Earlier this week the folks over at OpenDNS announced a preview release of their new tool DNSCrypt. This is touted as a huge step forward for privacy and security across the Internet. The premise is simple, encrypt all DNS traffic between the user and their recursive resolver. It’s a nice idea and all, but I think they missed the mark.
According to OpenDNS, the code is actually the first real-world implementation of the DNSCurve scheme. The stated goals are to provide privacy and authenticity to the entire DNS transaction. Unfortunately, you can’t just wrap an existing protocol with crypto and expect to be more secure than you were before. In this case you need to look at the entire ecosystem. Sure your DNS query will be private, invisible to other users or attackers on the same network. The problem comes a few milliseconds after you get the result. The privacy you gained by encrypting your DNS traffic evaporates when the browser makes its request of the server. An attacker in a position to see your DNS traffic is likely to have the same visibility into other forms of traffic.
If you are more concerned with authenticity of the data than privacy, there are better ways to get that as well. DNSSEC is ready to answer your call. A major advantage of DNSSEC is that in the case of some TLDs it can authenticate the result all the way to the root (This list includes an indication of which TLDs are signed). According to the DNSCrypt FAQ at OpenDNS, DNSSEC and DNSCrypt function perfectly in concert: “They aren’t conflicting in any way.”