Along these same lines, we have a service that captures all DNS requests regardless of the server (only non-TLS, albeit), that people pay $9.99/mo for, so they definitely want this. We just NAT all requests to OpenDNS servers to provide internet filtering as a service. It would be arbitrarily trivial to run our own DNS service and reply to any unencrypted DNS request to any DNS server with whatever A or AAAA record we want.
On 29 March 2018 at 09:29, Bill Woodcock <wo...@pch.net> wrote:
>
> On Mar 29, 2018, at 7:27 AM, Brian Kantor <br...@ampr.org> wrote:
> >
> > On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams wrote:
> >> I've never really understood this - if you don't trust your ISP's DNS,
> >> why would you trust them not to transparently intercept any well-known
> >> third-party DNS?
> >
> > Of course they could. But it's testable; experiments show that they
> > aren't doing so currently.
>
> Experiments may show that in some tested cases they aren’t, but in the big
> picture, yes, there are ISPs who are internally capturing 8.8.8.8, and who
> try to do the same with 9.9.9.9. Which is why it’s so important to do
> cryptographic validation of the server and encryption of the transport, as
> well as DNSSEC validation.
>
> -Bill