Along these same lines, we have a service that captures all DNS requests regardless the server(only non-TLS, albeit), that people pay $9.99/mo for, so they definitely want this.. We just NAT all requests to Open DNS servers to provide internet filtering as a service. It would be arbitrarily trivial to run our own DNS service and reply to any unencrypted DNS request to any DNS server with whatever A or AAAA record we want.. On 29 March 2018 at 09:29, Bill Woodcock <woody@pch.net> wrote:
\On Mar 29, 2018, at 7:27 AM, Brian Kantor <Brian@ampr.org> wrote:
On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams wrote:
I've never really understood this - if you don't trust your ISP's DNS, why would you trust them not to transparently intercept any well-known third-party DNS?
Of course they could. But it's testable; experiments show that they aren't doing so currently.
Experiments may show that in some tested cases they aren’t, but in the big picture, yes, there are ISPs who are internally capturing 8.8.8.8, and who try to do the same with 9.9.9.9. Which is why it’s so important to do cryptographic validation of the server and encryption of the transport, as well as DNSSEC validation.
-Bill