The reason is because I recently picked up studying penetration testing/countermeasures and I read about "dns cache poisoning" Until I know about the different ways this attack can be carried out I would prefer to use my own name resolution, for certain websites. As far as I can see, this would ensure that no matter what a hacker could do to dns server, at least I would know that the IP address I'm using is the right one..
1st: DNSSEC, a extension to DNS created to mitigate the problem of DNS cache poisoning (despite it being very rare and mostly caused accidentally) was deployed at least a few months ago.
2nd: the "threat" of DNS cache poisoning is about as real as the Y2K bug. That is, almost all the "damage" so called experts say it can do are all based on nonsense, because said experts aren't really experts at all and have no idea how DNS actually worked.
3rd: unless you actually understand how DNS cache poisoning works, as well as how DNS works normally you really have no experience in the matter and cannot claim to have a method of mitigating said issue.
Sure, Sure- Yes, the DNS you are using could have a poisoned entry. let's pretend it does, something "important", such as your bank.
So, your computer requests the Hostname. For me, this would be tdcanadatrust.com, and since the cache is poisoned, I get back a address to a malicious server somewhere. The first sign of trouble would be, I imagine, the fact that it's SSL certificate is not valid and FF would display a warning to that effect.
Second, the people responsible for said attack would need to pretty much duplicate the entire site.
Third, the end result would be that they would end up with a few numbers from my account number, as well as my "easyweb" password. The numbers they have would narrow it down to few hundred thousand different actual account numbers, but the fact remains that each request takes about 10 seconds, so even if they tried to "hack" into my account in that manner they would still need at least 12 hours to do so, but by that time I'm sure the bank and or their IT admins would have:
A:) noticed that a good amount of their traffic has dissappeared as a result of the cache attack
and
B:) notice a single IP address constantly requesting and being denied login for hours on end. Of course the "hackers" could thereotically distribute such attempts, but even then it would hardly conceal the first factor. Basically, they would go to all this effort to get a few passwords, without being able to match said passwords to the actual Account numbers. And even if they <WERE> able to do so, the banking software itself requires that we enter a security question whenever our accounts are accessed from a IP address they haven't been accessed from. I highly doubt they would be able to guess the nonsensical answers I gave, and even if my answers were something that could be accessed by a dictionary attack, they just took 12 hours to finally get in and now they need to take another few hours to get in all the way, this is even assuming that the bank was really slow and their IT staff was all on vacation and thus they didn't respond to the clear indications of something going on. That and the fact that the site is actually distributed across several domains would make attacking a financial institution- or, more precisely, the members of said institution - using a DNS poisoning attack very difficult and involve the expertise of designers (to duplicate the web page) script programmers (to duplicate it's functionality) as well as experts able to create the poisoned DNS records. It would require a great amount of organization amongst a group known for their solitary hubris.
DNS Cache poisoning can also be a local problem that goes deeper then the hosts file does. It won't mitigate DNS cache poisoning because the cache is checked before it reads from the hosts file anyway.
Check if you are "vulnerable" to DNS cache poisoning
http://www.froyn.net/poison.htmlEven if you are, the above info still applies. It would still take a concerted effort by a lot of skilled people to get anything.
