DNSCrypt from OpenDNS: Adds an extra layer of security


Are you an OpenDNS user? Did you know that OpenDNS released a free program for both Windows and Mac which adds an extra layer of security to your online activities? It’s called DNSCrypt… and OpenDNS describes it thus:

DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security.  It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks. DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.

OpenDNS has a well-earned reputation for safety and security, so if they come up with a product which claims to enhance online security, one tends to take notice. Download for Windows is a mere 1.05MB executable which, as one would expect from a company with a sterling reputation for security, scans 100% clean through Virus Total. Installation is also clean and straightforward.

DNSCrypt places an icon in the system tray which provides right click access to two basic options; Open Control Center or Exit.

DNSCrypt Control Center


I’ve only been utilizing DNSCrypt for a very short space of time but have not experienced any lag or slowdown in connection or browsing speed to date. If you are interested in trying DNSCrypt yourself, I suggest you read through OpenDNS’s introductory article first, which includes download links and a FAQ section, here: http://www.opendns.com/technology/dnscrypt/

One important note: DNSCrypt is currently a “Preview” release and still under development:


DNSCrypt is immediately available as a technology preview.  It should work, shouldn’t cause problems, but we’re still making iterative changes regularly.

To be on the safe side, I advise creating a system restore point prior to installation.

OpenDNS

For the uninitiated; OpenDNS provides an alternative DNS service to that of your ISP (Internet Service Provider). As per Wikipedia:

“OpenDNS offers DNS resolution as an alternative to using Internet service providers’ DNS servers. OpenDNS extends DNS (Domain Name System) adding features such as misspelling correction, phishing protection, and optional content filtering. The OpenDNS Global Network processes ~45 billion DNS queries daily from 50 million active users connected to the service through 19 data centers worldwide.”

You can view a guide on how to setup OpenDNS here: http://use.opendns.com/ (refers to Mac OS X, Windows XP, Vista, and Windows 7).

IMPORTANT FOOTNOTE: The version of DNSCrypt on offer under the OpenDNS GUI has been brought into question. Apparently, it is an older beta version which was released for testing purposes only. I strongly advise anyone interested in utilizing DNSCrypt to read through Frank’s enlightening comments under… Thank you Frank.


In the meantime, I’ve sent an email off to OpenDNS asking them why they continue to offer outdated software. Will report further if and when I hear back from them.

 

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.

12 Comments

  1. dnscrypt is 2 years old, and the user interface you are reviewing ships with an early beta version of dnscrypt that was just for beta testers and should not be used any more.

    dnscrypt has been out of beta for a while. Current version is 1.3.2.

    See http://dnscrypt.org for more info about dnscrypt.

  2. Jim Hillier commented on Daves Computer Tips:

    Thanks for the enlightenment Frank, much appreciated.

    “DNSSync” was a slip of the mind, I was simultaneously thinking about checking out folder syncing software and somehow managed to mash the two together… it happens to us old folks. Now fixed.

    I still don’t understand why OpenDNS would recently release an older (beta) version of DNSCrypt under their own GUI. It doesn’t make sense, surely they could just as easily have done the same thing with the latest version?

    I included the link to the download on CNET merely to confirm chronology, my regular readers are well aware of my personal distaste for CNET download.com.

    Anyway, thanks again,
    Cheers… Jim

  3. DNSCrypt (not DNSSync) was released in August 2011.

    dnscrypt is a protocol, and there is a free, open-source client for this protocol, called dnscrypt-proxy (often referred to as “dnscrypt” although “dnscrypt” is the protocol).

    dnscrypt-proxy has no user interface. On Windows, it runs as a native Windows service. On other platforms (including iPhone and Android) it runs as a daemon. It’s on Github, the project home page is http://dnscrypt.org, and this is where all the development has been taking place for the past 2 years.

    It’s quite easy to use as is (see https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown for instructions on Windows): install it, change your DNS settings to 127.0.0.1.

    But still, a user interface might be way more convenient to non tech-savvy people.

    So I wrote a basic user interface for Mac, that was released at the same time as dnscrypt.
    This user interface, just like every other user interface, doesn’t do much: it just starts/stops the service and changes the DNS settings to 127.0.0.1 when clicking a button.

    Shortly after, someone wrote a user interface for Windows: https://github.com/Noxwizard/dnscrypt-winclient
    That was a great surprise, and a welcome addition for Windows users.

    Later on, Open DNS released their own user interface for Windows.

    All of these are opensource and hosted on Github.

    Someone then wrote a user interface for (jailbroken) iPhone/iPad. It’s available on Cydia.

    Router firmwares started to include it, too, providing an easy way to enable it through a web interface.

    All of these user interfaces are still just user interfaces. They start/stop dnscrypt-proxy and change the DNS to 127.0.0.1. That’s it. The dnscrypt client is dnscrypt-proxy in all cases.

    Someone also recently contributed a server (dnscrypt-wrapper).

    Except the iPhone user interface, everything is free, opensource, and on Github and on dnscrypt.org. Don’t trust random, unrelated mirrors like CNET, this is not where developers are uploading the official apps.

    dnscrypt (the client, the opensource server, and the protocol) is still actively maintained.
    However, the free user interfaces are pretty much all abandoned, including the ones written by Open DNS.

    The Windows ones are the most outdated. Noxwizard, who wrote the first Windows client, doesn’t seem to have much time/interest to work on it. The “official” one hasn’t been updated for ages (see https://github.com/opendns/dnscrypt-win-client/commits/master) and trivial contributions from users are not even looked at any more (see https://github.com/opendns/dnscrypt-win-client/pull/6).

    The Noxwizard client is still useable, because it doesn’t install its own copy of dnscrypt. So you can use a current version of dnscrypt, and it should work with the interface, even though the UI can’t take advantage of recent features.

    The OSX and the Open DNS Windows ones are problematic, because, for convenience, they include and install their own copy of dnscrypt-proxy, which is whatever version was the current one when the UI was packaged, and dnscrypt never got updated since.
    The version in the OSX user interface is okay (until the protocol changes). Not the latest one, but at least it’s not a beta version. The one in the Open DNS Windows user interface is an early beta version that was only made for testing. It shouldn’t be used any more, as it has serious bugs and limitations. And these beta versions are totally unmaintained. The code has been completely rewritten since.

    The GUI on Cydia doesn’t seem to receive many updates either.

    At this point, the only free and well-supported user interfaces are the ones from firmware routers, namely Tomato Shibby and Advanced Tomato.

    I wouldn’t recommend any other ones, until someone (or a company) volunteers to write a new one, or updates an existing one.

    On Windows, please follow the instructions from https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown to see how to run it as a service.

    On OSX, installing it from Homebrew is the preferred method (brew install dnscrypt-proxy).
    A lot of BSD and Linux distributions have it in their ports system / packages repository.
    Binaries for Android and iOS are available from http://dnscrypt.org

    • Many thanks for the enlightenment Frank, much appreciated. I’ve added a footnote into the article pointing to your comments.

      “DNSSync” was a slip of the mind, I had been thinking about checking out folder syncing software and somehow managed to mash the two together… it happens to us old folks occasionally. 🙂 Now fixed.

      I included the link to the download on CNET merely to confirm chronology, my regular readers are well aware of my personal distaste for CNET download.com.

      I still don’t understand why OpenDNS would release an older (beta) version of DNSCrypt under their own GUI. It doesn’t make sense, surely they could just as easily have done the same thing with the latest version. Or at least kept the underlying software updated.

      BTW: The DNSCrypt-proxy downloads you linked to via GitHub appear to include Win32 only, no 64-bit, is that correct?

      Thanks again,
      Cheers… Jim

      • The Windows builds are indeed 32-bit builds.

        It can be compiled to 64-bit, but a 64-bit build doesn’t bring much. It’s bigger, not significantly faster, and since it requires very little memory, 64-bit addressing is not required at all.

        dnscrypt-proxy also has a plugin system (DLL can be dynamically loaded to add features, like custom filtering). 32-bit builds require 32-bit plugins and 64-bit builds require incompatible, 64-bit plugins.

        If there is a good reason to, I can make 64-bit builds available for download, though. It’s just a bit more work to maintain both.

  4. The Open DNS page you linked to was written 2 years ago. The last update of the Windows user interface (0.0.6) was released 1 year ago.

    • This seems particularly remiss coming from such a security conscious organization as OpenDNS. I wonder if OpenDNS realizes that its outdated beta version has recently been added to the listings on two major download sites.

  5. This has all really confused me. I am looking for something like this to use in hotspots such as cafes, libraries, hotels etc. Is DNSCrypt safe to use or is it still a repackaged beta version? If it is ok, should it be downloaded from the open DNS website? And where should I download the user interface for Windows 8?
    Hope you can help!

    • Hi Robin – I’ve been using DNSCrypt under the OpenDNS GUI for almost a week now with zero issues. However, that does not necessarily mean that issues will not arise at some time.

      There is currently no Windows GUI (front end) available for the latest version of DNSCrypt. So, if you wish to utilize DNSCrypt, you have two choices:

      1) Use the OpenDNS version with the outdated DNSCrypt software…. or
      2) Follow the guide, from the link provided by Frank, to run the latest version of DNSCrypt. Here is the link again: https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown

      Cheers… Jim

  6. Thank you to the both of you for discussing this worthy information out loud and sharing with the rest of us!
    Recently using “Domain Name Speed Benchmark (https://www.grc.com/dns/benchmark.htm)” I changed my DSL provider DNS to the one that the Gibson site recommended. Unfortunately, this recommended DNS server is not the OpenDNS servers I have employed previously.
    I just wanted to remark that if a user is to later change from using BOTH OpenDNS servers TOGETHER with the DNScrypt protocol, BOTH must be simultaneously disabled. Since forgetting NOT to disable DNScrypt would continue encrypting the traffic to the new (non-compatible) DNS; thinking that it was still sending the encrypted query to the OpenDNS servers.
    I wonder if a better method would be to create different OpenDNS server IP#s; for being able to employ DNScrypt…

  7. Given the recent Snowden revelations about the NSA and others I wonder about what lies behind this apparent abandonment of a very useful security tool…
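
Added example (not part of the original post or comments, and not dnscrypt-proxy's own code): a check for the setup described in comment 3, where the system DNS is pointed at 127.0.0.1 so queries pass through dnscrypt-proxy, and for the DNS-settings change raised in comment 6. It assumes a Unix-style resolv.conf; the sample configs, function names and the 192.0.2.53 documentation address are constructed for illustration.

```python
import ipaddress
import os
import socket
import struct

# Constructed sample resolver configs (not from the page). 192.0.2.53 is a
# documentation address standing in for "some upstream resolver".
CONF_PROXIED = "# dnscrypt-proxy listening locally\nnameserver 127.0.0.1\n"
CONF_LEAKING = "nameserver 127.0.0.1\nnameserver 192.0.2.53  # leftover ISP entry\n"

def non_loopback_resolvers(conf_text):
    """Resolvers that are not loopback: queries sent to them skip the local proxy."""
    leaks = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                if not ipaddress.ip_address(fields[1].split("%")[0]).is_loopback:
                    leaks.append(fields[1])
            except ValueError:           # unparsable entry: report it, do not trust it
                leaks.append(fields[1])
    return leaks

def build_query(name, txid):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_response_for(data, txid):
    """True if data is a DNS response (QR bit set) carrying our transaction id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def local_resolver_answers(host="127.0.0.1", port=53, name="example.com", timeout=2.0):
    """Send one query to the local listener. A reply shows that something answers
    on loopback; it does not prove the listener is dnscrypt-proxy."""
    txid = int.from_bytes(os.urandom(2), "big")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (host, port))
            return is_response_for(s.recvfrom(512)[0], txid)
    except OSError:                      # timeout, refused, or no socket access
        return False
```

Any address returned by `non_loopback_resolvers` is a resolver the system may query directly, without going through the local proxy.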