I am wondering if an ISP or network admin on my network would be able to change where a DNS server is located at (ex: if a DNS server is located at 132.192.175.210, the ISP/netadmin can redirect it to their own server at 11.29.102.201 to change where the DNS records point to). Does DNSSEC and DoH/DoT combat this, and how? Why is it safe to use a domain for DoH/DoT if it requires going through insecure DNS to get to a secure DNS?

  • rasensprenger
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    6 months ago

    Yes they can, but it doesn’t really matter. They can’t send you a faked dns response if you are connecting to the website via HTTPS, because a fake website won’t have the correct certificate.

    They may block your DNS queries so you can’t connect to things, but they’re your ISP, they can block all of your traffic anyway.

    The worst they can do by injecting their own DNS server is to track your queries, but if you’re not doing complicated stuff you are telling your ISP which sites you visit anyway (because of TLS Server Name Indication) and where your traffic goes (because the ISP needs a target IP to route your traffic).

    A VPN “solves” all of these problems in so far as that now your ISP has a harder time tracking you, but you just moved the problem and now have to trust whoever is running the VPN server.