OpenDNS Previews DNSCrypt, New Technology Poised to Positively Impact Security and Privacy of Internet Users As SSL Did for Web Traffic, Address the “Elephant in the Room” of DNS Security


DNSCrypt, previewed today by OpenDNS, provides the missing link in securing the DNS traffic of Internet users and prevents spying, spoofing and man-in-the-middle attacks on 100% of last-mile DNS requests.



OpenDNS, the world's largest and fastest-growing provider of Internet security and DNS services that deliver a safer, faster and more intelligent Internet experience to everyone, today unveiled a preview of DNSCrypt, a new technology that dramatically improves both the security and privacy of Internet users, particularly those on unsecured wireless hotspots and residential ISP networks. The technology is being open-sourced by OpenDNS and starting today developers are encouraged to access the code on for review and improvements.

DNS has historically been one of the many insecure parts of the Internet’s critical infrastructure – even considering decade-plus attempts to improve it with technologies like DNSSEC. Despite DNSSEC, and the global improvements resulting from Dan Kaminsky’s discovery of a critical flaw in the DNS, there remains an inherent insecurity in the DNS protocol itself: it is transported in plaintext, unencrypted and in the open. This insecure connection between the end user and their DNS resolver, which might be described as the “last mile,” is ripe for abuse, and has been abused in the past. The insecure nature of that “last mile” connection enables an array of attacks and privacy violations. In truth, Internet users have very little privacy when accessing the Internet on unsecured wireless networks and, as a result, are left highly vulnerable.

DNSCrypt is significant because it encrypts all DNS traffic between Internet users and OpenDNS, the world’s largest DNS service, today chosen by more than 30 million people or roughly 2 percent of the world’s Internet users. This technological advancement thwarts efforts by attackers, or even Internet Service Providers (ISPs), to spy on DNS activity, or worse, to maliciously redirect DNS traffic.

In the same way that SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between Internet users and OpenDNS servers in the OpenDNS data centers.

DNSCrypt protects Internet users and prevents three primary threats and privacy violations:

Spying: Attackers, ISPs and governments regularly use DNS to spy on Internet users’ online activity. OpenDNS security experts see this principal privacy violation occur frequently around the world, including in the United States. DNSCrypt prevents this spying, and attempts to thwart known DNS replay, observation, and timing attacks.

Man-in-the-middle attacks: The term describes when an attacker intercepts communication and impersonates both the Internet user and the website he or she is visiting. DNSCrypt prevents man-in-the-middle attacks by preventing insertion of unauthenticated and unencrypted DNS packets, giving Internet users greater confidence in the authenticity of the websites they’re visiting.

Resolver impersonation: It’s possible that ISPs or other intermediaries could hijack DNS traffic destined for sites like OpenDNS, Google, and others transparently. It’s important that users who choose to use a third-party DNS service have the confidence in knowing their packets are being answered by their designated third-party and are not being re-routed and answered fraudulently.

“DNSCrypt is a critical advancement for the DNS, for global Internet security efforts and for the Internet at large,” said OpenDNS CEO David Ulevitch. “The technology empowers Internet users to secure their own Internet and DNS use and protect themselves from nefarious activity that happens through their DNS connection, but also to insulate themselves from their Internet Service Provider’s uninhibited access to their DNS activity and domain lookup history. All Internet users have a right to privacy and DNSCrypt gives them both that and a heightened level of security.”

“I encourage developers to get involved with DNSCrypt, and use their skills to help make the Internet a more privacy-rich and safe place,” he continued.

Currently, DNSCrypt is available for Mac. Downloads, code and more information can be found at

About OpenDNS
OpenDNS is the world's leading provider of Internet security and DNS services, enabling the world to connect to the Internet with confidence on any device, anywhere, any time. OpenDNS provides millions of businesses, schools and households with a safer, faster and more intelligent Internet experience by protecting them from malicious Web threats and providing them control over how users navigate the Internet, while dramatically increasing the network's overall performance and reliability. For more information about OpenDNS, please visit:



Contact Author

Allison Rhodes