On Thu, Mar 29, 2018 at 9:27 AM, Brian Kantor <br...@ampr.org> wrote:
> Of course they could. But it's testable; experiments show that they
> aren't doing so currently.

Some of the recursive DNS providers support a protocol called DNSCrypt for authenticating data between the client and the recursive nameserver, to mutually authenticate client+server, and ensure data hasn't been modified by a man-in-the-middle.

https://www.opendns.com/about/innovations/dnscrypt/

> - Brian

--
-JH