violating the terms of service of your ISP or the other server.
The problem is that the DNS lookup process happens in plain text, meaning that you are potentially vulnerable to man-in-the-middle snooping and possible alteration. There has been a lot of effort over the last couple of years to make DNS more secure, including encryption. And now an encrypted DNS system is available!
The DNS service provider OpenDNS is providing encrypted lookups to its DNS servers for Mac clients. A Windows version is promised, and since the source code is available on GitHub, I'm sure a *nix version will be available soon.
http://www.h-online.com/security/news/item/DNSCrypt-a-tool-to-encrypt-all-DNS-traffic-1392283.html
no subject
Date: 2011-12-10 07:36 pm (UTC)
no subject
Date: 2011-12-10 10:37 pm (UTC)
The issue was the original design of Unix and the internet was focused on openness to make it spread further and faster. Security wasn't a huge concern initially, but when the internet came along and DNS was needed, again, openness was preferred over locking it down. Then a couple of years ago there were some DNS failures mainly due to bad configuration, one such case routed something like 70% of the world's web traffic through China. So they started making DNSSEC to validate DNS servers to each other. But this method, actually encrypting DNS traffic, is definitely a better way to go as it pretty much eliminates man-in-the-middle and spoofing/substitution.
I should check in to the reviews of OpenDNS's service as I'm a Mac person and this appeals to me.
I like the fact that Google is now encrypting most of its HTTP traffic, that's definitely a good thing. I wonder how long until all web/internet traffic is encrypted.
no subject
Date: 2011-12-11 01:37 am (UTC)