While the world slowly implements DNSSEC in the backbone of the Internet, OpenDNS has put forward its solution to securing the user side of DNS, with the preview version of a DNS encryption tool. DNSCrypt only works on Macs at the moment. According to OpenDNS, the idea is to encrypt all users’ DNS requests, preventing nasties …
As a bonus
It would stop those buggers who instantly register a domain name when you look to see if it is already taken and then attempt to gouge you.
Depends on whether OpenDNS does that, because your DNS query passing through the internet would leave no clue as to its actual requested contents.
DNS gougers, and general snoopers
Get yourself a dictionary file, have a script start randomly stringing domain names together and looking them up at a rate that won't get you in trouble with your ISP. The gougers will soon be stuffed even if they are only paying pennies on a domain name, and casual snoopers won't know what's real and what's not.
Same approach as using TrackMeNot: Why go under the radar when you can obliterate it with chaff?
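The "dictionary chaff" idea from the comment above, written out as an added example (not code from the thread, from OpenDNS, or from TrackMeNot). The word list is constructed inline as a stand-in for a dictionary file; the function names, the token-per-interval pacing, and the default rate are my own choices. The resolver and clock are injectable so the script can be run in dry-run mode without sending a single query, and the lookup path is only used when explicitly asked for. Note the caveat the thread itself raises: chaff confuses on-path snoopers and speculative registrars who watch query streams, but the resolver operator still sees every name you ask for.

```python
"""Chaff DNS lookups: string random dictionary words into domain names
and resolve them at a modest, fixed rate.

Added example; not part of the original thread. Names, defaults and the
sample word list are assumptions for illustration.
"""
import random
import socket
import sys
import time
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for a dictionary file such as /usr/share/dict/words.
SAMPLE_WORDS = ["apple", "river", "cloud", "stone", "maple",
                "quartz", "ember", "lunar", "pixel", "cobalt"]
TLDS = ["com", "net", "org"]
LABEL_MAX = 63  # RFC 1035: a single DNS label is at most 63 octets


def load_words(path: Optional[str] = None) -> List[str]:
    """Load a dictionary file, keeping only plain ASCII alphabetic words.
    With no path, fall back to the constructed sample list."""
    if path is None:
        return list(SAMPLE_WORDS)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = (w.strip().lower() for w in fh)
        return [w for w in words if w.isascii() and w.isalpha()]


def make_chaff_domain(words: List[str], rng: random.Random,
                      parts: int = 2, tlds: List[str] = TLDS) -> str:
    """Concatenate `parts` random words into one label and add a random TLD.
    Retry until the label fits the 63-octet limit, so every result is a
    syntactically valid hostname."""
    while True:
        label = "".join(rng.choice(words) for _ in range(parts))
        if 1 <= len(label) <= LABEL_MAX:
            return f"{label}.{rng.choice(tlds)}"


def resolve_name(name: str) -> Optional[str]:
    """Real lookup via the system resolver. Most chaff names do not exist,
    so NXDOMAIN (raised as gaierror) is the normal outcome and maps to None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def run_chaff(count: int, rate_per_sec: float,
              words: Optional[List[str]] = None, seed: Optional[int] = None,
              resolver: Optional[Callable[[str], Optional[str]]] = None,
              sleep: Callable[[float], None] = time.sleep,
              clock: Callable[[], float] = time.monotonic
              ) -> List[Tuple[str, Optional[str]]]:
    """Issue `count` chaff lookups, spacing them 1/rate_per_sec apart.
    `resolver`, `sleep` and `clock` are injectable for dry runs and tests.
    Returns a list of (name, answer) pairs."""
    rng = random.Random(seed)
    words = words or SAMPLE_WORDS
    resolver = resolver or (lambda _name: None)  # default: dry run, no traffic
    interval = 1.0 / rate_per_sec
    results: List[Tuple[str, Optional[str]]] = []
    next_at = clock()
    for _ in range(count):
        now = clock()
        if now < next_at:           # too early: pace the query
            sleep(next_at - now)
        name = make_chaff_domain(words, rng)
        results.append((name, resolver(name)))
        next_at = max(next_at, now) + interval
    return results


if __name__ == "__main__":
    # Usage: python chaff.py [count] [rate_per_sec] [--live] [dictfile]
    args = [a for a in sys.argv[1:] if a != "--live"]
    live = "--live" in sys.argv
    n = int(args[0]) if len(args) > 0 else 10
    rate = float(args[1]) if len(args) > 1 else 0.5   # one query per 2 s
    dictionary = load_words(args[2] if len(args) > 2 else None)
    for dom, ans in run_chaff(n, rate, words=dictionary,
                              resolver=resolve_name if live else None):
        print(f"{dom}\t{ans if ans else 'NXDOMAIN/dry-run'}")
```

Without `--live` nothing leaves the machine; with it, the script uses whatever resolver the OS is configured with, so the pacing default is deliberately slow (one query every two seconds) to stay well clear of any ISP or resolver rate limit.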
Fix other issues first
I'd like them to fix other issues before worrying about encryption. It's trivially easy ( http://www.esrun.co.uk/blog/hijacking-an-opendns-user/ ) to hijack an OpenDNS user and have all their DNS queries put through your own account!
This hack AFAICS is very, very limited. Using OpenDNS and being a registered OpenDNS user are very different things; most people using OpenDNS will not be registered users, they are simply using OpenDNS's resolvers, and so this "social hack" would not work for them. Add that most registered OpenDNS users (who are probably quite IT savvy in any case for using OpenDNS) would not follow a (phishing) link sent from just anyone, and the scope of this hack, as far as I can see, is very, very small.
The hack doesn't require that the user has an OpenDNS account; it simply requires that they're using OpenDNS.
Remember that it doesn't have to be used as a targeted attack. You could just put the code up on any busy website and hit any OpenDNS user who happens to access the website.
Bogus argument. One out of three schools in the USA uses OpenDNS. It is often superimposed by administrators. Also, the hack described works regardless of whether you are a registered user or not; it only requires you to use OpenDNS's resolvers. Only the attacker is required to be a registered user.
"such as would be mandated by any government seeking to block citizens’ access to a particular class of Website, whether over concerns about decency or piracy"
Is that really what they are proposing? Just how hard would it be to pass on ip addresses of blocked sites down other channels (including old-fashioned paper samizdat)?
I'm starting to wonder: if DNS didn't already exist, would we bother to invent it? We manage to use the telephone system fine with just numeric addresses. No global distributed directory, just various uncoordinated look-up tables with various degrees of localisation, specialisation and automation.
DNS vs Telephones
I'd guess, given the chance, the telcos would love to (charge for) a phone equivalent to DNS
The telephone system, in the form of phone directories, associates a name with a number. DNS does the same thing. A phone directory with just a list of numbers and no names is fairly useless.