How To Secure DNS with DNSCrypt
Like most network protocols and systems in widespread use today, the Domain Name System (DNS) harbors significant security vulnerabilities. Though DNS provides a deceptively simple service -- translating human-friendly website addresses such as http://www.cnn.com into computer-friendly numerical IP addresses such as http://126.96.36.199 -- the system's integrity is a crucial cornerstone of Internet operations and trustworthiness.
One common attack on the DNS infrastructure is called "DNS spoofing." In this type of attack, also known as "DNS cache poisoning," an attacker tricks a DNS server into returning an incorrect IP address for a target website. For example, an attacker might poison the cached DNS entry for a legitimate bank's website, thereby directing visitors to the attacker's fake look-alike site in order to capture their login or banking details. This type of attack is difficult for users to detect, because the website address displayed in the user's web browser is not altered in any way. A single compromised DNS server at an Internet Service Provider can in this way affect potentially thousands of users.
Although DNS security issues and attacks have been around for years, there have recently been new developments in the area of DNS security solutions. Publicly announced in December 2011, DNSCrypt is a recent example. Here I'll discuss what DNSCrypt is and how to give it a try.
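To make the spoofing problem above concrete, here is an added example (my own toy model, not code from the DNSCrypt project or from this article) of why a plain stub resolver is exposed and what authenticating the resolver's responses buys you. A classic stub accepts whichever response for a pending transaction ID arrives first, so a forged answer that wins the race is cached; a stub that requires each response to carry a valid authentication tag under the resolver's key drops the forgery and keeps the genuine answer. Real DNSCrypt protects the client-to-resolver path with Curve25519 key exchange and XSalsa20-Poly1305 authenticated encryption; this model stands in for that with an HMAC so it runs offline. The hostname, IP addresses, transaction ID and key are constructed sample values, and `ClassicStubCache`, `AuthenticatedStubCache`, `sign_response` and `simulate` are names I made up for the illustration.

```python
"""Toy model of DNS cache poisoning on the client-to-resolver path, and of an
authenticated-response defence in the spirit of DNSCrypt.

Added example, not code from DNSCrypt or from the article.  Real DNSCrypt uses
Curve25519 + XSalsa20-Poly1305; an HMAC-SHA256 tag stands in for that here so
the example runs offline.  All names, addresses and keys are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    answer: str          # IP address returned for qname
    tag: bytes = b""     # authentication tag; classic DNS has none


class ClassicStubCache:
    """Accepts the first response whose txid/qname match a pending query."""

    def __init__(self):
        self.pending = {}  # txid -> qname awaiting an answer
        self.cache = {}    # qname -> cached answer

    def send_query(self, txid, qname):
        self.pending[txid] = qname

    def receive(self, resp):
        # Only check is that txid and name match an outstanding query.
        if self.pending.get(resp.txid) != resp.qname:
            return False
        self.cache[resp.qname] = resp.answer
        del self.pending[resp.txid]    # later (possibly genuine) answer is dropped
        return True


class AuthenticatedStubCache(ClassicStubCache):
    """Same cache, but a response must carry a valid tag under the resolver's key."""

    def __init__(self, resolver_key):
        super().__init__()
        self.key = resolver_key

    def receive(self, resp):
        expected = _tag(self.key, resp.txid, resp.qname, resp.answer)
        if not hmac.compare_digest(expected, resp.tag):
            return False               # forged or tampered response: rejected
        return super().receive(resp)


def _tag(key, txid, qname, answer):
    msg = f"{txid}|{qname}|{answer}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_response(key, txid, qname, answer):
    """What a DNSCrypt-style resolver does: bind the answer to its key."""
    return Response(txid, qname, answer, _tag(key, txid, qname, answer))


GENUINE_IP = "192.0.2.10"                 # constructed: real bank address
FORGED_IP = "203.0.113.66"                # constructed: attacker's look-alike site
RESOLVER_KEY = b"constructed-resolver-key"


def simulate(authenticated):
    """Race a forged response against the genuine one; return what gets cached."""
    txid, qname = 0x1234, "bank.example"
    stub = AuthenticatedStubCache(RESOLVER_KEY) if authenticated else ClassicStubCache()
    stub.send_query(txid, qname)
    # The forger matches txid and name but cannot produce a valid tag.
    forged = Response(txid, qname, FORGED_IP, tag=b"\x00" * 32)
    genuine = sign_response(RESOLVER_KEY, txid, qname, GENUINE_IP)
    stub.receive(forged)                  # forgery arrives first
    stub.receive(genuine)                 # genuine answer arrives second
    return stub.cache.get(qname)


if __name__ == "__main__":
    print("classic stub cached:      ", simulate(authenticated=False))
    print("authenticated stub cached:", simulate(authenticated=True))
```

Running it shows the classic stub caching the forged address and the authenticated stub caching the genuine one. Note what the model does and does not cover: it protects the path between the client and the resolver it trusts, which is the threat DNSCrypt addresses; a resolver whose own upstream cache has already been poisoned would still sign and return the wrong answer, which is the problem DNSSEC validation is meant to catch.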