On Thu, Apr 23, 2015 at 11:03:59AM +0200, Simon Josefsson <simon@xxxxxxxxxxxxx> wrote a message of 124 lines which said:

> That is the risk of someone on the Internet actively intercepts my
> DNS traffic, responding with correct data while gathering
> privacy-sensitive information.

From the point of view of privacy, I do not see the difference with a purely passive attacker, reading the flow of requests and responses. Or the case mentioned in 2.5.1, "Recursive Resolvers see all the traffic since there is typically no caching before them. To summarize: your recursive resolver knows a lot about you."

In all these cases, the bad guy has the same info, and is as difficult to detect because the responses are authentic.