top | item 47068238

(no title)

Two current mitigations and one future:

DNSSEC prevents any modification of records, but isn’t widely deployed.

We query authoritative nameservers directly from at least four places, over a diverse set of network connections, from multiple parts of the world. This (called MPIC) makes interception more difficult.

We are also working on DNS over secure transports to authoritative nameservers, for cases where DNSSEC isn’t or won’t be deployed.

discuss

IgorPartola|11 days ago

Ah that makes sense. I was wondering why I haven’t heard of cases of successfully attacks like this. Thank you for the info!