I am wondering if an ISP or network admin on my network would be able to change where a DNS server is located at (ex: if a DNS server is located at 132.192.175.210, the ISP/netadmin can redirect it to their own server at 11.29.102.201 to change where the DNS records point to). Does DNSSEC and DoH/DoT combat this, and how? Why is it safe to use a domain for DoH/DoT if it requires going through insecure DNS to get to a secure DNS?

  • @TheBigBrother
    link
    -3
    edit-2
    5 months ago

    I believe your ISP can modify the default DNS of your router so when you connect through DHCP a device it will set that DNS, but if you manually set the DNS in your device ISP can’t notice it.

    • @[email protected]
      link
      fedilink
      English
      76 months ago

      They can modify the DNS packets still. They aren’t encrypted or signed so the authenticity of a response packet cannot be verified. Parental controls from ISP relay on being able to snoop and modify your DNS (and SNI from TLS ClientHello packets).