Yet another Quadruple DNS?
bortzmeyer at nic.fr
Thu Mar 29 14:32:18 UTC 2018
On Thu, Mar 29, 2018 at 09:08:38AM -0500,
Chris Adams <cma at cmadams.net> wrote
a message of 12 lines which said:
> I've never really understood this - if you don't trust your ISP's
> DNS, why would you trust them not to transparently intercept any
> well-known third-party DNS?
Technically, tweaking your DNS resolver to lie (and/or to log) is much
easier and faster (and waaaaay less expensive) than setting up a
packet interception and rewriting device at line rate.
You're right, it is technically possible to "transparently intercept
any well-known third-party DNS". Two main ways: a routing trick (like
the one used in Turkey against Google Public DNS), which is simple,
and packet-level interception devices like in China, which is not for
the ordinary ISP.
That's why public DNS resolvers are not really a solution against
strong adversaries *unless* you authenticate and encrypt the
connection. Quad9 allows that.
Public DNS resolvers still help against "ordinary" adversaries. (If
your enemy is the NSA, you have other problems, anyway.)
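The authenticated-and-encrypted connection the reply refers to, as an added example that is not part of the post: a minimal DNS-over-TLS (RFC 7858) client whose TLS context verifies the server's certificate against the name on it, so an interception device that cannot present a valid certificate for that name breaks the handshake rather than returning a forged answer. The Quad9 address `9.9.9.9`, the certificate name `dns.quad9.net` and the sample response bytes are assumptions and constructed values, not taken from the post.

```python
import socket
import ssl
import struct

QUAD9_IP, QUAD9_TLS_NAME, DOT_PORT = "9.9.9.9", "dns.quad9.net", 853  # assumed, not from the post

def build_query(name, qtype=1, txid=0x1234):
    # Minimal RFC 1035 query: header with RD set, one question, class IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, pos):
    # Advance past a domain name: label sequence, compression pointer, or a mix.
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(response, txid=0x1234):
    # Return IPv4 addresses from the answer section; reject a mismatched id.
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(response, pos) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_over_tls(name):
    # RFC 7858: TLS on port 853, each DNS message prefixed with a 2-byte length.
    # create_default_context() verifies the chain and the server name, so an
    # intercepting middlebox without a valid certificate fails the handshake.
    ctx = ssl.create_default_context()
    q = build_query(name)
    with socket.create_connection((QUAD9_IP, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=QUAD9_TLS_NAME) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (rlen,) = struct.unpack("!H", tls.recv(2))
            resp = b""
            while len(resp) < rlen:
                resp += tls.recv(rlen - len(resp))
    return parse_a_records(resp)
```

`query_over_tls("example.com")` needs network access to 9.9.9.9:853; `build_query` and `parse_a_records` work offline on raw message bytes.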