How do you know your DNS is not under a MITM attack?

Using 4.2.2.4 as a DNS server throughout.

How do you know you are connecting to the real 4.2.2.4 DNS server and not some other because of an attack similar to an ssl man-in-the-middle attack?

 

Annwering my own question, you don't, unless something like DNSCrypt is used.

Except this particular product requires faith in a third company, OpenDNS. Used to use this company as the DNS server provider in all my connections, until I noticed failed dns queries were redirected to their IP's. That's a foul in my book, who knows what else they are redirecting.

Any better way to guarantee your DNS queries are not interfered with?

What about this proposal: send the DNS query to 2 or 3 different DNS servers through 2 or 3 respective freeware VPN's, and if the results disagree, suspect interception. Would this work, does such a thing exist?

 

I haven't heard of such a tool. If you enter IP adresses from different DNS providers in you DNS configuration, only the first one will be used unless it is not connectable afaik.

OpenDNS's DNSCrypt is highly outdated. You can find the most recent version here which you can use with other DNS providers as well:
http://dnscrypt.org/

 

Now I saw this. Thanks for the dnscrypt link.

 

OpenDNS's DNSCrypt is a GUI wrapped around the real, open source DNSCrypt. I think OpenDNS have actually abandoned their efforts in promoting and updating this. All they do is support the protocol on their server now.

DNSCrypt is worked on by 1 person and to my knowledge is not funded or has any ties to OpenDNS. Recently the author has been stripping every mention of OpenDNS from his code.

 

And in case the DNS servers themselves get poisoned or otherwise become untrustworthy, we could compare the results from several DNS servers and only trust them if they all agree, as proposed above.

Tried to use a script for this. This listens to the DNS port as if it were a local DNS server. But it only responds to one DNS query, after that it does nothing. Why is that?

Running the following as root:

# create fifo's
mkfifo -m 0600 "$BACK" "$SENT" "$RECEIVED"

# Keep parsing SENT fifo to get domain name (this can then be used to query several public DNS servers with DNScrypt)
od -c -w100 < "$SENT" | sed "s/blah blah//g" &

# Keep parsing RECEIVED fifo to get IP
od -t u1 -w100 < "$RECEIVED" | sed "s/blah blah//g" &

# Keep listening and piping
nc -ul 53 < "$BACK" | tee "$SENT" | nc -u 4.2.2.4 53 | tee "$RECEIVED" > "$BACK"