X

Free DNSCrypt tool enhances Mac Web security

The OpenDNS organization has released a tool for OS X that encrypts DNS connections, which enhances Internet security on OS X (for now).

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
4 min read

When you connect to a Web site on the Internet, your computer uses the Domain Name System (DNS) to convert URLs like "www.macfixit.com" to the IP address for the server where that Web site resides.

This system is a hierarchical network of computers throughout the world that distributes a database of domains and subdomains, allowing the system to resolve the components of the URL ("com," "macfixit," and "www") to a specific IP address out of millions of publicly available ones. This system is used for Web browsing, but also for numerous other Internet communication services including e-mail, instant messaging, syncing, and application registration technologies.

The DNS system is a major area of security for Web traffic, since compromised data from a DNS server can result in your system either not being able to find the servers it needs, or even worse, being redirected to a rogue server that will try to install malware, or coerce you into giving up personal information among other illegal activities.

While an attacker can try hacking the DNS system from any point, the area of most interest is the business-end of the DNS connection called the "last mile," which is the connection between it and your home computer, since it is this point where your computer receives instructions on which IP address to use for a connection to a specific URL. Attackers can compromise this connection either by hacking the DNS server itself, or by using malware to change the DNS server on your system to a rogue one, as was seen with the DNSChanger malware efforts.

DNSCrypt preferences
The OpenDNS tool "DNSCrypt" will encrypt the connection to your DNS servers; however, it will only do so if you use DNS servers from OpenDNS. Screenshot by Topher Kessler

Some DNS service providers like Google and OpenDNS have provided relatively secure public DNS offerings that claim to increase both the performance of name resolution and offer better security over DNS servers from Internet providers that are not as well-maintained. Additionally, efforts by government officials and anti-malware companies have been putting pressure on malware developers that try to compromise the DNS configuration on your home computer. However, these options only help secure either end of the "last mile," and do not address another security problem in the DNS system, the DNS protocol itself.

The DNS protocol is analogous to the protocols like "HTTP" for Web pages or "FTP" for file transfer between servers, and is a structure of instructions for how DNS servers pass information between themselves and to your computer. While a specific DNS server such as Google's or OpenDNS might be relatively secure, hackers may still be able to take advantage of a computer's connection with them by using a man-in-the-middle attack similar to the Kaminsky vulnerability found in 2008.

According to OpenDNS, the Kaminsky vulnerability, and many others like it, take advantage of the "last mile" communication in the DNS protocol because it is not very secure, and can intercept and change the resolved name being sent to your system, thus allowing an attacker to redirect your computer to a malicious server.

To tackle this problem on other protocols like HTTP or FTP, the computer industry has developed encrypted options (HTTPS and SFTP) that make the connections much more secure and safe from man-in-the-middle attacks that can snoop on and steal information from connection attempts (passwords, servers, machine information, and so on). The DNS protocol does not have an encryption option like this; however, the DNS service company OpenDNS has released a tool for OS X called DNSCrypt that does encrypt the DNS traffic.

DNSCrypt is a small system preferences pane for OS X (currently only available for the Mac OS at the moment) that enables the encryption of the DNS protocol. It offers simple options to enable or disable the encryption on your Mac.

This is a great option to have for securing the Internet; however, it does have a limitation in that it will only work on the DNS servers provided by OpenDNS. These servers are configured to accept the encrypted connection handshake, whereas others like Google's DNS servers or those from your ISP are not. Therefore, if you send an encrypted connection to Google's servers the connection will not work.

As a result of this, when you enable encryption on your Mac, the DNSCrypt tool will switch your system over to using OpenDNS servers; if an error occurs in the connection or if you disable the encryption, then it switches you back to your default DNS servers.

This advancement has great potential for securing the Internet, and while DNSCrypt is only a preview release, hopefully a standard based off of it or technology like it will emerge for the entire DNS system.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.