-1

When a DNS server is specified (in my case in OS X, in the Network Preferences), can it be spoofed (for instance by an organization with the power of a government)?

I am asking the question because DNS poisoning is an important issue about which ample information can be found, but what about the spoofing of the DNS server itself?

  • Yes, and trivially so - it definitely doesn't require a government to do it. – MadHatter Jun 02 '15 at 08:40
  • Why the downvote? – Eric O Lebigot Jun 02 '15 at 10:27
  • Mouse over the down arrow; the popup says "*This question does not show any research effort; it is unclear or not useful*". Downvotes without comment may be presumed to be for at least one of those reasons. – MadHatter Jun 02 '15 at 11:15
  • That's precisely why I asked about the downvote: I did show that I researched the topic: as I indicated, I could only find "ample information" on DNS poisoning, but not on the subject of the question. I would argue that the question is clear, and also useful (especially given how difficult it is to find any answer with Google in a reasonable amount of time). An explicit explanation for the downvote would be useful. – Eric O Lebigot Jun 02 '15 at 14:15
  • [As has been made clear by a moderator](http://meta.serverfault.com/a/3055/55514) downvotes don't require that the downvoter explain him or herself. If you wish to try to appeal to the downvoter to shed more light on it, you're welcome to go on meta and ask, though I'd recommend against it. – MadHatter Jun 02 '15 at 14:31

2 Answers

1

Of course. As long as the spoofer has access to the network hardware DNS requests are passing through, they can change the destination of your DNS queries to another - shady - server.

There is not much you can do about it, besides using an encrypted VPN to someplace safe. Even running your own DNS server would lead to the requests being redirected.

DNSSEC offers a way of detecting DNS request manipulation, but there is no way to prevent it.

Fox
1

From a security point of view, assume yes. That is why we have things like DNSSEC and TSIG.

From a practical point of view, assume that it would be entirely plausible to do. If not getting between yourself and your own (presumably) recursive DNS server, then at your network service provider or closer to the authoritative server that you need to query.

MadHatter
Cameron Kerr
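An added example, not part of either answer: how the TSIG mechanism named in the second answer lets a client reject a reply that an on-path device rewrote or an impostor server produced. It computes the HMAC-SHA256 MAC over the input laid out in RFC 8945 but does not encode or parse the TSIG record on the wire; the key, key name, addresses and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """Encode a domain name as lowercase DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dns_message(msg_id, flags, qname, answer_ip=b""):
    """Build a minimal A/IN query, or a response with one A record (0xC00C points at qname)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + answer_ip if answer_ip else b""
    return header + wire_name(qname) + struct.pack("!HH", 1, 1) + answer

def tsig_mac(key, message, key_name, time_signed, fudge=300, request_mac=b""):
    """HMAC-SHA256 over [request MAC, responses only] + message + TSIG variables."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
                 + wire_name("hmac-sha256")
                 + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", 0, 0))                       # error, other-len
    return hmac.new(key, prefix + message + variables, hashlib.sha256).digest()

def verify_response(key, response, mac, key_name, time_signed, request_mac, now, fudge=300):
    """Accept only if the MAC matches and the signing time is within the fudge window."""
    expected = tsig_mac(key, response, key_name, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac) and abs(now - time_signed) <= fudge

# Constructed sample data: key, key name, addresses and timestamp are made up.
KEY, KEY_NAME, NOW = b"constructed-shared-secret-32byte", "stub-to-resolver.example", 1433234400
QUERY = dns_message(0x1A2B, 0x0100, "www.example.com")
QUERY_MAC = tsig_mac(KEY, QUERY, KEY_NAME, NOW)

def demo():
    genuine = dns_message(0x1A2B, 0x8180, "www.example.com", bytes([192, 0, 2, 10]))
    genuine_mac = tsig_mac(KEY, genuine, KEY_NAME, NOW, request_mac=QUERY_MAC)
    # An on-path box that rewrites the answer cannot recompute the MAC without KEY.
    forged = dns_message(0x1A2B, 0x8180, "www.example.com", bytes([203, 0, 113, 66]))
    forged_mac = tsig_mac(b"attacker-does-not-know-the-key", forged, KEY_NAME, NOW,
                          request_mac=QUERY_MAC)
    return {
        "genuine": verify_response(KEY, genuine, genuine_mac, KEY_NAME, NOW, QUERY_MAC, NOW),
        "rewritten": verify_response(KEY, forged, genuine_mac, KEY_NAME, NOW, QUERY_MAC, NOW),
        "forged_mac": verify_response(KEY, forged, forged_mac, KEY_NAME, NOW, QUERY_MAC, NOW),
        "replayed_late": verify_response(KEY, genuine, genuine_mac, KEY_NAME, NOW, QUERY_MAC, NOW + 3600),
    }

if __name__ == "__main__":
    print(demo())
```

Only the reply signed with the shared key inside the time window verifies; the rewritten answer, the reply signed with a different key and the late replay are all rejected.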