Easy...
Why not have a DNS resolver built into your browser that pipes all queries to a TOTALLY TRUSTWORTHY server over HTTPS? What could possibly go wrong?
Boffins from the University of Southern California's Information Sciences Institute have crunched six years and four months of data, and found that DNS spoofing, while uncommon, has doubled during that time. "We show that spoofing today is rare, occurring only in about 1.7 per cent of observations," explain Lan Wei, a doctoral …
> The paper points out that there's a protocol called DNSSEC that provides some protection against spoofing.
I've not read the paper, so I'm only going on El Reg's writeup, but it looks to me like DNSSEC provides little protection here.
They seem to generally be talking about the DNS servers that clients use - the recursors - deliberately or otherwise (i.e. the user might think they've configured 8.8.8.8 but it's being intercepted).
If so, DNSSEC is bugger all use to protect against spoofing at that level. DNSSEC is validated by the recursor, not the client. So if myevil.recursor is intercepting your queries before they reach 8.8.8.8 it doesn't really matter whether the domain in the QNAME has DNSSEC enabled or not, I'm hardly going to configure my interceptor to validate it, particularly if I'm intending to spoof responses.
What DNSSEC does protect against is someone intercepting the recursor's upstream queries and returning their own responses, so if you're running your own recursor locally, you'll get some protection (that's not most users), or if someone upstream of your provider intercepts queries to an authoritative, you should be safe.
I _believe_ validation in DANE happens on the client though, so that would be some protection if it were supported.
I hope I'm misreading the article. What I think I read is that 1.7% of DNS queries are spoofed and that's a small number. So, no current concern. But why would one hijack a DNS query unless one had malign intent? Are they really saying that nearly one in 50 of my DNS queries will route me to some nasty site and I don't need to worry my pretty little head about that unless/until the situation gets worse?
The 1.7% is more concentrated. Some places make it nearly 100%, and some places make it 0%. The places with 100% usually spoof the answer with the correct answer. However, they sometimes choose not to, usually when the correct answer is "don't know that one" and they instead substitute "how about these ads". Their infrastructure for that purpose can also be used to censor something at a later point should they decide they want to do so.
A note: although a lot of ISPs do redirect unknown domains to an ad system, it does not necessarily follow that all of them spoof to do so. Many only do so if the user doesn't change away from the ISP-supplied DNS servers. That approach is annoying, but not the kind of violation of trust that spoofing does.
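The two technical points raised above (that a stub client only ever sees the recursor's AD bit, so DNSSEC does nothing against an interceptor sitting between you and 8.8.8.8, and that an ISP rewriting NXDOMAIN into an ad-server address can be spotted by asking for a name that cannot exist) can both be shown on the wire. The following is an added example, not code from the thread or from the paper it discusses; it uses only the Python standard library, constructs its own DNS messages in memory (no network), and the names and 192.0.2.x addresses in it are constructed placeholders from the documentation ranges.

```python
"""Added example: build minimal DNS responses and inspect them the way a stub
resolver would.  All messages below are constructed in memory; nothing is sent."""
import struct

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, rcode, answers=(), ad=False):
    """Construct a response (QR=1, RA=1) to an A/IN query for qname.
    rcode 0 = NOERROR, 3 = NXDOMAIN.  'ad' sets the Authenticated Data bit."""
    flags = 0x8000 | 0x0080 | (0x0020 if ad else 0) | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # type A, class IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return hdr + question + rrs

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return header flags of interest plus the answer RR types and any A rdata."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                         # qtype + qclass
    types, ips = [], []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        types.append(rtype)
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"ad": bool(flags & 0x0020), "rcode": flags & 0xF,
            "types": types, "ips": ips}

def ad_without_signatures(msg):
    """True when AD=1 arrives with no RRSIG (type 46) in the answer: the stub has
    nothing it could verify itself, so the bit is only as trustworthy as the path
    to the recursor (which is exactly what an interceptor controls)."""
    r = parse_response(msg)
    return r["ad"] and 46 not in r["types"]

def nxdomain_rewritten(msg):
    """Detection check: a probe for a name that cannot exist must come back
    NXDOMAIN with no A records.  NOERROR plus an address means something in the
    path substituted its own answer (the ISP ad-redirect case)."""
    r = parse_response(msg)
    return r["rcode"] == 0 and len(r["ips"]) > 0

# Constructed sample traffic (placeholder names and TEST-NET-1 addresses).
PROBE = "thisnamecannotexist-7f3a.example.com"
HONEST_NXDOMAIN = build_response(PROBE, rcode=3)
AD_REDIRECT = build_response(PROBE, rcode=0, answers=["192.0.2.10"])
FORGED_AD = build_response("signed.example.com", rcode=0, answers=["192.0.2.20"], ad=True)

if __name__ == "__main__":
    print("honest NXDOMAIN rewritten?", nxdomain_rewritten(HONEST_NXDOMAIN))   # False
    print("ad-server answer rewritten?", nxdomain_rewritten(AD_REDIRECT))      # True
    print("AD bit set with nothing to verify?", ad_without_signatures(FORGED_AD))  # True
```

The third sample is the point of the DNSSEC discussion: any on-path party that answers in place of the real recursor can set AD=1 on a fabricated record, and a stub that merely reads the bit cannot tell it from a validated answer. The bit only carries meaning if the channel to the recursor is itself authenticated, or if the client validates the RRSIG chain locally; DANE-style client-side checking would be the latter.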
It may be done by internet service providers to respond to DNS queries more quickly or to inject ads.
I filed a FCC complaint against Spectrum and I got a response saying it's ok because everyone else does it.
It broke some SAMBA scripts that relied on no-such-host to redirect to WINS resolution. Spectrum resolved everything to their shit adware site.
For those who missed the sarcasm of the first post, a browser doing its own DNS circumvents a system level configuration. Remember, the Internet is not the WWW. So now you have a system where DNS queries are going to different locations depending on how client software is configured, very messy, overly complicated, and ripe for failure.
I had a problem with Charter blocking DNS going outside their network. That is not OK for an ISP where endpoint equipment is owned by their customers who pay for internet connectivity. It's fine for a company that owns the endpoint equipment and the network. I managed to have that problem resolved in a single phone call, albeit a long phone call with many transfers.