Friday, December 9, 2011

Free Mac tool DNSCrypt improves Web security

When you connect to Web sites on the Internet, your computer uses the Domain Name System (DNS) to convert URLs like "" to the IP address of the server where the Web site is located.

This system is a hierarchical network of computers around the world that distribute the database of domains and subdomains, enabling the system to resolve the components of a URL ("com," "macfixit," and "www") to a specific IP address out of the millions that are available to the public. The system is used for Web browsing, but also for various other Internet communication services, including e-mail, instant messaging, synchronization, and application registration technologies.

The DNS system is a major area of security concern for Web traffic, since data from a compromised DNS server can cause your system either to fail to find the server it needs or, even worse, to be redirected to a rogue server that will attempt to install malware or coerce you into giving up personal information, among other illegal activities.

While an attacker can try hacking the DNS system at any point, the most interesting area is the business end of the DNS connection, called the "last mile," which is the link between the DNS server and your home computer, since this is the point where your computer receives instructions on which IP address to use when connecting to a specific URL. Attackers can compromise this link either by hacking the DNS server itself, or by using malware to change the DNS server on your system to a rogue one, as seen with the DNSChanger malware effort.

[Screenshot: DNSCrypt preferences]
OpenDNS' tool "DNSCrypt" will encrypt the connection to your DNS server, but it will only do so if you are using DNS servers from OpenDNS.
(Credit: Screenshot by Topher Kessler)

Some DNS service providers, such as Google and OpenDNS, have offered relatively safe, controlled public options that claim both to improve the performance of name resolution and to offer better security than Internet providers' DNS servers that are not well maintained. In addition, efforts by government officials and anti-malware companies have put pressure on the developers of malware that tries to compromise the DNS configuration on home computers. However, these options only help secure the two ends of the "last mile," and do not address another security issue in the DNS system: the DNS protocol itself.

The DNS protocol is analogous to protocols such as "HTTP" for Web pages or "FTP" for transferring files between servers, and is a set of instructions for how DNS servers structure and pass information among themselves and to your computer. While a specific DNS server such as Google's or OpenDNS' may be relatively safe, hackers may still be able to take advantage of its connection with your computer by using a man-in-the-middle attack similar to the vulnerability Kaminsky found in 2008.

According to OpenDNS, the Kaminsky vulnerability, and many others like it, take advantage of the "last mile" communication in the DNS protocol because it is not secured: an attacker can intercept and change the name resolutions that are sent to your system, allowing the attacker to redirect your computer to a malicious server.

To overcome this problem in other protocols such as HTTP or FTP, the computer industry has developed encrypted options (HTTPS and SFTP) that make connections much more secure against man-in-the-middle attacks that can peek at and steal information from the connection attempt (passwords, servers, machine information, and so on). The DNS protocol does not have an encryption option like this; however, DNS services company OpenDNS has released a tool for OS X called DNSCrypt that does encrypt DNS traffic.

DNSCrypt is a small system preference pane for OS X (it is currently available only for Mac OS) that enables encryption of the DNS protocol. It offers a simple option to enable or disable encryption on your Mac.

This is a great option to have for securing the Internet; however, it does have a limitation in that it will only work with the DNS servers provided by OpenDNS. These servers are configured to accept the encrypted connection handshake, while others, such as Google's DNS servers or those from your ISP, are not. Therefore, if you send an encrypted connection to a Google server, the connection will not work.

As a result, when you enable encryption on your Mac, the DNSCrypt tool will switch your system to using the OpenDNS servers; if an error occurs in the connection or if you disable encryption, it then switches you back to your default DNS servers.
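
Because the configured DNS server can change without notice (rogue changes of the DNSChanger kind, or the fallback to default servers described above), it is worth checking which resolvers a machine is actually using. The following is an added example, not code from OpenDNS or the original article; the expected-resolver set (OpenDNS's public resolver addresses) and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the resolvers you expect to see. These are OpenDNS's public
# resolver addresses; replace them with whatever your own setup should use.
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# Matches "nameserver 1.2.3.4" (resolv.conf style) and
# "nameserver[0] : 1.2.3.4" (macOS `scutil --dns` style).
_NS = re.compile(r"^[ \t]*nameserver(?:\[\d+\])?[ \t]*:?[ \t]*(\S+)", re.M)


def configured_resolvers(text):
    """Return the unique, normalized resolver IPs found in text, in order."""
    seen = []
    for raw in _NS.findall(text):
        raw = raw.split("%")[0]        # drop an IPv6 zone id such as %en0
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue                   # not an IP address; ignore the entry
        if ip not in seen:
            seen.append(ip)
    return seen


def unexpected_resolvers(text, expected=EXPECTED):
    """Return configured resolvers that are not in the expected set."""
    allowed = {str(ipaddress.ip_address(e)) for e in expected}
    return [ip for ip in configured_resolvers(text) if ip not in allowed]


# Constructed sample inputs (not captured from a real machine).
SAMPLE_OK = """resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
"""
SAMPLE_CHANGED = """# resolv.conf after a silent change
nameserver 203.0.113.53
nameserver 208.67.220.220
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("changed", SAMPLE_CHANGED)):
        print(name, "unexpected:", unexpected_resolvers(text) or "none")
```

On a Mac, pass it the output of `scutil --dns`; on other Unix-like systems, the contents of `/etc/resolv.conf`.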

These advances have great potential for securing the Internet, and while DNSCrypt is only a preview release, hopefully it is based on a standard or technology that will make its way into the system overall.