DNSCrypt does not make sense – a rant

Over at the OpenDNS Blog, there is an announcement of a new service called “DNSCrypt”.  It is being advertised as a security enhancement.  But that makes no sense at all.  Perhaps it works for income enhancement at OpenDNS, but it is not clear that it could enhance security.

There is already a standard for enhancing DNS security, namely DNSSEC.  Unfortunately, OpenDNS has been opposed to DNSSEC.  And now they are pushing the faux security of their DNSCrypt as an alternative.

Let’s first look briefly at DNSSEC.  It uses digital signatures as a way of validating the data.  By checking those digital signatures, you can be sure that the results of your DNS lookup are correct.  I can understand why OpenDNS does not like DNSSEC, for the OpenDNS business model is to make money by feeding you bogus DNS lookup results.

Here’s part of what OpenDNS is saying about the benefits of DNSCrypt:

It happens all the time on insecure networks at coffee shops, and even residences. Some ISPs have even been accused of spying on their customers’ activity. What’s worse, the “last mile” is ripe for man-in-the-middle attacks, where an intermediary injects themselves into your traffic path masquerading as your intended destination, but all the while, being able to see and modify your traffic. This leaves little confidence for the Internet user.

That’s laughable.  OpenDNS is itself a “man in the middle”.  It sits between you and public DNS services, and gets to spy on all of your DNS traffic.  Moreover, it makes money from the results of that spying.

Bah, humbug!


About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.

4 responses to “DNSCrypt does not make sense – a rant”

  1. Ronald Nissley (@25W) says :

    According to OpenDNS, DNSSEC and DNSCrypt are complementary; they don’t conflict. See http://www.opendns.com/technology/dnscrypt/.

    OpenDNS has a reasonable privacy policy in my opinion. http://www.opendns.com/privacy/

    Your man-in-the-middle comment could be made about nearly any DNS provider and/or your Internet service provider. You can either choose to trust someone else somewhere or disconnect altogether and wear a tin foil hat. 😉


    • Neil Rickert says :

      Your man-in-the-middle comment could be made about nearly any DNS provider and/or your Internet service provider.

      Agreed. However, most DNS providers do not claim that they are protecting against man-in-the-middle.


  2. anonymous says :

    You are so wrong. You would probably understand DNSCrypt if you were living in a country using censorship.
    Also, you say that OpenDNS is a Man in the Middle. That is also stupid because any DNS Host is a man in the middle: the solution in your eyes is to host your own DNS server?
    DNSCrypt is surely not the best but prevents attacks like MIM, which are the main attacks at government levels.
    Cheers


    • Neil Rickert says :

      You would probably understand DNSCrypt if you were living in a country using censorship.

      How can you be sure that OpenDNS won’t secretly give access to the state security agencies, much as some USA ISPs have given access to the NSA?

      The solution in your eyes is to host your own DNS server?

      There is DNSSEC (digitally signed DNS data).

