When you use HTTPS or SSL, your web browsing traffic is encrypted. When you use a VPN, all of your traffic is encrypted (usually). Sometimes, even with HTTPS and VPNs in play, DNS requests — or the way your computer translates "lifehacker.com" into numbers that your computer understands, like "126.96.36.199" are completely unencrypted, leaving you open to spoofing and man-in-the-middle attacks. DNSCrypt can lock that down. Here's how.
Why You Might Want to Encrypt Your DNS
There are a couple of reasons why an everyday user might want to encrypt their DNS. First, if you think you've been secure, and you've still gotten security alerts or warnings from your ISP, or struggled with hacks or phishing attempts, it's possible that your security tools aren't as airtight as they claim to be. For example, many VPN providers promise end-to-end security, but "leak" DNS requests left and right. Second, DNS snooping and poorly configured DNS servers have become popular attack vectors recently (see the Kaminsky Vulnerability) as a way to spy on people (or companies) and collect sensitive data.
"DNS Leaking" happens when your system — even after you've connected to a VPN or anonymity network such as Tor — continues to query your ISP's DNS servers every time you visit a new website, connect to a new server or fire up a new internet-connected application. Ultimately, it means that even though your traffic is encrypted, your ISP — or worse, anyone snooping on the "last mile" of your internet connection (the network between your computer and your ISP) — can clearly see everything you connect to you're going on the internet and every site you visit on the web.
Some hackers will just collect that information, but the worst actually collect it and then use it to conduct man-in-the-middle attacks, where the attacker just sits in between you and your eventual destination and collects data along the way — passwords, cookies, and even enough encrypted data to eventually crack your encryption (if it's weak). In some cases, the attacker will actually pose as the service you're connecting to in order to collect whatever data they can before you figure out something's not right. To read more on DNS leaks, check out this explanation by DNSLeakTest.com. If you'd like to find out if your VPN is leaking DNS requests, you can test it on the same site. DNSLeakTest.com also has some other fixes you can try for a leaky VPN.
To be fair, encrypting your DNS is a level of security that many people may not need to aspire to. However, if you do regularly work with sensitive material, work remotely and need to make sure all of your traffic is secure, or travel to places where you may be snooped on, encrypting your DNS is a good idea. If you need true anonymity or privacy, even from your ISP, you may want to consider it. If you're just surfing the web from the comfort of your home, it may not be an issue for you. Combined with a good, trustworthy VPN and desktop tools to protect your privacy, encrypted DNS can take your security to the next level, especially when you need privacy, anonymity and security.
How DNSCrypt Protects You
DNSCrypt is a side-project from the folks at OpenDNS, which we've mentioned before as a way to protect yourself, speed up your browsing experience, filter content, and even correct mistyped URLs. It's simple software that you can install on your Mac, Windows or Linux system that will make even the leakiest VPN a bit more secure when used in conjunction with OpenDNS for DNS resolution at home.
OpenDNS's approach is that DNS encryption is just as essential a part of using the internet safely as HTTPS is to surfing the web. It explains:
In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centres. We know that claims alone don't work in the security world, however, so we've opened up the source to our DNSCrypt code base and it's available on GitHub.
DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.
By encrypting DNS requests, DNSCrypt make sure that every part of your internet connection is secure, even if it's already secured by a VPN. For more information about the app and the nitty gritty about how it works, check out OpenDNS's DNSCrypt page.
Where to Get DNSCrypt
DNSCrypt is open source, and install packages are available to download directly from OpenDNS. The project is maintained at GItHub, so if you have trouble finding downloads, you can always get them there. Officially, only Mac OS X and Windows are supported, but the development community at DNSCrypt.org has installation instructions for more operating systems, including Linux and BSD-based systems, jailbroken iOS devices and rooted Android devices.
The official Windows and Mac DNSCrypt apps both work similar to VPN services that you can toggle on and off when you want the added security. You can install them as services that run on startup, but we'd suggest you try them this way first before you decide to leave them on all the time, just in case you run into problems or performance issues. Once installed (and you'll have to reboot after installation, since the apps are making network-level changes to your system), using DNSCrypt should be as simple as checking the box that says "Enable DNSCrypt" and "Always use OpenDNS". Doing this will configure your system to use OpenDNS for all DNS requests if it's not already and encrypt those requests.
If you're using OpenDNS on your router and you have all of the computers in your house pointed to your router for DNS, you can still use DNSCrypt. If your router is running recent versions of the DD-WRT or Tomato open firmwares (both of which we've shown you how to install). If your router supports OpenDNS out of the box, DNSCrypt may already be there, buried in the DNS settings. Enable it and you're all set. If it's not there, or your versions of DD-WRT or Tomato are old, this forum thread will help you install it.
It's important to keep in mind that DNS encryption is just another way to secure your internet connection from threats. Most attacks that use DNS as an attack vector have been aimed at organisations or individuals with useful data or creative enemies. Even if that's not you, it's a great way to add an extra layer of security to your computer or home network. It's easy to install, transparent to you, and useful if you're really serious about your security.