DNSCrypt does not make sense – a rant
Over at the OpenDNS Blog, there is an announcement of a new service called “DNSCrypt”. It is being advertised as a security enhancement. But that makes no sense at all. Perhaps it works for income enhancement at OpenDNS, but it is not clear that it could enhance security.
There is already a standard for enhancing DNS security, namely DNSSEC. Unfortunately, OpenDNS has been opposed to DNSSEC. And now they are pushing the faux security of their DNSCrypt as an alternative.
Let’s first look briefly at DNSSEC. It uses digital signatures to validate the data. By checking those digital signatures, you can be sure that the results of your DNS lookup are correct. I can understand why OpenDNS does not like DNSSEC, for the OpenDNS business model is to make money by feeding you bogus DNS lookup results.
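To make concrete what checking those signatures buys you, here is an added example that is not part of the post and is not a real DNSSEC implementation: it models the idea with Ed25519 over a simplified text canonical form rather than the RRSIG wire format. The zone owner signs a record set; a validator accepts the genuine answer and rejects one in which a relaying resolver has swapped the address, because the relay does not hold the zone's private key and so cannot produce a signature that matches the altered data. The zone name, addresses and record data are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified stand-in for a DNS resource record set: owner
// name, record type and record data. A real DNSSEC signature covers the
// whole set in canonical (sorted, wire-format) order.
type RRSet struct {
	Name string
	Type string
	Data []string
}

// canonical serialises the RRset into a fixed byte form so the signer and
// the validator sign and verify exactly the same bytes. Real DNSSEC uses a
// binary wire-format canonical form; this text form is a simplification.
func (r RRSet) canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Name) + "\x00" + r.Type + "\x00" + strings.Join(d, "\x00"))
}

// SignRRSet plays the zone owner: it signs the RRset with the zone's
// private key, producing the equivalent of an RRSIG record.
func SignRRSet(priv ed25519.PrivateKey, rr RRSet) []byte {
	return ed25519.Sign(priv, rr.canonical())
}

// ValidateRRSet plays a validating resolver (or a validating stub on the
// client): the answer is accepted only if the signature verifies under
// the zone's public key, whatever path the answer took to get here.
func ValidateRRSet(pub ed25519.PublicKey, rr RRSet, sig []byte) bool {
	return ed25519.Verify(pub, rr.canonical(), sig)
}

// Scenario runs the whole flow: the zone signs its real answer, a relay
// forwards it unchanged, then a relay substitutes a different address.
// It returns (genuineAccepted, substitutedAccepted).
func Scenario() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed zone data; 192.0.2.0/24 is a documentation range.
	genuine := RRSet{Name: "www.example.net.", Type: "A", Data: []string{"192.0.2.10"}}
	sig := SignRRSet(priv, genuine)

	// Unmodified answer relayed by any resolver: the signature still verifies.
	genuineOK := ValidateRRSet(pub, genuine, sig)

	// An intermediary replaces the address but can only forward the original
	// signature, since it does not have the zone's private key.
	substituted := genuine
	substituted.Data = []string{"198.51.100.99"}
	substitutedOK := ValidateRRSet(pub, substituted, sig)

	return genuineOK, substitutedOK
}

func main() {
	g, s := Scenario()
	fmt.Printf("genuine answer accepted:     %v\n", g)
	fmt.Printf("substituted answer accepted: %v\n", s)
}
```

The property shown is end-to-end: the signature is made by the zone owner and checked by the party that consumes the answer, so a resolver in the middle can relay the data but cannot change it without the validator noticing. That is a different guarantee from encrypting the hop between a client and a resolver, which protects the path but says nothing about what the resolver chooses to send.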
Here’s part of what OpenDNS is saying about the benefits of DNSCrypt:
It happens all the time on insecure networks at coffee shops, and even residences. Some ISPs have even been accused of spying on their customers’ activity. What’s worse, the “last mile” is ripe for man-in-the-middle attacks, where an intermediary injects themselves into your traffic path masquerading as your intended destination, but all the while, being able to see and modify your traffic. This leaves little confidence for the Internet user.
That’s laughable. OpenDNS is itself a “man in the middle”. It sits between you and public DNS services, and gets to spy on all of your DNS traffic. Moreover, it makes money from the results of that spying.