On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams <cma@cmadams.net> wrote a message of 12 lines which said:
> I've never really understood this - if you don't trust your ISP's DNS, why would you trust them not to transparently intercept any well-known third-party DNS?
Technically, tweaking your DNS resolver to lie (and/or to log) is much easier and faster (and waaaaay less expensive) than setting up a packet interception and rewriting device at line rate. You're right, it is technically possible to "transparently intercept any well-known third-party DNS". There are two main ways: a routing trick (like the one used in Turkey against Google Public DNS <https://labs.ripe.net/Members/emileaben/a-ripe-atlas-view-of-internet-meddling-in-turkey>), which is simple, and packet-level interception devices like in China <https://labs.ripe.net/Members/pk/denic-case-study-using-ripe-atlas>, which are not for the ordinary ISP.

That's why public DNS resolvers are not really a solution against strong adversaries *unless* you authenticate and encrypt the connection. Quad9 allows that <https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security>. Public DNS resolvers still help against "ordinary" adversaries. (If your enemy is the NSA, you have other problems, anyway.)
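Added example, not part of the message above and not Quad9's code: a minimal DNS-over-TLS client (RFC 7858) in Python that shows what "authenticate and encrypt the connection" buys you against the routing trick described above. The resolver address 9.9.9.9, port 853 and TLS name dns.quad9.net are taken from Quad9's public service description, not from this thread; the wire-format response bytes used for the offline check are constructed here for illustration.

```python
import random
import socket
import ssl
import struct

QUAD9_IP = "9.9.9.9"            # assumption: Quad9's public anycast address
QUAD9_TLS_NAME = "dns.quad9.net"  # assumption: name on Quad9's DoT certificate
DOT_PORT = 853                  # DNS over TLS port (RFC 7858)


def build_query(qname, qtype=1, txid=None):
    """Encode a DNS query in RFC 1035 wire format: 12-byte header + one question."""
    if txid is None:
        txid = random.getrandbits(16)
    # flags 0x0100: QR=0 (query), RD=1 (recursion desired); QDCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_tcp(msg):
    """DNS over TCP (and therefore TLS) prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def parse_name(data, offset):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = parse_name(data, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(resp, expected_txid):
    """Return (rcode, [A records]) and reject responses that do not match our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    offset = 12
    for _ in range(qd):                  # skip the echoed question section
        _, offset = parse_name(resp, offset)
        offset += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = parse_name(resp, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:    # A record
            answers.append(socket.inet_ntoa(rdata))
    return flags & 0x000F, answers


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(qname, server_ip=QUAD9_IP, server_name=QUAD9_TLS_NAME, port=DOT_PORT, timeout=5.0):
    """Resolve qname over DNS-over-TLS, authenticating the resolver by its certificate."""
    # create_default_context() verifies the chain against the system trust store and
    # checks that the certificate matches server_name. A route hijack that sends
    # 9.9.9.9 to someone else's box fails here with ssl.SSLCertVerificationError
    # unless that box holds a valid certificate for dns.quad9.net.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(query))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_response(recv_exact(tls, length), txid)


# Constructed response (not captured traffic): answers "example.com A 93.184.216.34",
# txid 0x1234, flags 0x8180 (QR=1, RD=1, RA=1, RCODE=0), with a compressed owner name.
CONSTRUCTED_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 5db8d822"
)


def demo_offline():
    """Parse the constructed response the way the TLS client would."""
    return parse_response(CONSTRUCTED_RESPONSE, 0x1234)


if __name__ == "__main__":
    print("offline parse:", demo_offline())
    print("live DoT query:", query_over_tls("example.com"))
```

The cleartext alternative (a UDP query to the same 9.9.9.9) would accept whatever a hijacked route hands back; the TLS version refuses to even send the query unless the peer proves it is dns.quad9.net. Note that this authenticates the resolver, not the data: a lying resolver is still lying, which is why the message above treats trust in the resolver operator as a separate question.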