You forgot the most important requirement, you have to be using insecure, unpatched DNS code (old versions of BIND, old versions of Windows, etc). If you use modern DNS code and which only follows trustworthy pointers from the root down, you won't get hooked by this. A poisoned DNS cache is irrelevant if your resolver never queries servers with poisoned caches. If you do, you should fix the your code. On the other hand, there are a lot of reasons why a DNS operator may return different answers to their own users of their resolvers. Reverse proxy caching is very common. Just about all WiFi folks use cripple DNS as part of their log on. Or my favorite, quarantining infected computers to get the attention of their owners. But it shouldn't matter what other DNS operators do, as long as your DNS code doesn't use them to resolve names without a pointer from the root (although you may not be able to log on to some WiFi hotspots). Why Microsoft didn't make "Secure cache against pollution" the default setting, I don't know.