Earlier this week the folks over at OpenDNS announced a preview release of their new tool, DNSCrypt. It is touted as a huge step forward for privacy and security across the Internet. The premise is simple: encrypt all DNS traffic between the user and their recursive resolver. It's a nice idea and all, but I think they missed the mark.
According to OpenDNS, the code is the first real-world implementation of the DNSCurve scheme. The stated goals are privacy and authenticity for the entire DNS transaction. Unfortunately, you can't just wrap an existing protocol in crypto and expect to be more secure than you were before; you have to look at the entire ecosystem. Sure, your DNS query will be private, invisible to other users or attackers on the same network. The problem comes a few milliseconds after you get the result. The privacy you gained by encrypting your DNS traffic evaporates when the browser connects to the server it just resolved: the destination IP address is in the clear on every packet, a plain HTTP request carries the hostname in its Host header, and an HTTPS connection normally sends it in the clear in the TLS handshake (server name indication). An attacker in a position to see your DNS traffic is likely to have the same visibility into the rest of your traffic.
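To make that concrete, here is an added example (not code from this post, from OpenDNS or from the DNSCrypt project): a small passive observer in Python that replays constructed packets the way an on-path sniffer would see them. It assumes the DNSCrypt packet to the resolver is simply opaque bytes on an assumed port, and that the browser then opens an HTTPS connection with SNI and a plain HTTP connection. It builds and parses the plaintext DNS query and the TLS ClientHello itself; all packet contents, hostnames and ports are constructed for the example.

```python
"""What an on-path observer still learns when only DNS is encrypted.

Every packet here is constructed inline (no real capture). The observer sees
(protocol, destination port, payload) per packet, like a sniffer would.
"""
import re
import struct


def build_dns_query(qname):
    """Construct a plaintext DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_dns_qname(payload):
    """Read the QNAME of the first question from a DNS message (no compression)."""
    pos, labels = 12, []
    while pos < len(payload) and payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or None


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (RFC 6066)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension_type = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if not present."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                                  # skip version and random
        pos += 1 + body[pos]                                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + body[pos]                                          # compression_methods
        if pos + 2 > len(body):
            return None                                               # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        pass                                                          # truncated or malformed record
    return None


HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_http_host(payload):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    m = HOST_RE.search(payload)
    return m.group(1).decode("ascii", "replace").strip() if m else None


# Where an observer can read a hostname: plaintext DNS, TLS SNI, HTTP Host header.
EXTRACTORS = {("udp", 53): ("dns", parse_dns_qname),
              ("tcp", 443): ("sni", extract_sni),
              ("tcp", 80): ("host", extract_http_host)}


def observe(packets):
    """Replay packets as an on-path observer; return the hostnames learned per source.

    Packets to any other (protocol, port), including the encrypted resolver hop, are opaque.
    """
    learned = {"dns": set(), "sni": set(), "host": set()}
    for proto, dst_port, payload in packets:
        source, extract = EXTRACTORS.get((proto, dst_port), (None, None))
        name = extract(payload) if extract else None
        if name:
            learned[source].add(name)
    return learned


# Constructed session 1: plaintext DNS lookup, then the browser connects.
PLAIN_DNS_SESSION = [
    ("udp", 53, build_dns_query("www.example.com")),
    ("tcp", 443, build_client_hello("www.example.com")),
]
# Constructed session 2: the resolver hop is DNSCrypt (assumed here to be opaque bytes on
# 443/udp); the browser's own connections are exactly the same as before.
DNSCRYPT_SESSION = [
    ("udp", 443, bytes(range(0x40, 0x60))),                            # stand-in for an encrypted query
    ("tcp", 443, build_client_hello("www.example.com")),
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: blog.example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for label, session in (("plaintext DNS", PLAIN_DNS_SESSION), ("DNSCrypt", DNSCRYPT_SESSION)):
        print(label, observe(session))
```

Run stand-alone, the first session yields the hostname from the DNS query and again from SNI; the second yields nothing from DNS, yet the observer recovers the same www.example.com from the ClientHello and blog.example.org from the Host header. The resolver hop changed; what the observer learns about where you went did not.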
If you are more concerned with the authenticity of the data than with privacy, there are better ways to get that as well. DNSSEC is ready to answer your call. A major advantage of DNSSEC is that, for TLDs whose zones are signed, it can authenticate the result all the way up to the root (this list indicates which TLDs are signed). Keep in mind that validation normally happens at the recursive resolver; unless the client validates the signatures itself, the reply that crosses the last hop to your machine is trusted on the resolver's say-so. That is precisely the hop DNSCrypt covers, so the two address different parts of the path, and according to the DNSCrypt FAQ at OpenDNS, DNSSEC and DNSCrypt function perfectly in concert: "They aren't conflicting in any way."
DNSCrypt also has the interesting side-effect of driving more traffic to the OpenDNS infrastructure. They have open-sourced the client code, but at the moment they run the only server implementation. If you are concerned that your ISP is sniffing your DNS traffic, are you any less concerned that OpenDNS can see exactly the same thing? Encrypting the hop hides the query from people in the middle of it, not from the party at the other end.
Unfortunately, just wrapping existing protocols in encryption is not always the answer. In this case I would agree that the DNS conversation itself becomes more secure. However, that additional privacy applies only to DNS; every other protocol is just as exposed as it was before.
If you want to ensure that the DNS replies you receive have not been tampered with, look to DNSSEC. If you are concerned that someone in the path is sniffing your packets and could tie Internet activity to you, consider using Tor, a VPN, or a proxy service.