|App Name|+ DNSCrypt|
|App URL|OpenDNS home page; DNSCrypt download page; Lifehacker overview of DNSCrypt|
|App Version Reviewed|DNSCrypt up to v0.0.6 (since May 2012). This is the current version as at the "Last updated" date at the top of this post.|
|Test System Specs|Win7-64 Home Premium, Windows 8.1|
|Supported OSes|DNSCrypt runs on: Windows - XP, Vista and 7 and 8.|
|Upgrade Policy|DNSCrypt - FREE - as and when available.|
|Trial Version Available?|FREE - NO limitations.|
|Pricing Scheme|OpenDNS + DNSCrypt are both FREE.|
Screenshot of the main tabbed DNSCrypt GUI pane, showing the settings summary on the General tab:
I had been meaning to pull together a mini-review of this for some time, but after (a) some recent events and (b) some discussion about DNSCrypt and VPNGate on the DC Forum, I figured the mini-review was probably now overdue.
(a) The recent events were:
- 1. Guardian report: the published details of a leaked secret court order, as first reported in the guardian.co.uk on 2013-06-06: NSA collecting phone records of millions of Verizon customers daily
- 2. DemandProgress email: An email sent on 2013-06-08 to subscribers, from demandprogress.org:
Quote: "The revelations of spying on telephone customers are extraordinary -- but it gets even worse. The government is spying, in real time, on all Internet users. From the Guardian:"
(Referring to: NSA Prism program taps in to user data of Apple, Google and others)
Quote: "The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says."
(b) The DC Forum discussions were:
- Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX
- VPN Gate - Univ. of Tsukuba launches Academic Experimental [Crowd] Project.
What this is all about is personal privacy and security: we now know that different governments - for a variety of reasons - are spying on their citizens, tapping into their Internet, telephone and general communications traffic. As well as that, there may be criminal operations with sophisticated equipment, tapping into the same communications, for multifarious criminal purposes. I'll leave it up to you, the reader, to figure out which of these two is probably the greater threat, or which countries' governments are not spying on their citizens in this manner.
Description of OpenDNS + DNSCrypt:
- 1. DNS:
DNS stands for "Domain Name Server". Here is a somewhat over-simplified description of what this server does:
- When you set your browser to go to a URL (Universal Resource Locator) address - e.g., (say) google.com - your browser passes the request to your ISP (Internet Service Provider) connection node.
- That node is usually the Primary DNS for you, and there will be a Secondary one also, as backup.
- The IP (Internet Protocol) addresses - which are strings of numbers - of the 2 DNSes are set up in your broadband router.
- The DNS takes the URL your browser sends it, and looks it up in a huge conversion table of all available IP addresses.
- The DNS then finds the IP address for that URL, and sends off a request to connect to that IP address.
- This begins your Internet communication/transaction with (say) google.com.
- 2. OpenDNS:
This is essentially a FREE service that you access by setting two OpenDNS IP addresses as your Primary and Secondary DNSes in your broadband router, replacing those of your ISP:
- First you could set up (it's not mandatory) your OpenDNS Premium account here.
- Then you set up these two IP addresses as your Primary and Secondary DNS in your broadband router:
There is an OpenDNS server map at https://www.opendns.com/technology/network-map/
(Hover over the network nodes to see a description of each one.)
Once you have set up the OpenDNS IP addresses in your broadband router, the ISP becomes a passive "pass-through" node, with the OpenDNSes taking over the role of serving your request to (say) google.com, and the handling of the communications between google.com and you from that point on.
The benefits of doing this are several, and include: (from the OpenDNS website)
- Speed up your Internet experience.
OpenDNS's 12 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS's network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.
- Make your Internet more reliable.
With our extensive data center footprint and use of Anycast technology, the OpenDNS network has built-in redundancy ensuring zero downtime. SmartCache technology, an OpenDNS innovation, enables you to access sites that may otherwise be inaccessible due to authoritative DNS outages, providing you with the most reliable Internet possible.
- Phishing protection.
OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. Surf the Web with confidence.
- Gain visibility into your network usage.
OpenDNS's reports provide you with visibility on your networks' Internet activity, giving you needed insight into how your Internet resources are being used.
- Easy to set up and it's free.
Getting started on OpenDNS Premium DNS takes minutes; there are no downloads or additional software required and it's completely FREE.
- 3. DNSCrypt:
Here is the About tab on the DNSCrypt GUI:
DNSCrypt is a tool for securing communications between a client and a DNS resolver.
dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server - by default OpenDNS, who run this on their resolvers.
The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
You can download and install the DNSCrypt application from the link given in the table at the top of this review.
Who this app is designed for:
The combination of OpenDNS + DNSCrypt will appeal to those who wish to improve their personal privacy and security on the Internet.
The combination of OpenDNS + DNSCrypt works in this regard - i.e., the improvement of your personal privacy and security on the Internet.
The privacy/security could be further improved with the use of VPN (Virtual Private Network) services.
The needs improvement section:
Not so much needs improvement, but caveats to bear in mind:
- Though you can set your OpenDNS Premium account to not maintain your traffic logs, a government authority could oblige the OpenDNS operator to maintain logs, regardless of users' wishes, and these logs could be used for surveillance (spying).
- DNSCrypt only encrypts traffic between your PC and your OpenDNS server(s). The traffic between those DNSes and the Cloud is unencrypted, and compulsory government access and surveillance could still monitor that traffic at some point.
Further privacy/security and also anonymity could be gained through the use of a VPN (Virtual Private Network), in addition to OpenDNS + DNSCrypt.
Why I think you should use this product:
- Because your personal privacy and security would likely be improved by using the combination of OpenDNS + DNSCrypt.
- Because if you are using a VPN, then DNSCrypt could help avoid the risk of "DNS leak" (refer to the Lifehacker review for an explanation of this).
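One way to check for the "DNS leak" mentioned above, as an added example that is not part of the original review or of DNSCrypt itself: it inspects outbound packets and reports any whose payload is still a readable DNS query. It assumes the local proxy listens on a loopback address; the packets, IP addresses and host names are constructed sample data.

```python
import ipaddress
import struct

def build_query(name, txid=0x1234):
    """Build a plain (unencrypted) DNS A-record query in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_plain_query(payload):
    """Return the queried name if payload is a readable DNS query, else None."""
    if len(payload) < 17:
        return None
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1 or an or ns:  # a response, or implausible counts
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(payload):
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None  # ran off the end without a terminating root label
    return ".".join(labels) if pos + 4 <= len(payload) else None

def find_leaks(packets):
    """List (destination, name) for readable DNS queries leaving the machine."""
    leaks = []
    for dst, _port, payload in packets:
        if ipaddress.ip_address(dst).is_loopback:
            continue  # handed to the local proxy (assumed to be on loopback)
        name = parse_plain_query(payload)
        if name:
            leaks.append((dst, name))
    return leaks

# Constructed sample traffic: (destination IP, port, payload).
SAMPLE = [
    ("127.0.0.1", 53, build_query("example.com")),        # app -> local proxy
    ("198.51.100.7", 443, bytes([0x9C]) * 64),            # stand-in for ciphertext
    ("192.0.2.53", 53, build_query("mail.example.org")),  # bypassed the proxy
]

if __name__ == "__main__":
    for dst, name in find_leaks(SAMPLE):
        print(f"plaintext DNS query for {name} sent to {dst}")
```

Any name it reports was visible to everyone on the path to that destination, which is the exposure the PC-to-resolver encryption is meant to remove.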
How does it compare to similar apps:
I am not aware of any closely similar current services/applications.
Some paid-for (not FREE) VPN service providers might offer some form of PC-to-DNS encryption, but I do not know.
- 1. Objective achieved: Using OpenDNS should improve on the Internet service experience that you might normally expect to receive from your ISP.
- 2. Objective achieved: Combining that with the use of DNSCrypt should improve your levels of personal privacy and security on the Internet, even if you are already using a VPN.
- 3. Experience indicates that OpenDNSCrypt is very stable: I started using OpenDNSCrypt in May 2012 on a laptop running Win7-64 Home Premium, and in May 2015 migrated with it to Win8.1. OpenDNSCrypt has run flawlessly at all times, but it will always be dependent on the underlying network infrastructure being in a robust state.
Links to other reviews of this application: (the first two are all you really need to get started)