nanog mailing list archives
Re: Yet another Quadruple DNS?
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Thu, 29 Mar 2018 16:32:18 +0200
On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams <cma () cmadams net> wrote a message of 12 lines which said:
> I've never really understood this - if you don't trust your ISP's DNS, why would you trust them not to transparently intercept any well-known third-party DNS?
Technically, tweaking your DNS resolver to lie (and/or to log) is much easier and faster (and waaaaay less expensive) than setting up a packet interception and rewriting device at line rate.

You're right, it is technically possible to "transparently intercept any well-known third-party DNS". Two main ways, a routing trick (like the one used in Turkey against Google Public DNS <https://labs.ripe.net/Members/emileaben/a-ripe-atlas-view-of-internet-meddling-in-turkey>) which is simple, and packet-level interception devices like in China <https://labs.ripe.net/Members/pk/denic-case-study-using-ripe-atlas>, which is not for the ordinary ISP.

That's why public DNS resolvers are not really a solution against strong adversaries *unless* you authenticate and encrypt the connection. Quad9 allows that <https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security>.

Public DNS resolvers still help against "ordinary" adversaries. (If your enemy is the NSA, you have other problems, anyway.)