When we type a URL in the address bar, our computer asks a DNS resolver for the IP address of the website. Normally these DNS queries and responses travel unencrypted and unauthenticated, so an attacker on the path can watch them or forge replies, for example to redirect us to a server they control (a Man-In-The-Middle attack). DNSCrypt is a protocol designed to close that gap on the hop between our computer and the resolver.
Why DNSCrypt?
DNSCrypt is a network protocol that encrypts and authenticates the traffic between a client and a DNS resolver during domain name resolution, so that an on-path attacker can neither read the queries nor alter the answers.
When we use HTTPS, SSL/TLS or a VPN, the browsing traffic is encrypted: the data transferred between the server and the user's computer cannot be read on the way. But before the secure connection to the server can even be established, our computer has to resolve the website's IP address with a DNS query, and the exchange between our computer and the DNS resolver is normally neither encrypted nor authenticated.
So an attacker on the path can perpetrate a Man-In-The-Middle attack on that exchange: read which sites we visit, or answer our queries with a forged IP address before the real resolver does.
DNSCrypt uses elliptic-curve cryptography (an X25519 key exchange, with resolver certificates signed using Ed25519) together with an authenticated cipher (XSalsa20-Poly1305 or XChaCha20-Poly1305) to encrypt and authenticate the traffic between our computer and the resolver, so an attacker on the path can neither read nor tamper with it. Note that it protects only that hop: the resolver itself still sees every query in clear, and the resolver's own lookups toward authoritative servers are outside DNSCrypt's scope.
How does DNSCrypt work?
A DNSCrypt provider holds a long-term signing key pair, whose public key the client obtains out of band (for instance from the provider's entry in the client's configuration). The resolver generates short-term key pairs, and the client generates its own short-term key pair (it may use a fresh one for every query so that its queries cannot be linked to each other). For each short-term key the resolver publishes a certificate, signed with the provider's long-term private key, that includes a validity period, a serial number, a version number identifying the key-exchange mechanism and encryption algorithm, and the short-term public key. A resolver can support several encryption algorithms and advertise several certificates at once.
When the client wants to resolve a name, it starts a DNSCrypt session by sending an unauthenticated, unencrypted DNS query (a TXT query for the provider's public name, which identifies the provider) in which it states which certificate versions it supports.
The resolver responds with its set of signed certificates.
The client verifies each certificate's signature with the provider's public key it already holds, discards certificates that are expired, not yet valid, or of a version it does not support, and selects the remaining one with the highest serial number.
Each certificate also carries an 8-byte client magic number tied to that public key and encryption algorithm; the client prefixes it to every encrypted query so the resolver knows which of its keys to use. The client then derives a shared key from its own private key and the resolver's short-term public key, pads the query to a multiple of 64 bytes (so the length reveals less about what is being looked up), encrypts and authenticates it under that shared key with a fresh nonce, and sends the magic number, its own public key, the nonce and the ciphertext to the resolver.
The resolver recomputes the same shared key from the client's public key and the private key matching the magic number, decrypts and verifies the query, and sends back the response encrypted and authenticated under the same shared key, so the client can detect any modification on the way.
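The certificate handling and query padding described in the steps above, as an added example written for this page (it is not code from the original article or from the DNSCrypt project). It uses only the Python standard library and the DNSCrypt v2 certificate layout (4-byte magic "DNSC", es-version, minor version, 64-byte signature, 32-byte resolver key, 8-byte client magic, serial, start and end timestamps, all integers big-endian). Ed25519 is not in the standard library, so the provider signature is stood in for by a 64-byte HMAC-SHA512 tag over a hypothetical provider key; the X25519/XSalsa20-Poly1305 encryption of the padded query is deliberately left out (it needs libsodium). The sample certificates, keys and magic values are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

CERT_MAGIC = b"DNSC"
ES_XSALSA20POLY1305 = 1   # es-version 1: X25519 key exchange + XSalsa20-Poly1305
ES_XCHACHA20POLY1305 = 2  # es-version 2: X25519 key exchange + XChaCha20-Poly1305
CERT_LEN = 124            # 4 magic + 2 es + 2 minor + 64 sig + 32 pk + 8 magic + 3*4 ints


@dataclass(frozen=True)
class Certificate:
    es_version: int
    minor_version: int
    signature: bytes      # 64 bytes, signature by the provider's long-term key
    resolver_pk: bytes    # resolver's short-term public key (32 bytes)
    client_magic: bytes   # 8 bytes the client prefixes to every encrypted query
    serial: int
    ts_start: int         # validity window, seconds since the Unix epoch
    ts_end: int
    signed_body: bytes    # resolver_pk || client_magic || serial || ts_start || ts_end


def parse_certificate(blob: bytes) -> Certificate:
    """Decode one certificate as carried in the provider's TXT record."""
    if len(blob) != CERT_LEN or blob[:4] != CERT_MAGIC:
        raise ValueError("not a DNSCrypt v2 certificate")
    es_version, minor = struct.unpack(">HH", blob[4:8])
    body = blob[72:]
    serial, ts_start, ts_end = struct.unpack(">III", body[40:52])
    return Certificate(es_version, minor, blob[8:72], body[:32], body[32:40],
                       serial, ts_start, ts_end, body)


def build_certificate(es_version: int, resolver_pk: bytes, client_magic: bytes,
                      serial: int, ts_start: int, ts_end: int,
                      sign: Callable[[bytes], bytes]) -> bytes:
    """Resolver side: encode a certificate; the signature covers the fields after it."""
    body = resolver_pk + client_magic + struct.pack(">III", serial, ts_start, ts_end)
    return CERT_MAGIC + struct.pack(">HH", es_version, 0) + sign(body) + body


def select_certificate(certs: Iterable[Certificate],
                       verify: Callable[[bytes, bytes], bool],
                       supported=(ES_XSALSA20POLY1305, ES_XCHACHA20POLY1305),
                       now: Optional[int] = None) -> Optional[Certificate]:
    """Client side: keep certificates that are supported, currently valid and
    correctly signed, then pick the one with the highest serial number."""
    now = int(time.time()) if now is None else now
    best = None
    for cert in certs:
        if cert.es_version not in supported:
            continue
        if not cert.ts_start <= now <= cert.ts_end:
            continue
        if not verify(cert.signature, cert.signed_body):
            continue
        if best is None or cert.serial > best.serial:
            best = cert
    return best


def pad_query(query: bytes, min_len: int = 256) -> bytes:
    """Append 0x80 then zero bytes so the length is a multiple of 64 bytes and
    at least min_len, hiding the real query size from an observer."""
    padded = query + b"\x80"
    target = max(min_len, -(-len(padded) // 64) * 64)
    return padded + b"\x00" * (target - len(padded))


def unpad_query(padded: bytes) -> bytes:
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("invalid padding")
    return stripped[:-1]


# Constructed sample data: hypothetical provider key and resolver keys.
NOW = 1_700_000_000
DAY = 86_400
PROVIDER_KEY = b"\x11" * 32  # hypothetical long-term provider secret


def demo_sign(body: bytes) -> bytes:
    # Stand-in for Ed25519: a 64-byte HMAC-SHA512 tag with the same field size.
    return hmac.new(PROVIDER_KEY, body, hashlib.sha512).digest()


def demo_verify(signature: bytes, body: bytes) -> bool:
    return hmac.compare_digest(signature, demo_sign(body))


SAMPLE_CERTS = [
    build_certificate(ES_XSALSA20POLY1305, b"\xa1" * 32, b"cmagic01", 1, NOW - DAY, NOW + DAY, demo_sign),
    build_certificate(ES_XCHACHA20POLY1305, b"\xa2" * 32, b"cmagic02", 2, NOW - DAY, NOW + DAY, demo_sign),
    build_certificate(ES_XCHACHA20POLY1305, b"\xa3" * 32, b"cmagic03", 3, NOW - 3 * DAY, NOW - DAY, demo_sign),  # expired
    build_certificate(99, b"\xa4" * 32, b"cmagic04", 4, NOW - DAY, NOW + DAY, demo_sign),  # unsupported version
    build_certificate(ES_XSALSA20POLY1305, b"\xa5" * 32, b"cmagic05", 5, NOW - DAY, NOW + DAY,
                      lambda body: b"\x00" * 64),  # forged: signature does not verify
]


def choose_sample_certificate(now: int = NOW) -> Optional[Certificate]:
    return select_certificate([parse_certificate(c) for c in SAMPLE_CERTS], demo_verify, now=now)


if __name__ == "__main__":
    chosen = choose_sample_certificate()
    print("chosen serial:", chosen.serial, "client magic:", chosen.client_magic)
    print("padded length of a 33-byte query:", len(pad_query(b"q" * 33)))
```

The forged certificate with the highest serial (5) is rejected because its signature does not verify, the expired and unsupported ones are skipped, and serial 2 wins over serial 1; in a real client the `verify` callback is Ed25519 verification with the provider's public key, and the chosen certificate's `client_magic` and `resolver_pk` feed the X25519 exchange and the header of every encrypted query.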
How is DNSCrypt different from DNSSEC?
DNSSEC does not encrypt DNS records. It lets the client verify, through signatures published by the zone owner, that a resolved IP address is authentic and has not been tampered with, but the response itself travels in clear, so anyone on the path can see what we are looking up. DNSCrypt, on the other hand, encrypts and authenticates the channel to the resolver but says nothing about the records themselves: a compromised or lying resolver can still return a wrong answer over a perfectly good DNSCrypt session.
Can DNSCrypt and DNSSEC be used together?
Yes, and using them together is the better option. DNSSEC assures the client that the resolved IP address is the one the zone owner published, and DNSCrypt's encryption and authentication keep an attacker on the path between client and resolver from reading or tampering with the exchange, so a Man-In-The-Middle attack on that hop fails as well.
So be aware of the security features available to you, so that you can protect yourself better. And stay safe, stay protected.