A new free tool from OpenDNS promises to make domain name system (DNS) lookups, the conversion of a plain English domain name into a numeric Internet address, more secure.

A new free tool from OpenDNS promises to make domain name system (DNS) lookups, the conversion of a plain English domain name into a numeric Internet address, more secure. DNSCrypt prevents third parties from intercepting your DNS requests and rewriting them to point your browser, email client, or other software to malicious or fake sites. That may sound like a tedious bit of Internet plumbing, but it profoundly improves your security.

The software addresses a significant flaw in the way that software clients decide which Internet servers to trust. A client (like a web browser) and server create an encrypted connection with one another by relying on third parties, known as certificate authorities (CAs), to assure the client of the server's identity.

These CAs provide digital documents to a site operator that are bound to a domain name ( or a specific host-domain combination ( A client can validate a server's documents by checking their digital signatures against a list of trusted CAs. Those lists are built into operating systems (Mac OS X's can be viewed via Keychain Access) and some browsers (Firefox being the primary example).

Unfortunately, there's a flaw in the system: One step in the validation process isn't protected cryptographically. The CAs hand out a certificate with just the text of the server or domain name. They do so to give site operators the flexibility to move servers to different domains, or to have multiple IP addresses respond to the same domain name.

Software clients that want to make net connections must request those names in a plain text query that isn't protected against tampering. That creates a gap that can be exploited by substituting "poisoned" values for legitimate ones in DNS requests. So when your computer says it wants to go to, for which the DNS server should return an IP address of, a poisoned value of could come back instead.

How it works

As you might guess from the name, DNSCrypt encrypts this stage of the DNS client-server negotiation, so it's impervious to that sort of chicanery. This protects you from spoofing of servers that are protected by SSL as well as servers that aren't so well protected. If client software is connecting to a normal website, unprotected email server or other Internet service, DNSCrypt keeps that lookup accurate as well, defeating efforts by so-called evil twins and other hotspot and networking spoofing techniques.

When a software client makes a DNS request your computer consults a DNS resolver in the operating system, which then passes that query on to one of the DNS servers listed in its TCP/IP settings. That DNS server in turn passes the request up a chain of higher-level servers (to the .com root, for instance), which then finally hands off to the DNS server that manages information for a given domain. The results are sent back to the resolver.

DNSCrypt forces DNS lookups to go through OpenDNS instead of DNS servers operated by your own or a coffeeshop's Internet service provider. You can set your system to always point to OpenDNS or another service, like Wi-Fi, but otherwise the server addresses are provided when the network router assigns a local address to your computer or device.

OpenDNS came into being because the DNS servers at so many ISPs were slow and unreliable. It was (and is) a free and more efficient alternative to other DNS servers. But over the last few years those ISPs have improved their operations. In response, OpenDNS added more services to entice users, some free, like anti-phishing filtering, and some paid, like filtering and usage reporting.

It automatically fixes common typos, changing .cmo to .com, for example. Some security experts are critical of the company's policy of redirecting invalid domain name entries to a Google search page from which it derives advertising revenue. Curiously, Google, which also offers a free alternative DNS service, does not.

While DNSCrypt works with OpenDNS's service alone, the company has released the specification and software as open source. That means the system could be adopted elsewhere, turned into plugins (like a Firefox add-on), or built directly into client software. DNSCrypt works with OpenDNS's free and paid services, and is free to use.