Yet another Quadruple DNS?

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Mar 29 14:32:18 UTC 2018


On Thu, Mar 29, 2018 at 09:08:38AM -0500,
 Chris Adams <cma at cmadams.net> wrote 
 a message of 12 lines which said:

> I've never really understood this - if you don't trust your ISP's
> DNS, why would you trust them not to transparently intercept any
> well-known third-party DNS?

Technically, tweaking your DNS resolver to lie (and/or to log) is much
easier and faster (and waaaaay less expensive) than setting up a
packet interception and rewriting device at line rate.

You're right, it is technically possible to "transparently intercept
any well-known third-party DNS". Two main ways, a routing trick (like
the one used in Turkey against Google Public DNS
<https://labs.ripe.net/Members/emileaben/a-ripe-atlas-view-of-internet-meddling-in-turkey>)
which is simple, and packet-level interception devices like in China
<https://labs.ripe.net/Members/pk/denic-case-study-using-ripe-atlas>,
which is not for the ordinary ISP.

That's why public DNS resolvers are not really a solution against
strong adversaries *unless* you authenticate and encrypt the
connection. Quad9 allows that
<https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security>.

Public DNS resolvers still help against "ordinary" adversaries. (If
your enemy is the NSA, you have other problems, anyway.)
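Added example, not part of the post above: what "authenticate and encrypt the connection" looks like in code. It encodes a plain RFC 1035 query, frames it for DNS-over-TLS (RFC 7858, 2-byte length prefix on port 853) and opens the TLS session with certificate-chain and hostname verification, so a routing hijack of 9.9.9.9 of the kind seen in Turkey fails the handshake instead of silently answering. The Quad9 parameters (9.9.9.9, dns.quad9.net, port 853) are taken from Quad9's published DoT settings; the response used in the offline demo is constructed test data on a TEST-NET address, not captured traffic.

```python
import secrets
import socket
import ssl
import struct
from typing import List, Optional

QTYPE_A, QCLASS_IN = 1, 1
DOT_PORT = 853


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (RD=1)."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Check the response header and return the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858: each DNS message on the TLS stream carries a 16-bit length prefix."""
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated DoT frame")
    return stream[2:2 + length]


def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Fake answer to `query` for offline testing (constructed data, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, RCODE 0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ipv4)
    return header + query[12:] + answer


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server_ip: str = "9.9.9.9",
                     server_name: str = "dns.quad9.net", timeout: float = 5.0) -> List[str]:
    """Resolve `name` over DNS-over-TLS, authenticating the resolver before sending anything.

    A router that hijacks 9.9.9.9 can accept the TCP connection, but it cannot present a
    certificate for dns.quad9.net that chains to a trusted CA, so wrap_socket() raises
    and the query never reaches the impostor.
    """
    txid = secrets.randbelow(1 << 16)
    ctx = ssl.create_default_context()           # CA chain verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(dot_frame(build_query(name, QTYPE_A, txid)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_a_records(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    import sys
    q = build_query("example.com", QTYPE_A, 0x1234)
    print(parse_a_records(dot_unframe(dot_frame(constructed_response(q, "192.0.2.1"))), 0x1234))
    if len(sys.argv) > 1:                          # live DoT query only when a name is given
        print(resolve_over_tls(sys.argv[1]))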



