DNSCrypt

(20) 3.575

Encrypt DNS traffic.   Free
What's New
Version 0.19:
  • dnscrypt-proxy has been updated to version 1.2.0.
  • Detection of IPv6 connectivity is now faster and more reliable.
  • AAAA queries are filtered out on networks with no IPv6 connectivity in order to significantly reduce latency.
Requirements
  • Intel, 64-bit processor
  • Mac OS X 10.6 or later
  • 64-bit processor



DNSCrypt User Discussion
Fred Brock reviewed on 30 Mar 2014
The developer has pulled this software for security concerns, but users were not notified! See the following:

Note from jedisct1 (the developer, apparently), dated 10/18/2013 on the OpenDNS support forum, here: "https://support.opendns.com/entries/22495514-DNSCrypt-always-overrides-PPTP-DNS-Mac-OSX".

"The OSX GUI is abandoned. dnscrypt-proxy < 1.3.3 has a vulnerability and these versions should not be used any more. I don't remember which version the OSX GUI ships with, but it's vulnerable for sure.

I might update the OSX GUI at some point, but until then, you should use dnscrypt-proxy alone."

October 16, 2013 11:02

My note to OpenDNS Support:
Shouldn't you have sent out a message to users if this is a known vulnerability?? If nothing else, clicking the "Check for updates" option in the OpenDNS GUI could say "DANGER...UNINSTALL!!" instead of always saying "You're up-to-date!"
[Version 0.19]

1 Reply


-34
artie505 replied on 02 Apr 2014
v 0.19 is still available from the dev's site, so I'm not sure what's up.

+229
bbw7 commented on 05 Jun 2013
Current MU link gets "access denied" error. Download is available via dev's site.
[Version 0.19]



+23

Markh reviewed on 22 Jan 2013
As near as I can tell (from Little Snitch and examining my outbound traffic), this works beautifully. The concept is excellent, and since it's from OpenDNS, I trust its inner workings.
[Version 0.19]


+2

+397
Derekcurrie commented on 28 Sep 2012
I posted a note recently under the 'Troubleshooting' tab about version 0.16b. It was nasty buggy. Meanwhile, the OpenDNS.org site ONLY provides version 0.10b, including today. v0.10 actually works. Also, when you ask 0.10b to find new versions, it reports back that I currently have the most recent version.

I've written to the folks at OpenDNS about this situation and heard back from them the following:
~~~~~~~~

Hi,

We have not yet released an official version of the DNSCrypt and the github.com repository (https://github.com/opendns/dnscrypt-osx-client/downloads) contains releases that may not be stable, but users are welcome to download and use. Once there is a stable version, it will be available both on our site (http://www.opendns.com/technology/dnscrypt/) and through the DNSCrypt client.

-Dominic
OpenDNS Support
~~~~~~~

IOW: At this time, OpenDNS.org is ONLY recommending 0.10b, whereas more recent versions at github are going to be buggy beta tests, you're on your own. v0.10b will report a recommended update when one becomes available.

From my lousy experience with 0.16b and the fact that I'm currently burned out from beta testing, I'm sticking with v0.10b. Unless you're into the rigors of beta testing, I'd recommend sticking with v0.10b as well.
[Version 0.17]

1 Reply

+1

+3
jedisct1 replied on 29 Sep 2012
The problems you had were caused by the fact that you are using a static configuration instead of DHCP.

0.17 introduces support for static DNS, and it has been done specifically for you. Just enter your static DNS in the first field of the Advanced Preferences tab.

Versions up to 0.10 were a proof of concept. They worked fine for users with a static configuration, that are not roaming, are not using a VPN, are not using broken routers and are not using software that doesn't cope well with invalid DNS packets. DNSCrypt was still in beta and the related user interface was really just a convenient way for people to test it on a Mac.

That just didn't work for everybody else. After 8 months of inactivity, the code was abandoned. 0.12 was a rewrite from scratch, after DNSCrypt went out of beta. Support for static configurations was delayed, in order to focus on DHCP, good support of captive portals and other features testers had suggested.

0.17 tries to support both static and DHCP configurations. So, give it a spin.

+7

ScienceGuy reviewed on 20 Sep 2012
Little Snitch reports a large number of different connection attempts from dnscrypt to various (non-obvious) sites and ports (5005 5007 etc), none of which appear to be documented on the OpenDNS site or at least easily found. I'm going to uninstall until I find out where and how dnscrypt thinks it is connecting. Under version 0.10 dnscrypt was pretty simple in its outbound connections. But not now.

For security software I expect more documentation. Also to not include an uninstaller for software of this nature is inexcusable. These are by no means fatal problems and should be pretty easy for the dnscrypt team to remedy.
[Version 0.16]

3 Replies

-1

+3
jedisct1 replied on 20 Sep 2012
These connections to ports 5005, etc. are local connections, to 127.0.0.*, not to a remote server. Little Snitch 3 doesn't seem to properly handle local connections and shell scripts. Please submit a bug report to the Little Snitch authors, so that it gets fixed in a future version.

There is plenty of documentation, and the source code of dnscrypt and of the user interface are available. See http://dnscrypt.org for details.

And there is an uninstaller, available in the same directory as the user interface itself: https://github.com/opendns/dnscrypt-osx-client/downloads
+2

+7
ScienceGuy replied on 21 Sep 2012
The issue with dnscrypt is not with Little Snitch properly handling local connections. It is with the lack of proper documentation that does not require going through the dnscrypt code - that is developer hubris to consider that documentation. Same with not bundling an uninstaller with the package. Again hubris to expect users to know to look on github for an uninstaller.
+2

+3
jedisct1 replied on 21 Sep 2012
Hi ScienceGuy,

Thanks for suggesting bundling the uninstaller with the package. I just added this. The preference pane now has a button to directly uninstall everything (this is the change: http://sk.tl/yDa.sQ - it will be in 0.17).

