How-To Geek

DNSCrypt Encrypts Your DNS Traffic

DNSCrypt is an open-source DNS encryption tool, from the makers of popular DNS service OpenDNS, that increases browsing security by encrypting all your DNS requests.

DNSCrypt adds another layer of security to your web browsing experience by encrypting the requests between your computer and the OpenDNS servers. OpenDNS explains the significance of this change in the DNSCrypt announcement:

In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn’t require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don’t work in the security world, however, so we’ve opened up the source to our DNSCrypt code base and it’s available on GitHub.

DNSCrypt is in preview release right now and, sadly, only available for OS X; the release announcement notes that Windows and Linux versions will be arriving soon.
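To make concrete what "eavesdropping" on DNS means, here is an added example (not code from the article or from OpenDNS's DNSCrypt project) that builds a plaintext DNS query and its reply in wire format and then parses both the way a passive observer on the path could. The name and address are constructed samples; every field read out here, the name being looked up and the address handed back, travels in the clear without DNSCrypt.

```python
import struct

def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def decode_name(pkt, off):
    """Read a name at off, following RFC 1035 compression pointers. Returns (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # pointer: 2 bytes, jump to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)

def build_query(txid, name):
    # header: id, flags (RD set), QDCOUNT=1, other counts 0; then the question (type A, class IN)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, ipv4):
    # echo id and question, set QR/RD/RA flags, add one A record (name compressed to offset 12, TTL 300)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr

def observe(pkt):
    """What a passive on-path observer reads from one cleartext DNS packet (constructed sample input)."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    qname, off = decode_name(pkt, 12)
    off += 4                                       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record: the address the client will connect to next
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": addrs}
```

Running `observe(build_response(build_query(0x1234, "www.example.com"), "192.0.2.10"))` returns the looked-up name and the answered address; the transaction id is the only thing a plaintext resolver checks before accepting such a reply, which is the gap the announcement's authenticated transport is meant to close.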

Introducing DNSCrypt [OpenDNS via Tech Crunch]

Jason Fitzpatrick is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don't have to. If it can be modded, optimized, repurposed, or torn apart for fun he's interested (and probably already at the workbench taking it apart). You can follow him on if you'd like.

  • Published 12/7/11

Comments (10)

  1. deiler

    Maybe a dumb question, but will DNSCrypt replace the need for a vpn on untrusted networks?
    Thanks for your help.

  2. matt Lucas

    No, it merely prevents man-in-the-middle attacks at the DNS level.

  3. Cambo

    Not a dumb question at all.

    No, it will not replace your VPN. VPN is based on IP, not DNS name. This simply encrypts your DNS requests from your PC to OpenDNS’s servers, preventing man-in-the-middle attacks. It does NOT encrypt your IP traffic from your PC to another web server.

  4. Anonymous

    Something is always better than nothing where security is concerned. But I hardly see this as much protection. So I say, big whoop.

    I’m also wondering if anyone even knows what a “man in the middle” attack even is since it seems like the assumption is something else. Quite simply, a “man in the middle” is really just an illegitimate router which pretends to be whatever your computer wants it to be. This is usually done in an attempt to coax your computer to connect with it instead of another legitimate router. It’s also a very good reason to NOT allow your computer to connect just willy-nilly to anything out there too. Then again, if you don’t care who/what watches what you do while you’re on the Internet – or if you use SSL to/from a VPN – then go ahead and use connections like that.

    Now, if you compare DNS encryption to the telephone system then all you’re really doing is scrambling every phone number you ever dial. Remember, all any DNS service ever does is associate names to IP addresses – just like a phone-operator/book does with names to phone numbers. So really, all you’re doing is scrambling the connection to the list of phone numbers but not necessarily the connection/conversation itself. Any “man” connected between you and who you call might still be able to listen in.

    Therefore, it seems to me that all this DNS encryption is a little pointless since anyone in between (source and destination) might still hear and understand what’s being said. About the only real protection would be to speak in a language that no one else can understand – which is pretty much what packet encryption (SSL) does.

  5. Johann

    @Anonymous (4.31pm)

    I’ve not looked at the nitty-gritty but the press statement implies that it protects against both eavesdropping and MITM. I admit that the eavesdropping aspect may be of limited use but if the MITM protection prevents DNS spoofing then it should be welcomed greatly. If it guarantees that when you connect to a domain name you get to a real IP, regardless of any local network interference, then it’s a welcome addition to your security.

  6. Niks

    Will this make my internet speed slow?

  7. mdnuts

    It should be a negligible performance hit, I’d imagine.

  8. Art€

    @Anonymous; vagy Magyarul beszélni….. (or speak Hungarian….). Just kidding….

  9. deiler

    Thank you Matt and Cambo.

  10. me

    Why did they make it for Mac first? Most users are on Windows.
