DNSSEC has been making the headlines lately as a possible defense against nasty DNS redirection schemes on the server end. Combined with anti-malware efforts at thwarting DNS changing via malicious registry/host file modification, it’s making a dent. Now OpenDNS is proposing a last mile approach called DNSCrypt which intends to secure the problematic link between users’ devices and the Internet itself. By releasing a security add-on using encrypted communication to get your requests to and from the DNS server, the effort aims to protect the traffic from intermediary prying eyes and man-in-the-middle DNS redirection attacks, which may spirit you off to potentially malicious sites.
DNS traffic is a traditional, well-known, unencrypted communication that directs users to websites using their text names rather than having to remember the IP of each site you visit. It touches almost every aspect of communication, from browsing the web, to email, IM, and a host of other technologies. When DNS breaks (for whatever reason), the whole Internet fabric starts to fall apart, which is why there’s such a level of concern. Break it for malicious reasons, and scammers can redirect traffic wherever they please instead of your original intended destination.
This has been a boon for setting up fake (but convincing) websites which encourage users to input personal/sensitive information. If a scammer set up a fake banking site and you were a victim of a DNS scam, when you went to visit your bank’s website to access your bank account information online, you would be redirected to the very real looking fake site. Many users wouldn’t notice the difference, until later when they get their bank statement and notice fraudulent use of their funds. A call to the bank might also be an exercise in futility, adding to the pain. Also, once data is stolen like this, it may become a victim of further underworld data sales and similar schemes.
Will DNSCrypt fix DNS scams? Not entirely, but it will fix one aspect certainly subject to nastiness. After all, the DNS ecosystem is a pretty miraculous construct, linking together many untrusted pieces to form a cohesive (largely) trusted platform, which it has done remarkably well. But if scammers can redirect large pieces of internet traffic by scamming DNS, the impact can be huge. DNSSEC will increase levels of trust among DNS servers, but if the last mile goes unprotected, the whole exercise may be sidestepped and scams may persist. Certainly, last mile is an area that has needed bolstering for some time. Can the approach proposed by OpenDNS contribute a missing piece toward making the whole experience more secure? We hope so.
Another interesting side note is the potential ability for encrypted DNS clients to sidestep censorship activities, since they don't use standard unencrypted protocols, and could presumably routed around such whitelist/blacklist/monitoring efforts. This is outside the scope of the current OpenDNS effort, but must be rattling around in the minds of the some folks concerned with greater degrees of privacy.
Right now the OpenDNS client is only available for Mac and Linux/BSD variants, but Windows variations may be forthcoming.
Author Cameron Camp, ESET