Earlier, I wrote up OpenDNS, a free service that provides a faster, more secure way to resolve domain names. Now, OpenDNS is rolling out a new piece of software designed to make your web browsing even more secure: DNSCrypt.
DNSCrypt is an additional service layered on top of OpenDNS that helps protect against vulnerabilities presented by “DNS leaks.” It does so by encrypting DNS traffic to ensure that it can’t be intercepted by a hacker or a man-in-the-middle. This is similar to, but not the same as, HTTPS encryption of web traffic (SSL/TLS).
In a nutshell, OpenDNS improves your web browsing security by giving you greater assurance that the website you are connecting to is the one you intended to connect to. It does so by providing a better DNS server than the one your ISP provides by default. Once your request reaches the OpenDNS servers, you can be reasonably assured that you’re making a legitimate connection to the website you’re trying to reach. But this still leaves one relatively weak link in the chain: the “last mile” or, the portion of your Internet connection between your ISP and your computer. That is, hackers could still snoop or divert your DNS traffic by intercepting it before it reaches your ISP. With DNSCrypt, hackers won’t be able to snoop on your DNS traffic anymore—nor will they be able to trick your computer into thinking that you’re communicating with a legit DNS server.
Checking for DNS Leaks
The risk of someone eavesdropping on or spoofing a DNS in the “last mile” is very low. Basically, for this vulnerability to be present, you’d have to have a “DNS leak” on your connection. That is, even though you’ve set up your computer or router to connect to OpenDNS (or a VPN or alternate DNS server, such as Google DNS), something on your computer is still making requests to the default DNS server (usually your ISP’s).
You can test to see if you have a DNS leak by visiting DNSleaktest.com while connected via OpenDNS. According to the folks at DNSleaktest.com, DNS leaks are most prevalent on Windows clients. However, I’m happy to report that my test for DNS leaks came up dry while connecting with OpenDNS on my Windows 8 computer.
DNSCrypt is available for free as a Preview Release. In fact, the software is open source (you can view the source on GitHub). You can download DNSCrypt here. It is available for both Mac and Windows and is a breeze to install—just launch the installer and follow the on-screen prompts.
After installation, you’ll see a green indicator in your system tray showing you that DNSCrypt is working.
Right-click the icon to open the Control Center for more info and options.
Note that once you install DNSCrypt, you won’t have to alter your DNS settings for your network adapter in order to use OpenDNS anymore. You can simply check Enable OpenDNS and your computer will begin using OpenDNS. This is handy if you haven’t set up your router to use OpenDNS.
The default settings (shown above) are optimized for speed and reliability. For example, if OpenDNS cannot be reached, your computer will fall back to your default DNS server. (Note: if OpenDNS is your default DNS resolver, then this option won’t make much of a difference).
For the highest security, check DNSCrypt Over TCP / 443 (slower) and uncheck Fall back to insecure DNS. The settings shown below are safer when using public Wi-Fi.
Most home users won’t need DNSCrypt to keep them safe. The exploitation of DNS leaks is rare, and most connections do not exhibit this vulnerability (Macs, for example, aren’t known to have DNS leaks). However, if a private, secure connection is of utmost importance to you—whether for personal or business reasons—DNSCrypt is a free and painless way to add one more layer of security to your PC’s connection,
Did you know about DNS leaks? Will you use DNSCrypt? Let us know in the comments.