New tool patches security hole in DNS

A new, free tool from OpenDNS promises to make domain name system (DNS) lookups—the conversion of a plain-English domain name into a numeric Internet address—more secure. DNSCrypt prevents third parties from intercepting your DNS requests and rewriting them to point your browser, email client, or other software to malicious or fake sites. That may sound like a tedious bit of Internet plumbing, but it profoundly improves your security.

The software addresses a significant flaw in the way that software clients decide which Internet servers to trust. As I explained recently, a client (like a Web browser) and server create an encrypted connection with one another by relying on third parties, known as certificate authorities (CAs), to assure the client of the server’s identity.

These CAs provide digital documents to a site operator that are bound to a domain name ( or a specific host-domain combination ( A client can validate a server’s documents by checking their digital signatures against a list of trusted CAs. Those lists are built into operating systems (Mac OS X’s can be viewed via Keychain Access) and some browsers (Firefox being the primary example).

Unfortunately, there’s a flaw in the system: One step in the validation process isn’t protected cryptographically. The CAs hand out a certificate with just the text of the server or domain name. They do so to give site operators the flexibility to move servers to different domains or to have multiple IP addresses respond to the same domain name. Software clients that want to make Net connections must request those names in a plain text query that isn’t protected against tampering. That creates a gap that can be exploited by substituting “poisoned” values for legitimate ones in DNS requests. So when your computer says it wants to go to, for which the DNS server should return an IP address of, a poisoned value of could come back instead.

How it works

As you might guess from the name, DNSCrypt encrypts this stage of the DNS client-server negotiation, so it’s impervious to that sort of chicanery. This protects you from spoofing of servers that are protected by SSL as well as servers that aren’t so well protected. If client software is connecting to a normal website, unprotected email server, or other Internet service, DNSCrypt keeps that lookup accurate as well, defeating efforts by so-called evil twins and other hotspot and networking spoofing techniques.

When a software client makes a DNS request, your computer consults a DNS resolver in the operating system, which then passes that query on to one of the DNS servers listed in its TCP/IP settings. (In OS X, they’re found in the Network preference pane for each adapter.) That DNS server in turn passes the request up a chain of higher-level servers (to the .com root, for instance), which then finally hands off to the DNS server that manages information for a given domain. The results are sent back to the resolver. (Whew.) DNSCrypt forces DNS look-ups to go through OpenDNS instead of DNS servers operated by your own or a coffeeshop’s Internet service provider (ISP). (You can set your system to always point to OpenDNS or another service, like Wi-Fi, but otherwise the server addresses are provided when the network router assigns a local address to your computer or device.)

OpenDNS came into being because the DNS servers at so many ISPs were slow and unreliable; it was (and is) a free and more efficient alternative to other DNS servers. But over the last few years those ISPs have improved their operations; in response, OpenDNS added more services to entice users, some free (like anti-phishing filtering), and some paid (like filtering and usage reporting). It automatically fixes common typos, changing .cmo to .com, for example. (Some security experts are critical of the company’s policy of redirecting invalid domain-name entries to a Google search page from which it derives advertising revenue; curiously, Google, which also offers a free alternative DNS service, does not.)

While DNSCrypt works with OpenDNS’s service alone, the company has released the specification and software as open source. That means the system could be adopted elsewhere, turned into plug-ins (like a Firefox add-on), or built directly into client software. (DNSCrypt works with OpenDNS’s free and paid services, and is free to use.)

How to use it

When you install DNSCrypt, it creates a new pane in System Preferences. (The software is currently at version 0.7, but should be stable to use.) There, you check the Enable OpenDNS box, which switches your network’s DNS server to one run by OpenDNS. Next, check Enable DNSCrypt. If you’re on a network that, for some reason (perhaps due a government authority’s actions or a misguided Wi-Fi hotspot firewall) blocks this encrypted connection, you can select the DNSCrypt over TCP/443 option. That can add a short delay to DNS lookups, but they will be disguised as normal secure Web traffic and should work anywhere.

The DNSCrypt preference pane

Once you’ve enabled the software’s encryption option, its status changes to Protected and a green dot shows up in its menubar icon. If you can’t get a secure connection, that’s a good sign that something is rotten in the state of fill-in-the-blank.

DNSCrypt pairs neatly with a Firefox plug-in we wrote about in the above-mentioned September article: Perspectives. Perspectives ties into a certificate notary service that constantly checks the SSL/TLS certificates fed out by servers all over the Internet, and tracks whether they change over time. With DNSCrypt to protect the integrity of domain name lookup and Perspectives warning about suspicious certificates, you should avoid current traps into which you’d otherwise fall.

Closing this security gap will require cooperation among multiple parties, many of them with competing interests. Until that happens, DNSCrypt looks like a good intermediate measure.

[Glenn Fleishman, a senior contributor to Macworld, is the author of Take Control of Your 802.11n AirPort Network (Take Control Books, 2011), and he writes about security and technology for The Economist.]

Product mentioned in this article

(1 items)

  • DNSCrypt Free
    Shop ▾
    Amazon Shop buttons are programmatically attached to all reviews, regardless of products' final review scores. Our parent company, IDG, receives advertisement revenue for shopping activity generated by the links. Because the buttons are attached programmatically, they should not be interpreted as editorial endorsements.

Subscribe to the Apple @ Work Newsletter