Blog

The InterNetX Blog provides you with news and background information on innovations concerning domains, servers, SSL and other industry-related topics.

DNSCrypt. What it is. How it works. What it’s used for.

DNSCrypt is a network protocol that, along with DNSSEC, helps to authenticate DNS traffic. To do so, DNSCrypt employs cryptographic signatures and ensures that DNS resolvers are pinged correctly, thereby effectively providing protection against DNS spoofing.


Blogartikel DNSCrypt – was ist das?

The network protocol DNSCrypt was originally created by Frank Denis and Yecheng Fu with the aim of increasing security, privacy and integrity online. DNSCrypt is an open specification with free and open source reference implementations. It can be used to provide increased security for DNS queries on computers as well as on servers or mobile devices.

The development of DNSCrypt resulted from analyzing the vulnerability of the Domain Name System. DNS spoofing, the so-called manipulation of DNS responses, is a method frequently used by hackers to penetrate a DNS system and manipulate the DNS queries. DNSCrypt is a supplement or extension of DNSSEC, which was the first initiative (also recognized by ICANN) to ensure the integrity and authenticity of data transfer on the DNS.

Although the DNSCrypt protocol is widely used to mitigate or prevent UDP-based amplification attacks, like Denial of Service (DoS), it was never published as Request for Comment (RFC) by the Internet Engineering Task Force (IETF), an organization promoting open source internet standards. DNSSEC, by contrast, was documented in RFC 4033.

DNSSEC guarantees high levels of security and trust. Find out more about how this internet protocol protects your domains!

DNS vulnerability

When the DNS was developed in 1983 by the IT pioneer Paul Mockapetris, security for the transfer of data rather played a subordinate role. The primary mission was to increase the user-friendliness of the internet, which was still in the making then. Instead of complicated numerical sequences, the aim was to make it simpler for users to access websites on the internet by employing domain names that were easier to remember. The Domain Name System is based on a simple operating principle. When a URL is entered in the browser bar, the query is sent to a DNS server. The task of the DNS server is to forward the query to the IP address that is associated with the relevant domain name. This fundamental task of the Domain Name System is also known as “Domain Name Resolution”.

During this process, all the information required to find the requested web address is collected and finally made available to the client as an IP address. The client can then reach the server in question via the IP address and the website that the user has been looking for will be displayed in the browser. In detail, this is how it works: The client sends the request for the specific IP address to the DNS resolver. The resolver then sends a request to the root server (DNS Root) to find out which DNS server is responsible for the respective top-level domain (e.g. .com). After receiving the information, the request is passed on to the TLD server, which returns the authoritative name servers of the provider. The request is then passed on to the authoritative name server (DNS zone), which will return the searched IP address back to the DNS resolver. The DNS resolver will finally return the IP address to the client, which can use it to request the responsible server (request - response) in order to call up the desired website.

In this way, DNS servers basically process all internet services, making them an attractive target for cyber attacks. For this reason, the DNS needs protective mechanisms to safeguard vulnerabilities and follow necessary security standards for processing data. This is exactly where DNSCrypt comes into play.

DNSCrypt against DNS vulnerabilities

In principle, every network user is able to read the queries sent by an end device in the DNS system. In corporate networks, exact protocols can be created listing the internet sites employees visit during their working day. This happens unobtrusively and does not require traffic over HTTP(S) to be read. Universities and other institutions also make use of this to accurately log internet traffic. In many cases,  only their own DNS server is allowed while other servers are blocked. Traffic can also be logged when redirected via a VPN connection. State organizations are also able to intervene in this mechanism in order to, for example, set up internet filters or blocks. With this form of manipulation, false IP addresses are sent back to DNS queries if they are on a blacklist.

Controlling the DNS queries of a client makes it possible to redirect users to any website. At first glance, the user does not notice anything as the address in the browser is exactly what was originally entered. In this manner, it is also possible to install foreign software on the user’s device. Many tools automatically check for updates or the availability of new versions when an application accesses the internet. Most applications offer to immediately download and install these for users. If the download is not verified using a signature, attackers can practically install any software they like. DNSCrypt uses a number of measures to ensure or increase the confidentiality of DNS queries.

What is DNS security and how can we use our technology to protect a domain? Klaus Darilion (nic.at) answers our questions in this article, so that we can protect what we love most: domains!

How DNSCrypt increases integrity and data protection

DNSCrypt ensures the integrity of queries on the client and server side by encrypting the DNS traffic. The cryptographic method used by the DNScrypt proxy is "elliptic curve cryptography" – specifically Curve25519.

By default, the browser query is sent to servers via a UDP (user datagram protocol) connection. The transmission of queries via TCP (transmission control protocol) only serves as a fallback solution here, as TCP offers attackers a great deal of useful information. Many networks not only enable UDP via port 443, but also TCP, as it enables communication with HTTPS-encrypted websites.

The transmission path of DNSCrypt helps to remove a crucial vulnerability. The filtering of queries on DNS basis via port 53 is solved. The DNS traffic encrypted by DNSCrypt can only be read and logged on the queried DNS server, preventing a man-in-the-middle attack.

InterNetX offers numerous tools to provide optimal domain security and protect the integrity of DNS queries.

Use these services for maximum domain protection