|Domain Name System|
This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (January 2018) (Learn how and when to remove this template message)
DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.
DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks.
It also mitigates UDP-based amplification attacks by requiring a question to be at least as large as the corresponding response. Thus, DNSCrypt helps to prevent DNS spoofing.
DNSCrypt can also be used for access control, as done by Comodo in their cDome Shield product.
In addition to private deployments, the DNSCrypt protocol has been adopted by several public DNS resolvers, the vast majority being members of the OpenNIC network, as well as virtual private network (VPN) services.
Later, Infoblox announced ActiveTrust Cloud, leveraging DNSCrypt to secure DNS communications.
Other servers that support secure protocol are mentioned in the DNSCrypt creators’ list.
Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider.
This public key is used to verify a set of certificates, retrieved using conventional DNS queries. These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key for every query, while servers are encouraged to rotate short-term key pairs every 24 hours.
Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes. Over UDP, when a response would be larger than the question leading to it, a server can respond with a short packet whose TC (truncated) bit has been set. The client should then retry using TCP and increase the padding of subsequent queries.
Public-key based client authentication
The DNSCrypt protocol can also be used for access control or accounting, by accepting only a predefined set of public keys. This can be used by commercial DNS services to identify customers without having to rely on IP addresses.
- DNS over HTTPS
- DNS over TLS
- Domain Name System Security Extensions (DNSSEC)
- Elliptic curve cryptography