Re: Hackers hijack 300, 000-plus wireless routers, make malicious changes | Ars Technica

[Jimmy Hess <mysidia () gmail com>]

On Tue, Mar 4, 2014 at 12:33 PM, Ian McDonald <iam () st-andrews ac uk> wrote:

> Until the average user's cpe is only permitted to use the resolvers one
> has provided as the provider (or otherwise decided are OK), this is going
> to be a game of whackamole.


No.   That is still just treating symptoms, and not the disease.
This also creates an unacceptable annoyance for the most slightly technical
user who needs to troubleshoot any DNS problems  with their domains.

When the ISP's nameservers are blocked,  the script kiddies will set up a
tunnel,  or configure the DNS client to use a different UDP port number for
DNS resolution,   or adjust the router firmware   to  run tcpdump and
upload  session data to/from interesting web destinations,   to a hostname
on port 80.

--
-JH