I'd be glad to add documentation on how to avoid Little Snitch 3 displaying many alert boxes when using the dnscrypt user interface. However, I haven't been able to work around this either. The bug has been reported to the Little Snitch authors and there is a thread on their forum.
Until this is fixed, the dnscrypt user interface and Little Snitch 3 should not be used together. I will add a check in the dnscrypt user interface to abort the installation if Little Snitch is detected.

Thanks for your input.
+1

+71

Madmacmad reviewed on 11 Sep 2012
Works !!!!
No Problems so far 10.8.1
can really recommend it !!!
[Version 0.15]


-4

-4

P.S.-Gregory reviewed on 28 Aug 2012
Doesn't work
[Version 0.14]


+1

+1

DJCAUSTIN reviewed on 22 Aug 2012
The update caused multiple kernel panics on my Mac Pro running OS X Lion.

Uninstalling and reinstalling the older version resolved the issue.
[Version 0.14]

1 Reply


+3
jedisct1 replied on 23 Aug 2012
If running simple shell scripts (see https://github.com/opendns/dnscrypt-osx-client/tree/master/DNSCrypt-Preference-Pane/DNSCrypt/extra/usr/scripts for these) is causing kernel panics, there's something really bad with your systems beyond dnscrypt.
-1

-17
Shk747 commented on 17 Aug 2012
Why nothing via update directly from the app?!
[Version 0.14]


-2

-39

Surfspirit reviewed on 17 Aug 2012
While this utility is definitely needed these days, DNSCrypt 0.14 is not ready. It also lacks 32-bit support and it has no easy uninstall. I also have my doubts about privacy concerns with the DNS Crypt company.
[Version 0.14]

3 Replies


+3
jedisct1 replied on 17 Aug 2012
There's a very easy way to uninstall this user interface: run the Uninstall script available at the same place: https://github.com/opendns/dnscrypt-osx-client/downloads

+3
jedisct1 replied on 17 Aug 2012
Versions > 0.11 of the user interface don't use ARC any more, so they might work on 32 bit CPUs.

+3
jedisct1 replied on 13 Nov 2012
There is a 32 bit version available for testing: http://opendns.github.com/dnscrypt-osx-client/

I don't have a 32 bit machine, so confirmation that it works/doesn't work would be more than welcome.

+397
Derekcurrie had trouble on 24 Sep 2012
My Advice: Stick with version 0.10 for now.

I've been attempting to use DNSCrypt v0.16 (the current version over at GitHub) and finding it to be buggy, unreliable and unfinished. I've ended up having to change the Network System Preferences pane DNS servers by hand to OpenDNS.

Then I discovered that the ONLY version of DNSCrypt being offered at OpenDNS.org is v0.10, which actually works properly but is from last January and doesn't have the half-baked features of v0.16. Also, when I have v0.10 check for a new version, it reports that there aren't any! I thought this must be a bug, but maybe the feedback is intentional.

So, I've written to OpenDNS.org via their 'Preview Feedback' tab for guidance as to what version is meant for public testing. I have to wonder if v0.16 is intended to be an 'alpha' release, not worthy of beta testing. It certainly acts that way. Having installed v0.10 again and returned to functionality, I'm certainly not going back to v0.16 again.

If I hear back from OpenDNS about this situation, I'll post here.

If you'd like to play with both versions, here are the URLs:

Latest GitHub version:
https://github.com/opendns/dnscrypt-osx-client

Current version offered at OpenDNS.org:
http://www.opendns.com/technology/dnscrypt
[Version 0.16]



+10

Cyril-Howard rated on 22 Jul 2013

[Version 0.19]



Mclark rated on 04 Jun 2013

[Version 0.19]



+23

Markh rated on 22 Jan 2013

[Version 0.19]



+3

jedisct1 rated on 28 Sep 2012

[Version 0.17]



Dampier rated on 28 Sep 2012

[Version 0.17]



Bradk19 rated on 20 Sep 2012

[Version 0.16]



+41

Ythara rated on 19 Sep 2012

[Version 0.15]



+3

jedisct1 rated on 10 Sep 2012

[Version 0.15]



-39

Surfspirit rated on 10 Sep 2012

[Version 0.15]



+23

Markh rated on 22 May 2012

[Version 0.10]


Downloads: 10,225
Version Downloads: 4,054
Type: Internet : Internet Utilities
License: Free
Date: 13 Oct 2012
Platform: Intel 64 / OS X
Price: Free (0.00)
DNSCrypt encrypts and authenticates your site's DNS traffic.

DNS is one of the fundamental building blocks of the Internet. It's used any time you visit a website, send an email, have an IM conversation or do anything else online. While OpenDNS has provided world-class security using DNS for years, and OpenDNS is the most secure DNS service available, the underlying DNS protocol has not been secure enough for our comfort. Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).

That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak -- particularly in the "last mile." The "last mile" is the portion of your Internet connection between your computer and your ISP. DNSCrypt is our way of securing the "last mile" of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol.

There have been numerous examples of tampering, or man-in-the-middle attacks, and snooping of DNS traffic at the last mile and it represents a serious security risk that we've always wanted to fix. Today we can.

Why is DNSCrypt so significant?

In the same way that SSL turns HTTP Web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work; it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don't work in the security world, however, so we've opened up the source to our DNSCrypt code base and it's available on GitHub.

