
For example, researcher Dan Kaminsky demonstrated a vulnerability that allowed fraudulent frames to be embedded on Facebook or PayPal.

This practice clearly violates the RFC standard.for DNS responses and makes users vulnerable to XSS attacks. The user saw ads and content that had nothing to do with in the address bar. This looked especially bad if the user requested a non-existent domain of a well-known site, for example,. The American provider Earthlink in 2006 began to redirect users and information about their requests to the advertising partner Barefruit. If the user tries to go to a non-existent site, the provider redirects it to their advertising page. Intercepting DNS queries (DNS hijacking) is not some rare horror story, but quite common practice.

I suggest recalling some real stories of interception and spoofing of DNS queries. This means that your provider, network administrator or an attacker using MITM can not only store the history of all the sites you requested, but also replace the answers to these requests. Both the request and the response to it are transmitted in the clear, without any encryption. Each time you want to open a site, the browser sends a request indicating the domain to the DNS server, which in response sends the necessary IP address. The architecture of the domain name system (DNS), with rare exceptions, has remained unchanged since 1983. Today I will once again draw attention to this problem and talk about how we solve it in Yandex.Browser using DNSCrypt technology. Unfortunately, many people forget about another unprotected side, namely, DNS queries. When it comes to protecting web traffic from interception and spoofing, the first thing that comes to mind is the HTTPS protocol or even your own VPN server.
