Yet another Quadruple DNS?

Stephane Bortzmeyer bortzmeyer at
Thu Mar 29 14:32:18 UTC 2018

On Thu, Mar 29, 2018 at 09:08:38AM -0500,
 Chris Adams <cma at> wrote 
 a message of 12 lines which said:

> I've never really understood this - if you don't trust your ISP's
> DNS, why would you trust them not to transparently intercept any
> well-known third-party DNS?

Technically, tweaking your DNS resolver to lie (and/or to log) is much
easier and faster (and waaaaay less expensive) than setting up a
packet interception and rewriting device at line rate.

You're right, it is technically possible to "transparently intercept
any well-known third-party DNS". Two main ways: a routing trick (like
the one used in Turkey against Google Public DNS), which is simple,
and packet-level interception devices like in China, which is not for
the ordinary ISP.

That's why public DNS resolvers are not really a solution against
strong adversaries *unless* you authenticate and encrypt the
connection. Quad9 allows that.

Public DNS resolvers still help against "ordinary" adversaries. (If
your enemy is the NSA, you have other problems, anyway.)
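
An added example, not code from this thread, of what "authenticate and encrypt the connection" means for a client: a minimal DNS-over-TLS query where the resolver's certificate is validated against its name, so a box answering on the resolver's address without its key fails the TLS handshake instead of returning a forged answer. It assumes Quad9's DoT service at 9.9.9.9, TCP port 853, certificate name dns.quad9.net (an assumption, not stated in the post); the wire-format builder and parser work offline, only resolve_over_tls needs network access.

```python
import socket, ssl, struct

# Added example, not code from the original post. Assumes Quad9's DNS-over-TLS
# service: 9.9.9.9, TCP port 853, certificate name dns.quad9.net.
RESOLVER_IP, RESOLVER_PORT, RESOLVER_NAME = "9.9.9.9", 853, "dns.quad9.net"
TXID = 0x1234  # fixed transaction id; fine for a one-shot query

def build_query(qname):
    """Wire-format A query, prefixed with the 2-byte length used by DNS over TCP/TLS."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(resp, pos):
    while True:  # advance past a domain name, compressed or not
        n = resp[pos]
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if n == 0:
            return pos + 1
        pos += n + 1

def parse_a_answers(resp):
    """IPv4 addresses in the ANSWER section of a reply (length prefix already removed)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != TXID or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(qname):
    """Query over TLS; the certificate must chain to a trusted CA and carry RESOLVER_NAME."""
    ctx = ssl.create_default_context()  # an interceptor without Quad9's key fails here
    with socket.create_connection((RESOLVER_IP, RESOLVER_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=RESOLVER_NAME) as tls:
        tls.sendall(build_query(qname))
        f = tls.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))  # read exactly the framed reply
        return parse_a_answers(f.read(length))
```

Plain UDP port 53 has no equivalent check: a resolver reached that way can be swapped by anyone on the path, which is the point the message above makes.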

More information about the NANOG mailing list