OpenDNS has a new tool, DNSCrypt. Currently in beta, it is designed to help protect users on public Wi-Fi hotspots. DNSCrypt is a utility that encrypts DNS traffic between a user’s Mac and OpenDNS’s servers. A Windows version of the tool will be released in the near future.
OpenDNS is an alternative Domain Name Service (DNS) resolution provider. They act in place of an Internet Service Provider (ISP) which normally provides the service. DNS is essentially the same as the phone book for your Internet connection, it converts domain names into the IP addresses that connect web browsers to web servers. In addition, OpenDNS offers competitive advantage by adding transparent phishing, adult content, and auto-correction features that are platform independent; no software is needed to be installed on a computer for these additional features to function.
If you aren’t already using OpenDNS on your router, you may want to give it a try. Just log into your router’s admin page, and enter 208.67.222.222 and 208.67.220.220 as the DNS providers. If you run into issues, just delete them and fall back to your ISP’s DNS.
DNSCrypt is unique because it acts as an app that runs in the background, rather than deferring to a computer’s own TCP/IP service. OpenDNS uses DNSCrypt to bypass the traditional DNS system for two reasons; one, their proprietary system is faster… and two, it is encrypted.
Public Wi-Fi hotspots suffer from extreme security concerns. Any communication with a web site that does not employ Secure Socket Link (SSL) can be monitored. A public hotspot can also be hacked or impersonated, leading to man-in-the-middle attacks. A very-sophisticated hacker could emulate any DNS provider, be it the ISP’s, Google DNS (a rival to OpenDNS), or OpenDNS’s own DNS service. DNSCrypt makes this very difficult, if not impossible to accomplish.
The DNSCrypt setup on Mac OS X consists of three parts; an Installer, a Menu Bar Item, and a System Preferences panel. The Installer deploys the latter two components, which work in tandem. A Menu Bar Item gives current DNS provider status, while the actual enabling/disabling of DNSCrypt is done inside System Preferences. Ideally, users will be able to leave DNSCrypt on most of the time.
In terms of usage, DNSCrypt worked just as described. Our DNS traffic no longer showed up when we sniffed our own packets, and it was at least as fast and reliable as before with OpenDNS’s standard offering.
We did run into a problem using DNSCrypt with its intended target, public hotspots. To use most public hotspots nowadays, you have to first authenticate yourself. This often consists of viewing a redirected web page, and ticking off a box that says you accept the Acceptable Use Policy for the hotspot (which, of course, none of us read). If you have DNSCrypt enabled, you don’t get that popup, and can’t access the Internet.
This of course, is more of a flaw with the DNS system itself. And, there aren’t any good solutions coming any time soon. If you have your Wi-Fi settings set to use OpenDNS or Google DNS by default already… you’ve run into the same issue already at some point. The only solution is to disable the entire alternative DNS until you can log in properly to the public hotspot, and continue onward from there.
DNSCrypt does offer an option to “fallback to insecure DNS”. Of course, this option has a core vunerabilty; it could be used to target un-savvy users who have had DNSCrypt installed on a large fleet. Say Company A deploys DNSCrypt on every system in their company. Employee A then walks to lunch at a nearby bistro. The bistro’s location, being known to be popular by employees of Company A could be targeted with bogus Wi-Fi hotspots, which then block DNSCrypt, forcing over to an exploitable DNS server.
A better solution would be to employ a service similar to Windows 7, or Apple’s own mobile hotspot detection standards introduced in iOS and OS X Lion. If DNSCrypt cannot connect to OpenDNS’s servers, it should throw an exception, and suggest that the user disable DNSCrypt, and check to see if the public hotspot requires a log in, followed by re-enabling DNSCrypt when possible.
Eventually though, hotspot providers will likely switch to login pages that route to IP addresses, rather than internal (intranet-style) domain names.
Also, as cautioned by DNSCrypt during setup, some hotspot providers may interfere with DNSCrypt. Fortunately, there’s a workaround, which is to pipe DNSCrypt through port 443, which is used for SSL on secure web sites. This unfortunately comes with a bit of a performance hit, so you only want to use it at places affected. OpenDNS notes GoGo and Starbucks as two main suspects, though this may also impact other HP/AT&T-powered hotspots.
Routing over port 443 will also help hide DNSCrypt traffic in one other important situation: using your phone as a modem, in the face of a hostile wireless carrier. DNSCrypt dramatically improved the reliability of our Verizon 4G LTE mobile hotspot service, even though we were paying for the “privilege” to tether on Verizon.
Important note: DNSCrypt is always encrypted, even when not on port 443. Routing over port 443 just gets hotspot vendors to ignore the data and treat it as SSL data.
It’s also worth noting that DNSCrypt is not a cure-all. It is not a magical no-phishing-can-happen-tool for the masses. OpenDNS does not advertise it as such. A malicious hotspot could still resolve IP addresses to a malicious web site, hijacking logins and other data entered. But it does prevent someone from seeing what domains you are manually entering, making it harder to identify an intended web site. For example, many web sites operate on hosting that shares one IP with multiple domain names. For those sites, a hacker would have a much harder time knowing (on any hotspot), where the user intended to go.
DNSCrypt currently supports both OS X Lion, and Mac OS X Snow Leopard. OpenDNS has not yet set a firm release date for the Windows version, and stresses that the app is currently in beta. Also, it does not look like OpenDNS will arrive on the Mac App Store, and from an architectural perspective, Apple will likely never approve of an iOS version.
Fortunately, or unfortunately, DNSCrypt is one of the many examples of a tool that underscores why open platforms are great; and why walled gardens aren’t. We can see this powerful tool being denied entry on most mobile platforms.
In all, we cannot recommend DNSCrypt enough. For one, it makes it easier to get OpenDNS deployed on people’s machines, when they don’t know how to reconfigure their DNS. But, more importantly, it adds a layer of security that nearly all firewalls and anti-phishing tools lack; the ability to protect against a hijacked DNS service. While that may not sound like something that is commonplace today, it is a powerful open security vector that has been hard to protect against.
Encrypted DNS isn’t new, but DNSCrypt makes it possible for the tired, poor, huddled masses to benefit from this importantly layer of security. Considering what may be coming down the pike in terms of phishing, it’s a good tool to get acquainted with, even while in beta.
dnscrypt works on Mac, but also on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, Linux, Windows, and iOS (requires a jailbroken iPhone or iPad).
What is only available for Mac is a GUI to start/stop it and change the DNS settings. But this is not required, just convenient.
Chris, I ran into this problem last week and after hours of trying to debug it finally figured out my issue was with this web page auth that you mention here. I would caution that anyone who is going to use DNScrypt understand that they need to be aware of this. You are making major changes to your Mac, and while it can result in better security, if you forget that you have done this (as I did), you will spend some time trying to figure out why you can’t connect. I took DNScrypt off my system for the time being.
[…] heard of DNScrypt but do so now. And as I searched around the Internet to write this post, I came across this explanation. Too bad I didn’t see this […]
David Strom’s comment (and article on http://www.readwriteweb.com) highlights the real vulnerability with Mac users in general. Ignorance.
[…] sure know about it now. And as I searched around on the Internet to write this post, I came across this explanation. Too bad I didn't see it […]