[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Yet another Quadruple DNS?

On Thu, Mar 29, 2018 at 09:08:38AM -0500,
 Chris Adams <cma at cmadams.net> wrote 
 a message of 12 lines which said:

> I've never really understood this - if you don't trust your ISP's
> DNS, why would you trust them not to transparently intercept any
> well-known third-party DNS?

Technically, tweaking your DNS resolver to lie (and/or to log) is much
easier and faster (and waaaaay less expensive) than setting up a
packet interception and rewriting device at line rate.

You're right, it is technically possible to "transparently intercept
any well-known third-party DNS". Two main ways, a routing trick (like
the one used in Turkey against Google Public DNS
which is simple, and packet-level interception devices like in China
which is not for the ordinary ISP.

That's why public DNS resolvers are not really a solution against
strong adversaries *unless* you authenticate and encrypt the
connection. Quad9 allows that

Public DNS resolvers still help against "ordinary" adversaries. (If
your ennemy is the NSA, you have other problems, anyway.)