Introduction to DNSCurve
DNSCurve uses high-speed high-security elliptic-curve cryptography
to drastically improve every dimension of DNS security:
- Confidentiality:
DNS requests and responses today are completely unencrypted
and are broadcast to any attacker who cares to look.
DNSCurve encrypts all DNS packets.
- Integrity:
DNS today uses "UDP source-port randomization" and "TXID randomization"
to create some speed bumps for blind attackers,
but a patient blind attacker can guess through the roughly 2^32 port/TXID combinations,
and a sniffing attacker simply reads the port and TXID off the wire and forges DNS records at will.
DNSCurve cryptographically authenticates all DNS responses,
so forged DNS packets are detected and discarded instead of being accepted.
- Availability:
DNS today has no protection against denial of service.
A sniffing attacker can disable all of your DNS lookups
by sending just a few forged packets per second.
DNSCurve very quickly recognizes and discards forged packets,
so attackers have much more trouble preventing DNS data from getting through.
Protection is also needed for SMTP, HTTP, HTTPS, etc.,
but protecting DNS is the first step.
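The following is an added example, not code from the DNSCurve page or project, that makes the Integrity and Availability points above concrete. It builds two toy resolvers: a "legacy" one that accepts any reply matching an outstanding (source port, TXID) pair, and an "authenticated" one that binds each reply to a fresh per-query nonce with a keyed authenticator. A sniffer who sees the query forges a reply against both. HMAC over a pre-shared key stands in for DNSCurve's elliptic-curve authenticated encryption; the packet layout, the `AuthenticatedResolver` class, and the addresses are assumptions of this example, not the DNSCurve wire format.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed example: HMAC under a pre-shared key stands in for DNSCurve's
# elliptic-curve authenticated encryption.  The packet format is a minimal
# hand-built DNS message, not the DNSCurve wire format.


def build_query(txid, name):
    """Minimal DNS query: 12-byte header, one A/IN question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ipv4):
    """Answer `query` with one A record, echoing its TXID and question section."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, ANCOUNT=1
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata  # name ptr, A, IN, TTL, RDLEN
    return header + query[12:] + rr


def txid_of(pkt):
    return struct.unpack(">H", pkt[:2])[0]


def answer_ip(pkt):
    """Read the A record's address from a response built by build_response."""
    return ".".join(str(b) for b in pkt[-4:])


class LegacyResolver:
    """Today's DNS: any reply whose (source port, TXID) matches a pending query is accepted."""

    def __init__(self):
        self.pending = {}  # (port, txid) -> name

    def send(self, name):
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)  # blind guess space is only ~2^32
        self.pending[(port, txid)] = name
        return port, build_query(txid, name)

    def receive(self, port, pkt):
        name = self.pending.pop((port, txid_of(pkt)), None)
        return answer_ip(pkt) if name is not None else None


class AuthenticatedResolver:
    """Each query carries a fresh nonce; a reply is accepted only with a valid
    tag over nonce || packet.  A sniffer learns the nonce but not the key."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # nonce -> name

    def send(self, name):
        nonce = secrets.token_bytes(12)
        self.pending[nonce] = name
        return nonce, build_query(secrets.randbelow(1 << 16), name)

    def receive(self, nonce, pkt, tag):
        if nonce not in self.pending:
            return None  # unknown or already-answered nonce
        expected = hmac.new(self.key, nonce + pkt, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forgery: discarded cheaply, query stays outstanding
        del self.pending[nonce]
        return answer_ip(pkt)


def authenticated_server_reply(key, nonce, query, ipv4):
    """The legitimate server answers and tags the reply under the shared key."""
    pkt = build_response(query, ipv4)
    return pkt, hmac.new(key, nonce + pkt, hashlib.sha256).digest()


def sniffing_attack():
    """A sniffer sees every query and races the real server with a forged reply.
    Returns (legacy forged, legacy genuine-after-forgery,
             authenticated forged, authenticated genuine-after-forgery)."""
    key = secrets.token_bytes(32)  # in DNSCurve this would come from the key exchange
    legacy, secure = LegacyResolver(), AuthenticatedResolver(key)

    port, q = legacy.send("example.com")  # sniffer records the port and TXID
    legacy_forged = legacy.receive(port, build_response(q, "6.6.6.6"))
    legacy_genuine = legacy.receive(port, build_response(q, "93.184.216.34"))

    nonce, q2 = secure.send("example.com")  # sniffer records the nonce too
    forged = build_response(q2, "6.6.6.6")
    bogus_tag = hmac.new(b"attacker-guess", nonce + forged, hashlib.sha256).digest()
    secure_forged = secure.receive(nonce, forged, bogus_tag)
    pkt, tag = authenticated_server_reply(key, nonce, q2, "93.184.216.34")
    secure_genuine = secure.receive(nonce, pkt, tag)

    return legacy_forged, legacy_genuine, secure_forged, secure_genuine


if __name__ == "__main__":
    print(sniffing_attack())
```

Against the legacy resolver the sniffer's forgery wins outright, and because it consumes the pending entry the genuine answer that arrives afterwards is thrown away; this is the denial-of-service case described above, costing the attacker one packet per lookup. Against the authenticated resolver the forgery fails the tag check and is dropped without disturbing the outstanding query, so the genuine reply still gets through.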
Despite its extremely high level of security,
DNSCurve is very easy for software authors to implement,
and very easy for administrators to deploy.
DNSCurve is part of a larger project to encrypt and authenticate all Internet packets.
The techniques used in DNSCurve are easily adapted to other Internet protocols.
Version
This is version 2009.06.22 of the index.html web page.