[dns-operations] Hijacking DNS traffic (Was: Re: new public DNS service: 9.9.9.9)
Mark Milhollan
mlm at pixelgate.net
Tue Nov 21 20:58:14 UTC 2017
On Tue, 21 Nov 2017, Stephane Bortzmeyer wrote:
> On Mon, Nov 20, 2017 at 07:13:01PM -0800,
> Mark Milhollan <mlm at pixelgate.net> wrote
> a message of 43 lines which said:
>> Neither is very wonderful but each certainly seems defensible, yours
>> not alone for "my network, my rules".
>
> "My network, my rules" is fine when it is really MY network. I manage
> the LAN at home as a nasty dictator because it is really my
> network. But a public ISP is in a different position: it provides a
> service to users and they are expecting neutrality from this provider.
I doubt most are expecting that precisely, since most have no idea how
to fix most problems and want their ISP to do so even if their settings
are at fault (as the message just previous complained/explained for his
"why"). But I agree, hence the "Neither is" part, and yet with DNSSEC I
don't care as long as they operate faithfully so that the answers
validate.
>> There's not much security between the stub and a non-local resolver
>
> Precisely, Quad9 has one (DNS-over-TLS, RFC 7858). It protects users
> against rogue ISPs.
Precious little the masses can yet expect works for them. I believe
Google is also providing 7858 service.
/mark
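The RFC 7858 service mentioned in this exchange works by framing ordinary DNS messages inside a verified TLS session. As an added illustration (not code from the list message, Quad9 or Google), the block below builds a query, applies the two-octet length framing the RFC specifies, and reads framed answers back from a stream; the Quad9 address 9.9.9.9, port 853 and the TLS name dns.quad9.net are assumptions, and the sample bytes in the tests are constructed here.

```python
# Added example: RFC 7858 (DNS over TLS) message framing and a verifying client.
# Each DNS message on the TLS stream is preceded by a two-octet network-order
# length, so a reader must cope with several messages, or part of one, per read.
import socket
import ssl
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RD=1, one question) for qname; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: two-octet length prefix, then the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def deframe(stream: bytes):
    """Split a byte stream into complete DNS messages: (messages, leftover)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break  # partial message; caller keeps the leftover and reads more
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def query_over_tls(qname: str, server: str = "9.9.9.9",
                   server_name: str = "dns.quad9.net") -> bytes:
    """Send one framed query over a certificate-verified TLS session (port 853)
    and return the first raw DNS answer. Server address and TLS name are assumed."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server, 853), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(qname)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the stream early")
                buf += chunk
                msgs, buf = deframe(buf)
                if msgs:
                    return msgs[0]
```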