When we type a URL in the address bar, our computer contacts DNS servers to get the corresponding IP address of the website. Normally these DNS queries are unencrypted, so attackers can intercept the domain name resolution process for malicious purposes such as man-in-the-middle attacks. DNSCrypt is a protocol designed to prevent that.
Why DNSCrypt?
DNSCrypt is a network protocol that encrypts the traffic between a system and its DNS servers during domain name resolution, so that attackers cannot intercept it.
When we use HTTPS, SSL/TLS or a VPN, the browsing traffic is encrypted: the data transferred between the server and the user's computer is protected. But before the secure connection to the server can even be established, our computer has to resolve the website's IP address with a DNS query, and the connection between our computer and the DNS servers is normally not encrypted.
So an attacker can mount a man-in-the-middle attack, intercept the communication with the DNS servers and use it for malicious purposes.
DNSCrypt uses elliptic curve cryptography to encrypt the traffic between our computers and the DNS servers, making it difficult for attackers to intercept the traffic.
How does DNSCrypt work?
In DNSCrypt, both the client and the DNS server first generate short-term key pairs. A DNS resolver may have multiple certificates, each including a validity period, a serial number, a version indicating the key exchange mechanism and the encryption algorithm, and the short-term public key. The resolver can support multiple encryption algorithms and advertise multiple public keys.
When the client wants to resolve a name, it starts the DNSCrypt session by sending an unauthenticated, unencrypted DNS query that includes the certificate versions it supports and the public identifier of the provider.
The resolver responds with a set of signed certificates.
The client then verifies the certificates against the provider's public key, which has already been distributed to it, and selects the appropriate certificate.
Each certificate sent by the resolver includes a magic number unique to the public key and encryption algorithm to be used. The client then encrypts the actual query with its own private key and the resolver's public key and sends it to the resolver.
The resolver decrypts the query with the client's public key and its own corresponding private key. It then sends the response, again encrypted with the client's public key and the resolver's corresponding private key.
How is DNSCrypt different from DNSSEC?
DNSSEC does not encrypt the DNS records themselves. It ensures that the resolved IP address is authentic, but it sends the response unencrypted. DNSCrypt, on the other hand, encrypts the DNS response with a cryptographic algorithm.
Can DNSCrypt and DNSSEC be used together?
Using DNSSEC and DNSCrypt together is always the better option. The client can then be assured that the resolved IP address is the authentic address of the website, and because the response is encrypted, attackers cannot perpetrate a man-in-the-middle attack there either.
So be aware of the various security features available, so that you can protect yourself better. And stay safe, stay protected.