 nixenRockin' the BoxenPremium
join:2002-10-04
Alexandria, VA | said by openbox9:Ok, I guess we'll agree to disagree. The threat difference between "internal ISP DNS servers" and "external 'trusted' DNS servers" is minimal at best. Then you're REALLY underestimating the threat differential.
If the nameserver I consult - public or private - is compromised, then potentially every query can produce a bad result
If, however, a nameserver that is authoritative for a given domain is compromised - the delegated trust you speak of - then only queries for that domain can produce bad results.
Where the difference comes in with public vs. private nameservers is the relative likelihood of compromise. Each is open to compromise to anyone that the nameserver is available to. A public/third-party nameserver is available to the Internet at large for attack. A private nameserver is available to a lot smaller set of sources for attack.
said by openbox9:We could always throw out DNS and use the IP addresses if the world's DNS system is so potentially insecure and unreliable. Yeah, that's a reasonable response to your misunderstanding of my post. 
-tom
--
"Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficial. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding." -Louis D Brandeis |
