> I also remember some scandal a couple decades ago with some plugin scanning your /etc/hosts file for their domains
Given that this used to be enough to prevent Adobe CS5 and CS6 from phoning back home and detecting you used a keygen, some sort of "sanity check" against the license server endpoint IPs does make sense.
> … some sort of "sanity check" against the license server endpoint IPs does make sense.
No it doesn’t. If you want to verify the response from a given endpoint, cryptographically sign the response and verify the signature. TLS + hostname verification for the license server is pretty close too (with the proviso that you’re trusting the CA cabal to not let someone else spoof you).
There’s no world where it’s okay for software or even hardware to mess with networking or DNS.
> with the proviso that you’re trusting the CA cabal to not let someone else spoof you
And keep in mind that usually, the user has ultimate control over the "CA cabal". Since the user is the antagonist in the world of DRM, relying only on HTTPS might not be the best idea.
But then again, the whole effort of preventing the user from doing what they want on hardware and an OS they have total control over might not be the best idea in general.
Given that this used to be enough to prevent Adobe CS5 and CS6 from phoning back home and detecting you used a keygen, some sort of "sanity check" against the license server endpoint IPs does make sense.