I am wondering if an ISP or network admin on my network would be able to change where a DNS server is located at (ex: if a DNS server is located at 132.192.175.210, the ISP/netadmin can redirect it to their own server at 11.29.102.201 to change where the DNS records point to). Does DNSSEC and DoH/DoT combat this, and how? Why is it safe to use a domain for DoH/DoT if it requires going through insecure DNS to get to a secure DNS?

  • TheBigBrother@lemmy.world
    link
    fedilink
    arrow-up
    3
    arrow-down
    5
    ·
    edit-2
    4 months ago

    I believe your ISP can modify the default DNS of your router so when you connect through DHCP a device it will set that DNS, but if you manually set the DNS in your device ISP can’t notice it.

    • sloppy_diffuser@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      5 months ago

      They can modify the DNS packets still. They aren’t encrypted or signed so the authenticity of a response packet cannot be verified. Parental controls from ISP relay on being able to snoop and modify your DNS (and SNI from TLS ClientHello packets).