DNSSEC and ISPs faking DNS responses

[mlm at pixelgate.net (Mark Milhollan)]

On Thu, 13 Nov 2015, John Levine wrote:

>At this point very few client resolvers check DNSSEC, so something
>that stripped off all the DNSSEC stuff and inserted lies where
>required would "work" for most clients.  At least until they realized
>they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

Except that the ISP can intercept those queries and respond as it likes.  
Such is already done at all scales.  Not that a government generally 
cares what kind of burden is required once the law is passed, cf CALEA.

True, some users would be able to detect such tampering and many of 
those could work around it.  But most will have no way to do either.

Would the masses ever replace their stub with a full resolver?  
Doubtful, unless their OS vendor does it for them.  Would that be the 
right thing to do for a few billion users of Windows and another couple 
billion using Android most of whose ISPs are providing unfaked answers?  
Would the various authoritiative operators be happy / agree?  How does 
one fit local zones into the picture?

Would the masses setup a VPN to a service provider in a jurisdiction not 
subject to such foolishness so their resolver, whether stub or full, 
would have a chance at unfaked answers?  Again, I'm thinking most would 
be entirely ignorant of the issue, and in any case would be hard pressed 
to set anything up unless it was trivial, e.g., not just part of their 
OS but also Wizard-like with most answers pre-supplied.


/mark