
OpenDNS Releases DNS Encryption Tool

timothy posted more than 2 years ago | from the do-nothing-secret dept.

Encryption 94

wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."


Somebody is listening to DJB (0, Redundant)

Anonymous Coward | more than 2 years ago | (#38302692)

about time somebody implements some of the design and ideas in dnscurve - http://dnscurve.org/out-implement.html

What? No encrypted IPs? (1)

VortexCortex (1117377) | more than 2 years ago | (#38302720)

I mean... reverse domain name lookups exist. I guess you'll still need to use an encrypted proxy like TOR?
(Wait, doesn't TOR encrypt your DNS requests?)

Re:What? No encrypted IPs? (1)

sgt scrub (869860) | more than 2 years ago | (#38302982)

Wait, doesn't TOR encrypt your DNS requests?

No.

I mean... reverse domain name lookups exist.

Assuming the admin wasn't too lazy to set it up. :)

Re:What? No encrypted IPs? (3, Informative)

GameboyRMH (1153867) | more than 2 years ago | (#38303534)

Wait, doesn't TOR encrypt your DNS requests?

No.

Actually your DNS requests can be encrypted and tunneled through TOR (just point your DNS requests at the SOCKS5 server). However they'll be decrypted at the exit node just like plaintext HTTP traffic.

Re:What? No encrypted IPs? (1)

caluml (551744) | more than 2 years ago | (#38310024)

Assuming the admin wasn't too lazy to set it up. :)

Assuming that the DNS for the IP address range is delegated to the admin first of all.

It's all very well setting up rDNS, but sometimes, the bureaucratic nightmare to get the range pointed at your DNS server is just not worth it.

Not Odd (5, Insightful)

janeuner (815461) | more than 2 years ago | (#38302724)

Because the danger isn't poisoning the cache of an end user. The trouble comes when a site's DNS cache is poisoned, affecting hundreds or thousands of users.

Most of these DNS caches are run on a UNIX derivative.

Re:Not Odd - Well actually ... (3, Informative)

Anonymous Coward | more than 2 years ago | (#38302908)

The solution is for the 'last mile', ie. the connection between the end user and the ISP. As such, the encryption software will have to run on the user's machine.

Re:Not Odd - Well actually ... (4, Interesting)

Sloppy (14984) | more than 2 years ago | (#38304344)

They might be thinking that the "user's machine" could be something like a DSL router, which may already be servicing users' DNS requests with dnsmasq or something like that. There are all sorts of opportunities to improve the functionality of these spots, without really needing to impact the software and protocols run by the actual endpoints. It's not so much the "last mile" that is most vulnerable, but rather, the "last mile except for the last 30 feet." If your LAN itself is compromised, then the intruder is already in the house and you are totally screwed no matter what you do. ;-)

Re:Not Odd - Well actually ... (1)

datapharmer (1099455) | more than 2 years ago | (#38363112)

nah, if that were the case the government wouldn't be able to function. Agencies like the NSA work under the assumption that they have already been compromised. There is plenty that can be done to ensure integrity of a network's components even when the network itself has been compromised. That said, it is preferable to avoid such a scenario.

Re:Not Odd - Well actually ... (1)

Machtyn (759119) | more than 2 years ago | (#38308630)

Could it be the user's router? That is, I'm running dd-wrt (Open-wrt, Tomato, or etc.). Could this tool be installed in the router firmware to provide the last mile protection? Then it is up to the user to provide the last 100 meters by ensuring their networks point to their router for DNS resolution.

Umm, yeah. What Sloppy said up there ^^

Re:Not Odd - Well actually ... (1)

EdIII (1114411) | more than 2 years ago | (#38310224)

That's the problem.

Most Netgear routers that ship, by default, employ a DNS proxy. Any user machine that uses DHCP will be told the DNS server is 192.168.1.1 and use whatever DNS is defined in the WAN configuration.

Deploying a standard-less DNS encryption is only going to happen in one of two places. The user's machine or a DNS proxy being run on a server.

Routers are out of the question, even high end ones, for the time being without a standard. Even then, it will be a long long long time before firmware updates are pushed out to address most home routers. Considering Linksys's super-laid-back-who-gives-a-shit-approach to firmware development (it takes years for features) that leaves only Tomato or DD-WRT to pick it up. You will see TCP/IP v6 before you see a deployed standard for DNS encryption on home routers.

So, the vast majority of OpenDNS users have defaulted routers and Windows OS, and no home servers in sight. How is this supposed to work? Apple does not represent everybody at the moment by far.

Furthermore..... what about corporate use of OpenDNS? I like using it in corporate settings. Normally, I find it more reliable than the ISP. Unless they release an intercepting, or transparent, DNS proxy service that can run on Linux/Windows Server it will be useless.

Corporate machines depend on the local DNS server to resolve everything from printer addresses to which domain controller to authenticate to. It is essential to any Windows network (read domain controller) setup. Installing this on a corporate machine would just fuck everything up in a hurry unless their software is smart enough to forward queries to the machine defined DNS server.

This is a non-starter. Come back when you have a Windows app designed for home users first. Then after you see how well that works, release a corporate level product like a transparent DNS proxy that we can install on our servers.

What is the whole point? OpenDNS is not vulnerable to DNS poisoning? So instead of the local ISP, or government monitoring and altering my traffic OpenDNS gets to do it? They already do it to me anyways and they would just roll over for the government no different than any other major company.

So what am I getting out of this? Making sure that OpenDNS has its profits protected and that I completely rely on OpenDNS for secured DNS queries? That's all it sounds like.

When I am paranoid about my DNS queries I can just route them through TOR on a special throwaway machine. Then it is logged coming from the exit node's IP address.

Re:Not Odd (1)

Smallpond (221300) | more than 2 years ago | (#38303536)

Because the danger isn't poisoning the cache of an end user. The trouble comes when a site's DNS cache is poisoned, affecting hundreds or thousands of users.

Most of these DNS caches are run on a UNIX derivative.

The problem with Windows clients is that they all believe they should be allowed to update DNS.

Will be secured by a Dutch CA (-1)

Anonymous Coward | more than 2 years ago | (#38302740)

Because THAT, just makes sense!

Re:Will be secured by a Dutch CA (-1)

Anonymous Coward | more than 2 years ago | (#38302980)

Kill yourself.

Not odd that there's no Windows client (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38302784)

Windows users don't give a shit about security, that's why they're running Windows.

YAY GAMES DURR

Re:Not odd that there's no Windows client (2, Insightful)

Dexter Herbivore (1322345) | more than 2 years ago | (#38302984)

Yes, because a desire to play games and security are mutually exclusive. /end sarcasm

Re:Not odd that there's no Windows client (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38303068)

Windows users don't give a shit about security, that's why they're running Windows.

YAY GAMES DURR

Linux users don't give a shit about getting work done, that's why they're running Linux.

YAY SPENDING FIFTY HOURS TWEAKING MY WINDOWING ENVIRONMENT DURR

Oh, what, that's flamebait, but apparently your comment is "Interesting"? Grow the fuck up. Windows is a hell of a lot more secure than it used to be, Linux and BSD have had their share of vulns as well, and the big threat stopped being the OS a long time ago, it's now shit like Adobe Reader. Oh, wait, this is Slashdot... I should be expecting a BSOD joke, followed by a Clippy joke, followed by a Microsoft Bob joke, because those are all about as topical...

Re:Not odd that there's no Windows client (1)

Dishevel (1105119) | more than 2 years ago | (#38303454)

Wait.
Are you saying that you do not think that Clippy and Bob are funny?

Re:Not odd that there's no Windows client (1)

Nethemas the Great (909900) | more than 2 years ago | (#38304152)

Well to be fair a couple weeks ago one of my Windows machines did flash a BSOD before auto-rebooting.

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38304920)

Yes, and a week before that my Linux machine kernel panic'd and just froze there forever.

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38305030)

Already exchanging error messages. You will get along fine :-)

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38305314)

crap motherboard or memory will do that under any load. spend a little money and get a real machine, tight ass

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38305606)

same to be said about the windows crashing comment

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38309744)

GNU/Linux users don't use Adobe Reader. They use Evince or something similar. The same is true of .doc files. About the only thing that is potentially a real threat that the majority of GNU/Linux users use is adobe flash. That isn't so much out of choice though. It is a necessity of communicating. There are efforts to solve this though. Trisquel for instance uses an alternative flash application.

Re: making an observation, "it's shit" (not flame) (0)

Anonymous Coward | more than 2 years ago | (#38313866)

I don't reduce myself to any such comparisons anymore, I just say I think Windows is shit - just hate using it, it's horrible to work with and I think anyone who switches to a less shit system is doing themselves a favour, but there are many circumstances that require it for legacy and support issues... why do I say that?

In my experience any comparison debates among Windows zealots quickly become unobjective and emotional, so why award them any kind of reasonable response, showing the approach of a numerologist (i.e. someone who has made their mind up before properly analysing the differences)? I find those who use a Linux, BSD, Minix, Solaris, OS X etcetera are on the whole more objective in comparisons and don't feel so offended when someone points out a flaw or disadvantage in their OS of choice. I don't know why, just making an observation. So you have two choices: you can either take this as flame bait and be offended, thus becoming a statistic in my observations, or you can not make an emotional response and STFU

Re: making an observation, "it's shit" (not flame) (0)

Anonymous Coward | more than 2 years ago | (#38314046)

I don't reduce myself to any such comparisons anymore, I just say I think Windows is shit - just hate using it, it's horrible to work with and I think anyone who switches to a less shit system is doing themselves a favour, but there are many circumstances that require it for legacy and support issues... why do I say that?

In my experience any comparison debates among Windows zealots quickly become unobjective and emotional, so why award them any kind of reasonable response, showing the approach of a numerologist (i.e. someone who has made their mind up before properly analysing the differences)? I find those who use a Linux, BSD, Minix, Solaris, OS X etcetera are on the whole more objective in comparisons and don't feel so offended when someone points out a flaw or disadvantage in their OS of choice. I don't know why, just making an observation. So you have two choices: you can either take this as flame bait and be offended, thus becoming a statistic in my observations, or you can not make an emotional response and STFU

HAHAHAHA.... oh god. you realize that I have Linux machines at home? Plural? And you're accusing me of making an 'emotional response' defending Windows... who are apparently the only group who do that... (I notice you slipped OS X in there, troll boy)

Sweet Jesus, but that irony is fucking hilarious to me. My point was your choice of desktop is almost irrelevant in terms of 'security'. 'Attack probability' is a completely different metric, one which the most popular OS is pretty much bound to lose....

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38322358)

Think about that when Microsoft removes an application and its data from your Windows 8 machine, as they said they can and will do.
I bet you get that Linux ISO as fast as you can.

You can wait for the next big business runaround if you want. Me, I am not at work; at home I have a say, and that say says Windows in the home environment is not worth one cent.

Windows free for years and years.
https://linuxcounter.net/user/230807.html

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38305806)

Linux users don't give a shit about a desktop, that's why they're running Linux

YAY HEADLESS SERVERS DURR

Re:Not odd that there's no Windows client (1)

EdIII (1114411) | more than 2 years ago | (#38310286)

Linux users don't give a shit about a desktop, that's why they're running Linux

YAY HEADLESS SERVERS DURR

You know..... I have to laugh.

Linux users apparently don't give a shit about a nice desktop and user friendliness. I say that..... because... it is neither good looking, highly functional, nor user friendly.

I just plain *enjoy* a Windows 7 desktop experience more than any Linux GUI. Just the truth. I even enjoy Mac OS X more than Windows as far as visual aesthetics are concerned.

The funny part is the headless servers. I run a *ton* of headless CentOS servers. I can honestly say that for what needs to be done on them I am not missing the desktop at all. Give me a terminal and I am good to go.

So you are actually correct. As a Linux user I don't give two shits about the desktop. It's about other things.....

Re:Not odd that there's no Windows client (0)

Anonymous Coward | more than 2 years ago | (#38313234)

maybe you just suck at choosing themes, because my linux desktop looks fucking sexy as all fuck!

choose theme, click. INSTANT SEHKS!!!!!!1111oneoneonepony~~!!!111.

Encrypt the phonebook (0, Interesting)

Anonymous Coward | more than 2 years ago | (#38302840)

What's the point? Traffic analysis can easily reveal what you're looking up. DNS is a distributed database, remember? If you're looking everything up through an external recursive resolver and encrypt your communication with that resolver, then the operator of that resolver can still see everything. You could also just use existing VPN technology and achieve the same things.

Also, OpenDNS is not open and should be shunned for choosing that misleading name.

Re:Encrypt the phonebook (1, Insightful)

Anonymous Coward | more than 2 years ago | (#38303056)

For me the important point isn't to hide addresses that are being looked up, but to determine the credibility and integrity of the response I receive. Encryption is about more than just hiding data.

Regarding the name, I'm not sure what you're complaining about. Where is it written that any entity that prefixes their name with "Open" needs to be an open source project? They are free to use. If you want to pick on a misleading name, try NetZero...

Re:Encrypt the phonebook (1)

JustSomeProgrammer (1881750) | more than 2 years ago | (#38303240)

NetZero launched as a free to use service that derived revenue from ads. Now when they dropped that, they definitely should have changed the misleading name.

Re:Encrypt the phonebook (0)

Anonymous Coward | more than 2 years ago | (#38303752)

Authentication isn't the same as encryption and can be achieved separately (DNSSEC).

Giving the name OpenSomething to something that isn't open is misleading marketing and betrays people, causing them to distrust projects that are actually open. OpenDNS is no more open than any other for-profit DNS operator and they use their name to generate trust that they don't deserve, especially considering their DNS manipulation practice.

Re:Encrypt the phonebook (0)

Anonymous Coward | more than 2 years ago | (#38305038)

I assume the term 'open' is used to describe their service - they offer open DNS servers - as in: free to use by anyone ('access is open'). I'm not seeing how that is not open, or improper or misleading use of the word.

There's also a lot of projects that do not have 'open' in their name, yet are famous examples of open source projects.

It's ignorant to think that just because it has 'open' in the name, it must be open source. Maybe 'openoffice' was to blame for that, as an example where people actually realized something competitive existed that was 'open source'. Those very same people being ignorant of the idea that for a lot of software OS alternatives exist.

It's also ignorant to think that 'open source' means the same in any situation. Actually, the term means nothing in itself. There are dozens of different licenses around, with all consequences. I could even craft a closed source application, then write my own source license, and give the source code under said license to my customers. Would that be open source? Not in the general meaning, but strictly spoken it would. Just not under an OSI-approved license. As an example: a well known Redmond based firm distributes source code of its main product to certain parties, yet in general we do not call it 'open source', yet a lawyer might just do, because the words 'open source' have no legal meaning at all, in themselves. A license has.

Really.. When it comes to open source awareness - there's a lot more to it than just the word 'open'. If a random user would understand the difference between GPL and BSD - I'd be a happy nerd. Until that day I have no illusions about average awareness, nor do I worry about the word 'open' leading to confusion.

MOD parent informative (0)

Anonymous Coward | more than 2 years ago | (#38306162)

It is very true that the name OpenDNS is misleading. Why do so many people put more trust in OpenDNS than in Google DNS? OpenDNS that has a history of manipulating DNS responses to hijack websearches and proxy those searches through their own servers. OTOH there has never been a single case of Google DNS doing likewise.

Re:MOD parent informative (1)

Em Adespoton (792954) | more than 2 years ago | (#38309418)

Indeed... I switched to GoogleDNS from OpenDNS a while after it came out. I figure Google already knows everything about me they're likely to find out from DNS data.

Re:Encrypt the phonebook (1)

kasperd (592156) | more than 2 years ago | (#38306268)

For me the important point isn't to hide addresses that are being looked up, but to determine the credibility and integrity of the response I receive. Encryption is about more than just hiding data.

Hiding the domain name may help protecting against censorship. There are places where DNS requests are censored. Even if the packets are integrity protected, it doesn't stop an ISP from just dropping every lookup or response for domain names they want to censor.

Re:Encrypt the phonebook (1)

Anonymous Coward | more than 2 years ago | (#38303214)

I don't have any problem with their name. While they may not be an open source project, their goal is to provide an unbiased (I'd call that "open") DNS server, that anyone can use without registering or paying (also pretty "open" of them), with the intent of keeping the internet open for anyone (that one is self-explanatory). Doesn't sound like a misleading name at all to me.

Re:Encrypt the phonebook (2)

Dishevel (1105119) | more than 2 years ago | (#38303482)

Not all uses of the word "Open" need to abide by your one definition of the word.

Re:Encrypt the phonebook (1)

Anonymous Coward | more than 2 years ago | (#38304114)

Not all uses of the word "Open" need to abide by your one definition of the word.

Yes they do. Just like how "pirate", "steal", and "take" each have exactly one definition that can never ever ever never ever ever ever be changed ever, and that definition is whatever is most convenient for my illegal movie downloading rationalization.

(now, watch as someone deliberately misinterprets that as "downloading illegal movies" just to distract from my point)

Challenge accepted. (0)

Anonymous Coward | more than 2 years ago | (#38304872)

I, for one, have never downloaded an illegal movie.

The people who produce such awful things (e.g. child porn flicks) should be ashamed of themselves.

(how's that?)

Re:Encrypt the phonebook (1)

Lennie (16154) | more than 2 years ago | (#38308378)

OpenDNS is called OpenDNS because they provide an open recursor service.

Maybe I'm dense (1)

AvitarX (172628) | more than 2 years ago | (#38302868)

But isn't SSL protocol independent? Wouldn't it make more sense just to do DNS with SSL?

SSL is heavy (0)

tepples (727027) | more than 2 years ago | (#38302896)

SSL is also a much heavier protocol than DNS, as I understand it.

Re:SSL is heavy (4, Informative)

KXeron (2391788) | more than 2 years ago | (#38303092)

This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection that is because the SSL handshake is done every so often (at the beginning of each resource download). However implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.

This doesn't even account for the DNS resolver's resource usage, given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable and having persistent connections hanging open for an ISP-load of users would not be an option either as the servers' open file descriptors would get exhausted.

Re:SSL is heavy (1)

Em Adespoton (792954) | more than 2 years ago | (#38309448)

How many unique DNS requests leave your network in a 1 hour period? My guess is: fewer than 60, unless you're a search engine or security firm. Even running torrents with DNS resolution won't go much beyond this. How many SSL handshakes are performed in that period? I'd guess hundreds.

Think about it this way: web browsers these days tend to proactively resolve domains. Since most network activity uses a web browser or a fixed domain (email, etc.), the usage should be minimal (except for p2p, where it'll still be reasonable).

Re:SSL is heavy (1)

akanouras (1431981) | more than 2 years ago | (#38310874)

This is correct, SSL induces significant overhead both bandwidth and CPU-wise. While most CPUs can handle an SSL website connection that is because the SSL handshake is done every so often (at the beginning of each resource download). However implementing it in a "fast acting" protocol like DNS is guaranteed to slow the protocol down, ergo clients will have to wait non-trivial time before they even connect to the resource in question.

SSL's overhead is in the handshake: in this scenario, the client would only handshake once, on its first DNS request to its upstream resolver.
Your other concerns could be taken care of by DTLS [wikipedia.org] .

This doesn't even account for the DNS resolver's resource usage, given an average resolver's query load, the additional stress needed to do SSL for each query would be operationally unacceptable and having persistant connections hanging open for an ISP-load of users would not be an option either as the servers' open file descriptors would get exhausted.

First of all, under no circumstances do you throw AOL's user base at a single server, no matter the service.
Apart from that, Linux can handle millions of open file descriptors (up to 1million/process by default) nowadays, the bottleneck is elsewhere.
In any case though, DNS is mostly stateless and uses UDP by default, why would your protocol be any different?

Re:SSL is heavy (3, Informative)

Zironic (1112127) | more than 2 years ago | (#38303206)

Everything is a heavier protocol than DNS. By default DNS queries are plain UDP packets; that way you do not have any handshaking overhead.

Re:SSL is heavy (0)

Anonymous Coward | more than 2 years ago | (#38313644)

Incorrect, DNS is both UDP and TCP. If you ever run your own mail server, you will find this out very quickly. Large SPF or DKIM records are too big to fit in a UDP packet (add in DNSSEC and it's even more likely) and you get pushed over to TCP.
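The UDP/TCP behaviour discussed in this subthread, shown as an added example that is not from the article, OpenDNS or DNSCrypt: it builds a DNS query in wire format, parses the reply header, and falls back to the two-byte-length-prefixed TCP framing when the resolver sets the TC (truncated) bit. Every packet is constructed inline (the addresses 93.184.216.34 and 10.0.0.1 are sample data), so nothing leaves the machine. The transaction-ID check at the end is, together with source-port randomisation, all that plain DNS has against a spoofed reply on the last mile, which is the gap the tool in the article is aimed at.

```python
"""DNS wire format: build a query, read a reply header, honour the TC bit."""
import struct


def encode_name(name: str) -> bytes:
    """'example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                     # the pointer is 2 bytes wide
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:                            # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Recursive query (RD set): 12-byte header plus one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, addresses: list[str], truncated: bool = False) -> bytes:
    """Echo the question, append A records, optionally set TC (sample resolver behaviour)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)    # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        # 0xC00C points at offset 12, where the question's owner name sits
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + query[12:] + answers


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_a_records(msg: bytes) -> list[str]:
    """Skip the question section and collect the IPv4 addresses in the answers."""
    hdr, offset, addrs = parse_header(msg), 12, []
    for _ in range(hdr["qdcount"]):
        _, offset = decode_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    for _ in range(hdr["ancount"]):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    length = struct.unpack("!H", stream[:2])[0]
    return stream[2:2 + length]


def resolve_offline(query: bytes, udp_reply: bytes, tcp_reply: bytes) -> tuple[str, list[str]]:
    """Stub-resolver logic on captured bytes: reject a reply whose ID does not match,
    use the UDP reply unless TC is set, otherwise take the TCP-framed reply."""
    hdr = parse_header(udp_reply)
    if hdr["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for this query")
    if hdr["tc"]:
        return "tcp", parse_a_records(tcp_unframe(tcp_reply))
    return "udp", parse_a_records(udp_reply)


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    big = tcp_frame(build_response(q, ["93.184.216.34", "10.0.0.1"]))
    print(resolve_offline(q, build_response(q, ["93.184.216.34"]), b""))
    print(resolve_offline(q, build_response(q, [], truncated=True), big))
```

The ID check is deliberately the only authentication step: a 16-bit ID is exactly what an on-path attacker on an open Wi-Fi network can read off the wire, which is why none of this protects the last mile by itself.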

Re:Maybe I'm dense (2)

fearlezz (594718) | more than 2 years ago | (#38302904)

One word: Diginotar.

Re:Maybe I'm dense (1)

Smallpond (221300) | more than 2 years ago | (#38303626)

SSL requires a connection. DNS is (normally) connectionless.

Re:Maybe I'm dense (1)

CAPSLOCK2000 (27149) | more than 2 years ago | (#38303688)

DNSSEC is probably going to change that anyway.

Re:Maybe I'm dense (1)

Lennie (16154) | more than 2 years ago | (#38308946)

Have you checked? It really isn't that bad. Yes, it happens slightly more frequently.

I wouldn't be surprised if the use of tunnels because of IPv6 has a bigger impact.

Here is a plot for the DNSSEC signing of the root:

https://www.dns-oarc.net/files/blog-2009/plot1.png [dns-oarc.net]
https://www.dns-oarc.net/node/199 [dns-oarc.net]

Most of it is misconfigured servers.

Don't bother writing the client (0)

Anonymous Coward | more than 2 years ago | (#38302876)

Maybe those hippie open source developers will write a client for their weird 'windows' operating system!

Good idea (4, Interesting)

ledow (319597) | more than 2 years ago | (#38302918)

It's a good idea but:

- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special or clever, and requires the co-operation of all your upstream DNS servers.

- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, a "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?

- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.

That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.

But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.

Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I lookup.

Re:Good idea (2)

PerfectionLost (1004287) | more than 2 years ago | (#38303394)

Elliptic Curve encryption is what the NSA uses and pushes. PKE is definitely breakable--it's really a question of when. That is to say, if it has not already been broken by a government or intelligence agency. No one is going to announce that they have cracked factoring large numbers into primes quickly when they do.

Re:Good idea (0)

Anonymous Coward | more than 2 years ago | (#38303616)

- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special of clever, and requires the co-operation of all your upstream DNS servers.

Someone didn't read the article:

That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak -- particularly in the "last mile." The "last mile" is the portion of your Internet connection between your computer and your ISP. DNSCrypt is our way of securing the "last mile" of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol.

Re:Good idea (1)

Em Adespoton (792954) | more than 2 years ago | (#38309496)

To clarify: This is designed to secure your connection between your laptop over wifi to your DNS server -- that server being an OpenDNS server, which just happens to support this already. If you have your laptop hardwired to use an OpenDNS IP for DNS resolution and enter a Starbucks, someone else on the public network can't mess with the results of your queries, as they're already encrypted all the way to the first DNS hop. After that, it's not as much of an issue (assuming you actually TRUST the person hosting the OpenDNS server -- and ANYONE can host an OpenDNS server).

Re:Good idea (0)

Anonymous Coward | more than 2 years ago | (#38360696)

Um, no. OpenDNS is a business, only they can host OpenDNS servers.

Re:Good idea (1)

DarkOx (621550) | more than 2 years ago | (#38303720)

Why couldn't the encryption just be negotiable?

You ask why encryption can't be negotiated and then answered your own question in your very next bullet point. DNS performance is EVERYTHING for a great many network applications. So having some handshake like IKE where the two sides negotiate adds at least three round trips before you can get to the actual query. That alone could add up to 500ms or more for many clients. So for an app that needs to do lots of DNS requests that means beaucoup wall time for end users.

Re:Good idea (1)

ledow (319597) | more than 2 years ago | (#38304614)

First packet, with query, sends a list of the accepted formats.

DNS server replies with answer, encrypted in one of them, and the name of the format it replied in, or an error because it didn't know any suitable ones.

No "round trips" above and beyond a normal DNS request except where the two don't want to talk the same language anyway.

Re:Good idea (1)

Defenestrar (1773808) | more than 2 years ago | (#38303820)

...That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.

Why do you think they're only releasing it to minority markets at the moment? We could take the current stereotypes of the sorts of users who run the systems mentioned and do an analysis of which part of the client each is a good test bed for, but applying heuristics would probably be seen as an invitation for flaming. Other users can fill in the thread if they think it's a worthwhile discussion.

Re:Good idea (1)

makomk (752139) | more than 2 years ago | (#38305788)

It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, an "unknown" in terms of how breakable it is compared to anything else.

It's not just EC, it's also using an elliptic curve that's not one of the widely-used ones and an implementation that probably hasn't received much scrutiny.

Re:Good idea (0)

Anonymous Coward | more than 2 years ago | (#38306698)

Since it only needs to be uncrackable on a timescale of single-digit seconds, almost any encryption system is probably sufficient -- you're just trying to provide strong-enough MACs so that your data can't be changed in-flight, and to prevent passive eavesdropping. There's no need to provide decades-strong protection; if you're worried that someone might dedicate days to cracking your DNS queries to see what hostnames you resolved you should probably not be using the public DNS system in the first place.

Windows Client Not Needed (-1)

Anonymous Coward | more than 2 years ago | (#38302942)

Of course there is no Windows client. If you use Windows, you trust Microsoft to manage your security for you so you do not have to care about it. Why would anyone want to think about security when you can let a mega corporation do it for you? :-P

Only OpenDNS can tamper with your results now! (4, Insightful)

monkeyhybrid (1677192) | more than 2 years ago | (#38302948)

From Wikipedia [wikipedia.org] :-

If a domain cannot be found, the service redirects users to a search page with search results and advertising unless the user has paid for an upgraded service. Users can switch this off via the OpenDNS Control Panel, or specify another page to use for missing domains. This behavior is similar to that of many large ISPs who also redirect failed requests to their own servers containing advertising.

OpenDNS started resolving requests to Google.com. Some of the traffic is handled by OpenDNS typo-correcting service which corrects mistyped addresses and redirects keyword addresses to OpenDNS's search page, while the rest is transparently passed through to the intended recipient.

Also, a user's search request from the address bar of a browser that is configured to use the Google search engine (with a certain parameter configured) may be covertly redirected to a server owned by OpenDNS (which is within the OpenDNS Terms of Service).[24] Users can disable this behavior by logging in to their OpenDNS account and unchecking "OpenDNS proxy" option.

I'm sure they're no worse than other DNS providers and at least they do appear to have options to opt-out of the above behaviour, but if your DNS provider is fooling with your encrypted DNS requests, what's the point?

Re:Only OpenDNS can tamper with your results now! (1)

Mojo66 (1131579) | more than 2 years ago | (#38303498)

There are also some privacy concerns, at least for Europeans. From the Privacy Policy:

When you use OpenDNS services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our service, to provide you with OpenDNS services and for internal business and analysis purposes.

Re:Only OpenDNS can tamper with your results now! (1)

Yaddoshi (997885) | more than 2 years ago | (#38303620)

Bear in mind they offer the service free of charge, and their redirects to their own pages provide OpenDNS with advertising revenue. This is all clearly stated in their TOS. I for one would rather be redirected to an OpenDNS page than to a site offering drive-by trojan infections.

That said, should OpenDNS's advertising ever be compromised and start distributing malware, that would be a pretty big black eye.

Re:Only OpenDNS can tamper with your results now! (0)

Anonymous Coward | more than 2 years ago | (#38307136)

Google offers free DNS too without any tampering.

Re:Only OpenDNS can tamper with your results now! (1)

countertrolling (1585477) | more than 2 years ago | (#38307928)

And they keep VERY good records for anybody who asks.. nicely.. in triplicate..

Re:Only OpenDNS can tamper with your results now! (1)

kasperd (592156) | more than 2 years ago | (#38306436)

I'm sure they're no worse than other DNS providers

They are not the worst. But I'd still say OpenDNS is doing stuff that is worse than what users should put up with. Personally I would have been using Google DNS, if it wasn't because of lack of IPv6 support.

they do appear to have options to opt-out of the above behaviour

First of all something like this should be opt-in, not opt-out. Secondly, the DNS protocol doesn't even allow for users to configure this. The only way it could be made configurable by the end user is by running different DNS servers on different IP addresses, with one IP for each possible configuration. OpenDNS doesn't appear to be doing this, so I guess they are instead using some unreliable method based on an assumption about a 1:1 mapping between users and client IP addresses. That would work if every user had a static IP address and nobody was using NAT.

Using an IP address per possible configuration wouldn't even be much of a problem since they probably have allocated a /24 for an anycast address anyway. That means they have a total of 8 bits for configuration data. Is the configuration more complicated than what could be encoded using 8 checkboxes?

If you have a decent ISP (2)

sgt scrub (869860) | more than 2 years ago | (#38303084)

DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks.

This will be great for people that don't have ISPs actively redirecting DNS traffic to their specific servers so they can sniff it, Warner, Comcast et al.

Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38303104)

DD-WRT / Tomato client? (3, Interesting)

aka_bigred (1366025) | more than 2 years ago | (#38303332)

So anyone know of a client that can be run from a DD-WRT or Tomato router? I'd be up for throwing it on my home router if there's a client that I can just add right into the router.

so what will this achieve for the enduser? (1)

blackest_k (761565) | more than 2 years ago | (#38303378)

I believe this tool hides the DNS query from being logged by the ISP.
However I'm unsure if that helps the end user that much.

If I was to ask for say piratebay.org it will send back the IP address without my ISP knowing I have the piratebay.org IP address from OpenDNS, but then the next step would be to request a page from that IP and wouldn't that be logged or blocked by the ISP?

Can someone with a clue clarify the matter?

Re:so what will this achieve for the enduser? (3, Interesting)

Smallpond (221300) | more than 2 years ago | (#38303802)

The purpose isn't to hide your DNS requests from your ISP, it's to prevent some of the known attacks that spoof a DNS reply. That's easy to do if they are sent in the clear and have no signatures.

phishing (4, Interesting)

Billly Gates (198444) | more than 2 years ago | (#38303400)

OpenDNS does have an appeal. However it is such a high target for malware writers. If you can poison it you get tons of business and eCommerce bank logins who go out of their way to use OpenDNS for security. I am nervous switching to it. Especially after CA keeo getting hacked into.

Re:phishing (0)

Anonymous Coward | more than 2 years ago | (#38304004)

Who the hell is CA keeo ?

Lack of window client doesn't seem too odd to me.. (1)

guttergod (94044) | more than 2 years ago | (#38303606)

There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system.

I would assume they want a public test with less than 30 million users for now. :)

Re:Lack of window client doesn't seem too odd to m (1)

Nethemas the Great (909900) | more than 2 years ago | (#38304226)

While I haven't investigated it, I would suspect that Windows' DNS functionality isn't quite so pluggable as it is for the *nix OSs. It may well just be impractical to implement.

Re:Lack of window client doesn't seem too odd to m (1)

guttergod (94044) | more than 2 years ago | (#38304688)

Sounds plausible enough too. Guess we can safely write off that "odd" remark. :P

Why not in the protocol stack? (0)

Anonymous Coward | more than 2 years ago | (#38304136)

Makes me wonder why encryption is not just an option inside the tcp/ip protocol stack?
Why do everything as an afterthought, at the application level?

Re:Why not in the protocol stack? (0)

Anonymous Coward | more than 2 years ago | (#38304262)

*cough* IPsec [wikipedia.org] *cough*

All your DNS are belong to us (4, Informative)

Animats (122034) | more than 2 years ago | (#38304150)

This is a bad idea, and it's being deceptively promoted. The OpenDNS site says [opendns.com] "DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security." This is willfully misleading.

This isn't a way to make the existing distributed DNS infrastructure more secure. It just establishes an encrypted connection between your machine and one central DNS server farm belonging to OpenDNS. One that makes its money by redirecting nonexistent domains to ad sites.

There have been slimy DNS providers before. Comcast is notorious [dslreports.com] for this. The Wikipedia article on OpenDNS [wikipedia.org] summarizes the privacy issues, conflicts, and problems with OpenDNS. At one point, OpenDNS tried redirecting address bar searches to their own search page [labnol.org], which is apparently permitted by their terms of service.

OpenDNS isn't that bad. They're only a little evil. But they're also unnecessary.

Re:All your DNS are belong to us (1)

psydeshow (154300) | more than 2 years ago | (#38305638)

It's true that this is last-mile security only. It protects against someone impersonating OpenDNS and that's it. It makes their service more secure.

OpenDNS's resolvers could still be fooled by poisoning attacks and you'd be just as screwed. They could argue that they have all kinds of proprietary secret sauce on their resolvers, along with DNSSEC where applicable, to prevent that from happening, but we can leave that aside for now.

The thing is, both ISPs and attackers-who-p0wn-routers have good reason to intercept DNS requests to/from OpenDNS. ISPs want to be able to send you to their own Domain Not Found portal (a la Comcast). Attackers... well, we know what they want. One of the features of OpenDNS is that they intercept and neutralize malware lookups. OpenDNS is basically pissing on a lot of people's parades.

So it makes a lot of sense for them to give customers a secure connection to their service. Properly explained, it's a good idea.

But you're right that it's misleading to sell it the way they do.

Re:All your DNS are belong to us (1)

kasperd (592156) | more than 2 years ago | (#38306598)

They could argue that they have all kinds of proprietary secret sauce on their resolvers, along with DNSSEC where applicable, to prevent that from happening, but we can leave that aside for now.

What they should have done is include DNSSEC in the client and make that client open source such that it can be verified that it does indeed validate the lookups. That way OpenDNS would not be able to mess with the lookups, that protects against manipulation with the results both by OpenDNS and by attackers who can exploit vulnerabilities in the OpenDNS servers.

This of course only helps on domains protected using DNSSEC. Another thing they can do to help protect against cache poisoning is to use IPv6 by default when contacting authoritative servers, and randomize the last 64 bits of the IP address. Port number and ID field in the DNS request only provides 32 bits of entropy. If using IPv6 with 64 random bits in the IP address the entropy can be increased from 32 bits to 96 bits which defeats a lot of poisoning attacks.

That leaves IPv4 only domains without DNSSEC as the most vulnerable. Unfortunately that still accounts for a large number of domains. But it does look like more and more authoritative servers are getting IPv6 support, so I guess IPv6 deployment is ahead of DNSSEC deployment.
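The entropy argument in this post, as an added example that is not from the post: it totals the bits an off-path attacker must guess per forged reply (16 for the ID field, 16 for a randomized source port, 64 for randomized low IPv6 address bits) and turns that into the probability that a burst of forged replies fired before the genuine answer arrives gets one accepted. The configuration labels and the 100,000-guess burst size are constructed for illustration.

```python
"""Blind-spoofing odds for the entropy sources kasperd contrasts.

Added example. The attacker model is the classic off-path cache-poisoning
race: forge as many replies as possible before the real one lands; a forged
reply is accepted only if every randomized field matches.
"""
from fractions import Fraction

# Bits an off-path attacker must guess per forged response.
ENTROPY_SOURCES = {
    "txid": 16,             # DNS ID field
    "src_port": 16,         # randomized UDP source port
    "ipv6_host_bits": 64,   # randomized low 64 bits of the resolver's v6 address
}

def entropy_bits(sources):
    """Total bits that must match for one forged reply to be accepted."""
    return sum(ENTROPY_SOURCES[s] for s in sources)

def success_probability(bits, forged):
    """Probability that at least one of `forged` distinct guesses hits a
    uniformly random `bits`-bit secret: forged / 2^bits, capped at 1.
    Distinct guesses are the attacker's best case."""
    return min(Fraction(forged, 2 ** bits), Fraction(1))

def expected_guesses(bits):
    """Mean number of distinct guesses before the first hit: (2^bits + 1) / 2."""
    return Fraction(2 ** bits + 1, 2)

def compare(forged_per_window):
    """(bits, P(hit)) for the three configurations discussed in the thread."""
    configs = {  # constructed labels
        "txid only (fixed port, IPv4)": ["txid"],
        "txid + random port (IPv4)": ["txid", "src_port"],
        "txid + random port + random IPv6 host bits": ["txid", "src_port", "ipv6_host_bits"],
    }
    return {name: (entropy_bits(s), success_probability(entropy_bits(s), forged_per_window))
            for name, s in configs.items()}

if __name__ == "__main__":
    # Constructed burst size: 100,000 forged replies in one resolution window.
    for name, (bits, p) in compare(100_000).items():
        print(f"{name:45s} {bits:3d} bits  P(hit) = {float(p):.3e}")
```

With 32 bits a 100,000-reply burst still has odds around 2e-5 per query, which is why repeated races against IPv4-only, unsigned zones remain the residual risk the post describes; at 96 bits the same burst is effectively hopeless.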

Re:All your DNS are belong to us (1)

Ash-Fox (726320) | more than 2 years ago | (#38312774)

That way OpenDNS would not be able to mess with the lookups, that protects against manipulation with the results both by OpenDNS and by attackers who can exploit vulnerabilities in the OpenDNS servers.

I guess you've never used OpenDNS, since one of the big advantages of it is that they can act as a middle man and block certain sites, redirect you to others etc. Also, I expect if they did implement that, they'd trust a key of their own for manipulating this anyway, so DNSSEC wouldn't offer the protection from OpenDNS manipulation as you claim.

Animats what about this/these option(s)? (0)

Anonymous Coward | more than 2 years ago | (#38306154)

Options for "DNSBL filtered 'secured'" DNS servers:

A.) Norton DNS (198.153.192.50 and 198.153.194.50/198.153.192.40 and 198.153.194.40/198.153.192.60 and 198.153.194.60) -> http://nortondns.com/ [nortondns.com] & you can even see how it updates every few minutes vs. known malicious sites-servers, here -> http://safeweb.norton.com/buzz [norton.com] as well as get a GOOD read on how/why it works, etc.- et al, here https://dns.norton.com/dnsweb/faq.do [norton.com]

It filters vs. MANY threats online & IS UP TO DATE as is possible I'd imagine (see those links, you'll understand WHY I state that). It's part of WHY I use it as my PRIMARY DNS here...

---

B.) ScrubIT DNS (67.138.54.100 and 207.225.209.66 ) -> http://www.scrubit.com/ [scrubit.com] & here is a good read on how/why it works via its FAQ's as well -> http://www.scrubit.com/index.cfm?page=faq [scrubit.com]

---

& of course

C.) Open DNS (208.67.222.222 or 67.138.54.100) -> https://store.opendns.com/get/home-free [opendns.com]

---

EACH IS FREE, & WORKS vs. threats online of MANY kinds, doubtless via a form of DNSBL they use for filtering those threats out!

(E.G.-> Phishing/Spamming, Malware hosting sites/servers, Maliciously scripted hosts-domains etc./et al & more...)

* Personally speaking - I use ALL 3 of them, "in combination". Yes, I am using that latter term loosely is why I quoted it!

(Mostly as "failovers" for one another, in case my primary can't resolve a host/domain name to an IP address, & w/ Norton DNS as primary, I can "fall back on" the others listed above...)

I do so, in a "layered triumvirate formation" in BOTH my IP stack DNS settings in Windows (OS/software-side), as well as in my LinkSys/CISCO router here (hardware-side)...

APK

P.S.=> DNS has issues though, period - it needs SOME KIND of "Revision" for IPv4 @ least...

See - I don't know if Moxie Marlinspike's DNS solution for SSL protection via a browser addon's the answer either, ala http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DNS%22+and+%22Moxie+Marlinspike%22&btnG=Search&gbv=1&sei=zwPhTs2wOMrL0QGTs-StBw [google.com]

OR

If OpenDNS' tool here is either!

However: They're better than nothing!

(It's that, or use the "secured DNS" (filtered rather via DNSBL) that I use, & the way that I use them in layered/phalanx style defensive formation noted above, if not ALL of them in "layered-security"/"defense-in-depth" style... in combination simultaneously, along with other means (like I use in a custom HOSTS file vs. online threats mostly))!

(Especially if DNS servers are set into "recursive mode", as I am SURE YOU OF ALL PEOPLE REALIZE, that DNS's VERY susceptible to DNS redirection poisoning (over port 53 via UDP/TCP, iirc)...

So - lastly:

Yes, I also know who you are Mr. Nagle, especially via your RFC I complimented you on this past week here no less on -> http://tech.slashdot.org/comments.pl?sid=2556266&cid=38265686 [slashdot.org] )!

Yes - I respect that in fact.

I.E.-> Not everyone, especially on /. here, does something to "help the human condition" via good works as you have.

... apk

Re:All your DNS are belong to us (0)

Anonymous Coward | more than 2 years ago | (#38306414)

The redirect to ad sites and other site redirects can be turned off (which I have) in the control panel. I'm not sure if this is available to their "free" sites but definitely available if you pay for it. They also are very reasonably priced for a home user.

Re:All your DNS are belong to us (0)

Anonymous Coward | more than 2 years ago | (#38309058)

Yes, if you are a free user and have a login, then you can disable it.

MAC ONLY (0)

Anonymous Coward | more than 2 years ago | (#38304446)

= actors, musicians and rich morons get protection, rest of ya get bent

OpenDNS redirects google searches to their servers (0)

Anonymous Coward | more than 2 years ago | (#38308128)

How can you trust a DNS provider that redirects google searches to their own servers? They claim that they are trying to deal with crapware but do you not think that they profit somehow from all of the google searches they redirect to their own servers? That's a pretty sleazy way to run a business.

Don't get too excited yet... (1)

Kamiza Ikioi (893310) | more than 2 years ago | (#38308226)

FTA: "(mac only at the moment)"
