Wednesday, March 21, 2012

How To Secure DNS with DNSCrypt



This open-source software for Mac and Linux does for DNS what SSL does for HTTP: It encrypts DNS traffic to prevent spoofing, snooping, and man-in-the-middle attacks.


Like most of the network protocols and systems in widespread use today, the Domain Name System (DNS) harbors significant security vulnerabilities. Though DNS provides a deceptively simple service -- translating human-friendly website addresses such as http://www.cnn.com into computer-friendly numerical IP addresses such as http://157.166.255.19 -- the system's integrity is a crucial cornerstone of Internet operations and trustworthiness.

One common attack on the DNS infrastructure is called "DNS spoofing." In this type of attack, also known as "DNS cache poisoning," an attacker tricks a DNS server into returning an incorrect IP address for a target website. For example, an attacker might perform cache poisoning on the DNS entry for a legitimate bank's website, thereby directing visitors to the hacker's fake look-a-like site in order to capture their login or banking details. This type of attack is difficult for users to detect, because the website address displayed in the user's web browser is not altered in any way. A single compromised DNS server at an Internet Service Provider can in this way affect potentially thousands of users.

Although DNS security issues and attacks have been around for years, recently there have been new developments in the area of DNS security solutions. Publically announced in December 2011, DNSCrypt is a recent example. Here I'll discuss what DNSCrypt is and how to give it a try.


What is DNSCrypt
DNSCrypt is an open source DNS encryption client program offered by OpenDNS, a third-party DNS provider, to prevent DNS snooping, spoofing, and other man-in-the-middle attacks. It does this by completely encrypting the DNS traffic to and from a user's computer and the OpenDNS servers. The encryption wraps itself around the DNS traffic much like SSL wraps itself around HTTP traffic, though DNSCrypt is using another form of encryption: a type of elliptic-curve cryptography, called Curve25519.
Keep in mind, DNSCrypt is currently in the Preview Release phase with only support for users on Macs with at least Snow Leopard or Linux users. Windows support is expected by the end of April 2012.


What about DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a separate DNS security solution that authenticates DNS traffic. It modifies DNS to add support for cryptographically signed responses, thereby preventing the tampering of the IP addresses that are returned from the DNS server.

It may seem like DNSCrypt and DNSSEC are competing solutions, but they are actually complimentary and can be used together for comprehensive security. DNSSEC provides protection against DNS spoofing and other man-in-the-middle attacks, and DNSCrypt provides double-protection and prevents any eavesdropping on traffic, even by ISPs.

You could implement DNSSEC on your own DNS servers or use a provider that supports it, such as Comcast in the United States.


Using DNSCrypt on Your Mac
OpenDNS is currently offering a Mac OS X client that works on Snow Leopard or later. So if you're an Apple user, start by downloading the client. Then simply open DNSCrypt and check the Enable OpenDNS and Enable DNSCrypt checkboxes.

DNSCrypt

If you have a firewall, other network filtering solution, or are browsing from public Wi-Fi hotspots, try enabling the DNSCrypt over TCP/443 option to ensure the DNS traffic can reach their servers. And if reliability is a must, enable Fallback to insecure DNS, which makes the client use your original DNS server if it can't contact the DNSCrypt servers.

Keep in mind, the client currently does not retain preferences or state after reboots. So until the official release, you must manually open the client and re-enable after reboots and re-enable any other options as well.


Using DNSCrypt in Linux
OpenDNS released the DNSCrypt client on GitHub, so Linux users can give it a try. But keep in mind, there's no user interface yet and it must be enabled via the Terminal.

To get started, download the package for your Linux distribution: 32-bit or 64-bit DEB package (Debian, Ubuntu, other .deb-based distributions) or 32-bit or 64-bit RPM package (Openwall, CentOS, Fedora, other .rpm-based distributions).

Then install the package using your package manager and open a terminal to run:


sudo /usr/sbin/dnscrypt-proxy –daemonize

Next set your DNS settings to 127.0.0.1, such as via the Network Connections windows. Finally, confirm you're using OpenDNS here .

DNSCrypt won't start automatically at startup but you can, for example, create an init script.


In Summary
Your DNS security has a great deal to do with the DNS provider you use. OpenDNS claims to offer a high level of security, and using the service (even without DNSCrypt) in place of your ISP's DNS or your own server may increase your DNS security.

Using DNSCrypt, however, can completely encrypt your DNS traffic, preventing pretty much all DNS-based attacks and snooping.

If you run your own DNS server within your organization, consider implementing DNSSEC and/or DNSCurve.

No comments:

Post a Comment