
I think so too, though CDNs will mess with the results a bit. It would be nice if DNS had a way to sign/validate/somehow know the record you got was correct. Especially on the apex record, as it can happen before SSL.


It's interesting no one brought up DNSSEC[1]. Has anything happened there since 2010?

1. http://en.wikipedia.org/wiki/Domain_Name_System_Security_Ext...


DNSSEC is great in theory, but after three years I still haven't deployed a live instance.

It is cumbersome to implement and maintain, requiring co-operation of registrars and frequent key regeneration.

It is also very, very chatty and imposes a considerable processing burden on the first-hop DNS resolver.

We need a signed DNS solution that isn't DNSSEC.


I was going to mention it, but I haven't found anyone using it or a usable implementation.


CDNs will indeed mess with the results, but it would still likely be possible to tell the difference between a legitimate result and a forged one, especially if you know something about the CDN structures used by major sites. And the more people run it, the more likely you can detect anomalies, much like Perspectives does for SSL.

SSL, incidentally, seems like a major help here: you could detect common DNS hijackings by accessing the site via SSL. If you access https://amazon.com/, an ISP hijacking the site would produce either a certificate error or a connection failure (depending on whether they even attempt to listen for SSL traffic).
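The multi-vantage-point idea in the comments above (CDNs blur the picture, but a forged answer still stands out once enough independent resolvers are compared, as Perspectives does for certificates) can be sketched as a small consensus check. This is an added example, not code from the thread or from the Perspectives project; the vantage-point names and the A records are constructed (RFC 5737 documentation addresses), and collapsing answers to a /24 is an assumed heuristic for tolerating CDN node rotation, not a description of how any real notary works.

```python
"""Perspectives-style consensus check over DNS answers from several vantage points.

Each vantage point (a resolver you control or a notary you trust) reports the
A records it received for one name. An answer that shares no address block with
what a quorum of vantage points saw is flagged as an outlier worth investigating
(local resolver poisoning, ISP redirection, or simply a misconfigured resolver).
"""
from collections import Counter
from ipaddress import ip_network
from typing import Dict, List, Set

# Constructed observations: vantage point -> A records returned for one name.
# Addresses come from RFC 5737 documentation ranges and refer to nothing real.
OBSERVATIONS: Dict[str, List[str]] = {
    "vantage-us-east": ["192.0.2.10", "192.0.2.11"],
    "vantage-eu-west": ["192.0.2.12"],           # CDN hands out a different node, same block
    "vantage-ap-south": ["192.0.2.13", "192.0.2.10"],
    "isp-resolver-home": ["198.51.100.77"],      # constructed: an answer no other vantage point sees
}


def answer_prefixes(addrs: List[str], prefixlen: int = 24) -> Set[str]:
    """Collapse A records to their /prefixlen network.

    CDNs rotate individual nodes per query and per region, so comparing exact
    addresses would flag every CDN-fronted site. Comparing address blocks is a
    cheap (assumed, not authoritative) way to absorb that noise.
    """
    return {str(ip_network(f"{a}/{prefixlen}", strict=False)) for a in addrs}


def find_outliers(observations: Dict[str, List[str]],
                  prefixlen: int = 24,
                  quorum: float = 0.5) -> List[str]:
    """Return vantage points whose answers share no block with the majority view.

    A block is 'trusted' when at least `quorum` of the vantage points returned
    an address inside it. A vantage point is an outlier when none of its blocks
    is trusted. If no block reaches quorum there is no consensus to trust, and
    every vantage point is reported so the caller sees the disagreement.
    """
    if not observations:
        return []
    per_vp = {vp: answer_prefixes(addrs, prefixlen) for vp, addrs in observations.items()}
    votes = Counter(p for prefixes in per_vp.values() for p in prefixes)
    needed = quorum * len(per_vp)
    trusted = {p for p, n in votes.items() if n >= needed}
    return sorted(vp for vp, prefixes in per_vp.items() if not (prefixes & trusted))


if __name__ == "__main__":
    for vp in find_outliers(OBSERVATIONS):
        print(f"{vp}: answer {OBSERVATIONS[vp]} disagrees with the other vantage points")
```

With the constructed data the three geographically spread vantage points agree on one /24 while the home ISP resolver returns an unrelated block, so only `isp-resolver-home` is reported; a real deployment would need knowledge of the CDN's actual address ranges rather than a fixed prefix length, which is exactly the "know something about the CDN structures" caveat made in the comment.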


http://perspectives-project.org/

Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.


Isn't that exactly what DNSSEC is? Unfortunately not all that many domains are using it today.



