Browse the web safely with a tool that encrypts DNS requests



The DNSCrypt tool encrypts domain-name resolution requests (DNS requests), helping you avoid having someone snoop on and track your web browsing.

David Ulevitch, founder and CEO of OpenDNS, a company specializing in the Domain Name System (DNS), said that in December 2011 the company released a version of the DNSCrypt tool for Mac OS, and that it has now launched a technology preview for Windows.

The tool encrypts DNS requests between the computer and OpenDNS's DNS system. DNS requests are an essential component of the Internet: they "translate" domain names into IP addresses so that a computer can reach the Internet and "browse the web".

Most Internet service providers and large organizations run their own DNS servers. OpenDNS runs DNS servers and offers them free of charge to users who need them.

If DNS requests are not encrypted, someone else can monitor your Internet traffic, much as when you connect to an unencrypted wireless access point at a café or bookstore. David Ulevitch said that unencrypted DNS requests are very dangerous because attackers can exploit them to redirect you to websites hosting malware or to mine your web-browsing information.

David Ulevitch said that about 10,000 people are using the Mac OS X version of DNSCrypt, and OpenDNS is now releasing a preview for Windows. He said the preview may have some bugs, but the company will fix them as user feedback comes in.

Quốc Dũng, PCWorld

Source: IDG News




Introducing DNSCrypt (Preview Release)


Securing a critical piece of Internet infrastructure


Background: The need for better DNS security

DNS is one of the fundamental building blocks of the Internet.  It’s used any time you visit a website, send an email, have an IM conversation or do anything else online.  While OpenDNS has provided world-class security using DNS for years, and OpenDNS is the most secure DNS service available, the underlying DNS protocol has not been secure enough for our comfort.  Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).

That said, the class of problems the Kaminsky Vulnerability belonged to was a result of some of the underlying foundations of the DNS protocol being inherently weak, particularly in the "last mile." The "last mile" is the portion of your Internet connection between your computer and your ISP. DNSCrypt is our way of securing the "last mile" of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol. As the world's Internet connectivity becomes increasingly mobile and more and more people connect to several different WiFi networks in a single day, the need for a solution is mounting.

There have been numerous examples of tampering with (man-in-the-middle attacks on) and snooping on DNS traffic at the last mile, and this represents a serious security risk that we've always wanted to fix. Today we can.
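The news article above says an unencrypted DNS request lets an observer see what you browse, and this section says the last mile is where that snooping happens. The following added example (not code from OpenDNS or DNSCrypt) builds a standard RFC 1035 query exactly as a stub resolver would send it over UDP port 53 and then parses it back the way a passive observer on the same network would, showing that the queried name and the 16-bit transaction ID sit on the wire in plain bytes. The hostname `www.example.com` and the transaction ID are constructed sample values.

```python
import os
import struct

QTYPE_A = 1          # A record (IPv4 address)
QCLASS_IN = 1        # Internet class
FLAG_RD = 0x0100     # "recursion desired" bit in the DNS header flags


def encode_name(name):
    """Encode a dotted hostname as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # zero-length label terminates the name


def build_query(name, txid=None):
    """Build a plain, unencrypted A-record query as a stub resolver sends it."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # 16-bit transaction ID
    # header: id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(packet, offset):
    """Decode a label sequence at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # compression pointers are valid in answers but not in a query name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observe(packet):
    """Everything a passive on-path observer can read from one plaintext query."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {
        "txid": txid,                       # the only unpredictable field
        "name": name,                       # the site being looked up, in the clear
        "qtype": qtype,
        "qclass": qclass,
        "recursion_desired": bool(flags & FLAG_RD),
    }


if __name__ == "__main__":
    # constructed sample: the name a user's browser would look up
    pkt = build_query("www.example.com")
    print(pkt.hex())
    print(observe(pkt))
```

The `observe` function needs nothing but the raw datagram, which is the point: on an open WiFi network or any other last-mile hop, whoever can capture port 53 traffic can recover the name without any key. DNSCrypt's encryption removes exactly this visibility between the client and the OpenDNS resolver.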


Why DNSCrypt is so significant

In the same way SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don't work in the security world, however, so we've opened up the source to our DNSCrypt code base and it's available on GitHub.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.


Download Now:

Download DNSCrypt for Mac

Download DNSCrypt for Windows


Frequently Asked Questions (FAQ):


1. In plain English, what is DNSCrypt?

DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security.  It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.


2. How can I use DNSCrypt today?

DNSCrypt is immediately available as a technology preview. It should work and shouldn't cause problems, but we're still making iterative changes regularly. You can download a version for Mac or Windows from the links above.


If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443.  This will make most firewalls think it’s HTTPS traffic and leave it alone.

If you prefer reliability over security, enable fallback to insecure DNS.  If you can’t reach us, we’ll try using your DHCP-assigned or previously configured DNS servers.  This is a security risk though.


3. What about DNSSEC?  Does this eliminate the need for DNSSEC?

No. DNSCrypt and DNSSEC are complementary.  DNSSEC does a number of things.  First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?)  Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable.  But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC.  Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.

That said, DNSSEC and DNSCrypt can work perfectly together.  They aren’t conflicting in any way.  Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records.  There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.


4. Is this using SSL? What’s the crypto and what’s the design?

We are not using SSL. While we make the analogy that DNSCrypt is like SSL in that it wraps all DNS traffic with encryption the same way SSL wraps all HTTP traffic, SSL is not the crypto library being used. We're using elliptic-curve cryptography, in particular the Curve25519 elliptic curve. The design goals are similar to those described in the DNSCurve forwarder design.



Thank you so much
