
Ask HN: What if your DNS provider is a honeypot? - niksmac
I started using nextdns.io recently and am pretty happy with it, until I got this thought: what if they are a honeypot? How can we validate it, for any DNS provider?
======
LinuxBender
If you mean they give a different answer specifically for you, then you would
have to mirror your requests to multiple providers and the root servers to see
who is not telling the truth. Perhaps build a web UI like this [1] or write a
script to select some of your commonly requested names and query all the
servers. At times you can expect answers to differ, as people change DNS and
TTL will expire from caches at different times. Some sites may give a
different IP based on the source location of your DNS client if they are doing
GSLB and not using Anycast.

In a script you might use the "dig" command with options like this so you can
see when the TTL is about to expire.

    dig @some_server +noall +answer some.domain

[1] -
[https://www.whatsmydns.net/#NS/ycombinator.com](https://www.whatsmydns.net/#NS/ycombinator.com)

~~~
Znafon
Don't DoH and DoT protect against this by having a chain of trust up to the
root servers?

~~~
elliottinvent
DoH and DoT encrypt the client's connection to the resolver, but they don't
always verify that the response is from the authoritative server. That can be
done by DNSSEC, and is often taken care of by DoH providers (e.g. Google and
Cloudflare) but only if supported by the authoritative server.

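The two preceding comments describe a procedure (query the same name at several resolvers, compare the answer sets while allowing for cache-TTL skew, and check whether the resolver is reporting DNSSEC validation) without showing the comparison itself. The script below is an added example written for this page, not code from any commenter or from NextDNS. It parses the default output format of dig (the `;; flags:` header line and the ANSWER SECTION), then flags resolvers whose A-record set differs from the majority, resolvers answering from a nearly expired cache entry (the benign cause of disagreement mentioned above), and resolvers that do not set the AD flag. The three sample outputs are constructed, not real captures; `198.51.100.53` is a hypothetical "suspect" resolver and the addresses are documentation ranges. In practice you would replace the samples with the output of `dig @resolver name` run for each resolver.

```python
import re
from collections import Counter

# Constructed sample output in the shape dig prints by default, as if the same
# name had been queried at three resolvers. These are not real captures.
SAMPLES = {
    "9.9.9.9": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n"
        ";; QUESTION SECTION:\n"
        ";example.test.\t\t\tIN\tA\n"
        "\n"
        ";; ANSWER SECTION:\n"
        "example.test.\t300\tIN\tA\t192.0.2.10\n"
        "example.test.\t300\tIN\tA\t192.0.2.11\n"
        "\n"
        ";; Query time: 12 msec\n"
    ),
    # Same answer set, different order, and a cache entry about to expire.
    "1.1.1.1": (
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n"
        ";; ANSWER SECTION:\n"
        "example.test.\t17\tIN\tA\t192.0.2.11\n"
        "example.test.\t17\tIN\tA\t192.0.2.10\n"
    ),
    # Hypothetical suspect resolver: different answer and no AD flag.
    "198.51.100.53": (
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n"
        ";; ANSWER SECTION:\n"
        "example.test.\t60\tIN\tA\t203.0.113.99\n"
    ),
}

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_dig(text):
    """Return (flags, records) from dig's default output.

    flags is the set of header flags (e.g. {'qr','rd','ra','ad'});
    records is a list of (name, ttl, rtype, rdata) from the ANSWER SECTION.
    """
    flags, records = set(), []
    in_answer = False
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other section header ends the answer section
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return flags, records


def compare_resolvers(samples, rtype="A", low_ttl=30):
    """Cross-check one name across resolvers.

    Answer sets are compared as sets, so record order does not matter.
    The majority set is taken as the reference; a resolver that differs is an
    outlier. Resolvers whose lowest TTL is below low_ttl are reported
    separately, since a disagreement there may just be cache expiry. Resolvers
    that do not set AD did not report DNSSEC validation for this answer.
    """
    parsed = {r: parse_dig(t) for r, t in samples.items()}
    answer_sets = {
        r: frozenset(rd for _, _, rt, rd in recs if rt == rtype)
        for r, (_, recs) in parsed.items()
    }
    majority, _ = Counter(answer_sets.values()).most_common(1)[0]

    near_expiry = []
    for r, (_, recs) in parsed.items():
        ttls = [ttl for _, ttl, rt, _ in recs if rt == rtype]
        if ttls and min(ttls) < low_ttl:
            near_expiry.append(r)

    return {
        "majority": majority,
        "outliers": sorted(r for r, s in answer_sets.items() if s != majority),
        "near_expiry": sorted(near_expiry),
        "unvalidated": sorted(r for r, (flags, _) in parsed.items() if "ad" not in flags),
    }


if __name__ == "__main__":
    for key, value in compare_resolvers(SAMPLES).items():
        print(f"{key}: {sorted(value) if isinstance(value, frozenset) else value}")
```

Two caveats when running this against real resolvers: a site using GSLB can legitimately hand different resolvers different addresses, so an outlier is a prompt to look closer rather than proof of tampering, and the AD flag only tells you what the resolver claims to have validated; it is meaningful only for zones that are actually DNSSEC-signed, and only if you trust the path between you and that resolver (which is what DoT/DoH protect).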
------
diablo1
Sending all your requests to a single DNS point is bad security. Best to just
'spread' your DNS out, so use a mix of Quad9, Google, OpenDNS, Cloudflare
1.1.1.1, etc.

I live by the motto: Don't put all your eggs in one basket

~~~
niksmac
How can I achieve this in a normal laptop? How do you achieve this in any
machine?

~~~
diablo1
I meant spreading across devices. So separate DNS addresses for your phone,
another for your tablet, and another for your laptop. If you use virtual
machines, you can diversify the DNS addresses even further. You can also
enable different DoH servers for different browsers that you use to further
diversify.

------
viraptor
What do you mean by a honeypot? Do you mean if they're running a scam, or
actually a honeypot and you're running a scam that could be found?

~~~
niksmac
Lol. I mean they capture all the traffic and lead me somewhere else?

------
elliottinvent
I think you have to trust your DNS resolver or choose a new one. You can
compare the results of different resolvers but I'm not aware of any solutions
out of the box. For example:

dig example.com A

compare against

dig example.com A @dns.google.com

etc

