The Domain Name System (DNS) translates the easy-to-remember web addresses we are familiar with into their ‘true’ numerical IP addresses: for example, the domain name www.bestvpn.com resolves to the IP address 188.8.131.52.
By default this translation is performed by your ISP’s DNS servers, which means your ISP can easily keep track of the websites you visit. Even when using a VPN, a DNS leak can mean that your ISP, rather than your VPN provider, handles some of these DNS requests, which compromises your privacy.
We therefore recommend changing your default DNS servers to those run by a neutral third party such as OpenDNS or Comodo. Instructions for doing this in Windows can be found in our article on DNS leakage.
Unfortunately, DNS was not built with security in mind and is vulnerable to a number of attacks. The most important of these is a ‘man-in-the-middle’ attack known as DNS spoofing (or DNS cache poisoning), in which the attacker intercepts a DNS request and redirects it. This could, for example, send a legitimate request for a banking service to a ‘spoof’ website designed to collect account details and passwords from unsuspecting victims.
This has prompted the fine chaps at OpenDNS to develop DNSCrypt, a lightweight program that encrypts ‘all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks’.
Using Curve25519 elliptic-curve cryptography, DNSCrypt is available for Windows and OS X and, although still in ‘preview release’ stage, is considered stable.
If you prefer stability over security, make sure that you check ‘Fall back to insecure DNS’ in the Control Center, which lets queries fall back to plain, unencrypted DNS whenever the encrypted service cannot be reached.
DNSCrypt does not replace DNSSEC (a system of server-side security extensions that authenticates DNS data but does not provide any form of encryption), but is complementary to it.
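To make the spoofing risk described above concrete, here is an added Python example (not code from this article, from OpenDNS or from DNSCrypt) that builds a plain DNS query over the wire format, builds a constructed reply, and applies the only checks an unprotected resolver can make: a matching 16-bit transaction id, the QR bit, and an echoed question section. The hostname and address are the ones quoted in the article; everything else is constructed for the example.

```python
import secrets
import struct

def encode_name(name):
    # "www.bestvpn.com" -> b"\x03www\x07bestvpn\x03com\x00" (RFC 1035 label format)
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid=None):
    txid = secrets.randbelow(0x10000) if txid is None else txid     # 16-bit transaction id
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # flags: RD set; one question
    return header + encode_name(name) + struct.pack(">HH", 1, 1)     # QTYPE A, QCLASS IN

def build_a_response(query, ipv4):
    # Constructed reply: same id, QR/RD/RA flags, echoed question, one A record (name via pointer to 12).
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr

def parse_name(data, offset):
    # Decode a (possibly compressed) name; returns (name, offset just past it).
    labels = []
    while (length := data[offset]) != 0:
        if length & 0xC0 == 0xC0:                                      # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            return ".".join(labels + [parse_name(data, pointer)[0]]), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset + 1

def response_matches(query, response):
    # Accept a reply only if its id, QR bit, question count and echoed question match our query.
    if (len(response) < 12 or response[:2] != query[:2]
            or not response[2] & 0x80 or response[4:6] != query[4:6]):
        return False
    qname, qoff = parse_name(query, 12)
    rname, roff = parse_name(response, 12)
    return qname.lower() == rname.lower() and query[qoff:qoff + 4] == response[roff:roff + 4]

def answer_ips(response):
    # Walk the answer section and return every A record as a dotted-quad string.
    ancount, off = struct.unpack(">H", response[6:8])[0], parse_name(response, 12)[1] + 4
    ips = []
    for _ in range(ancount):
        off = parse_name(response, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off + 10:off + 14]))
        off += 10 + rdlen
    return ips
```

Any datagram whose id and question happen to match passes these checks whatever address it carries, which is the gap that DNSCrypt's encryption (and DNSSEC's signatures) exist to close.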