I have been experimenting with MITM attacks for over 7 months, and I have been forced to seriously analyze my configurations quite a few times for deficiencies and vulnerabilities.
I now believe that
- consistent package signatures
- mirrors that support https only
- services like stubby (DNS over TLS)
are definitely a first step towards better security, one that wipes out an entire family of attacks.
DNS over HTTPS has been suggested and promoted to solve this problem inside our browsers, but this solves the problem only partially: other applications and services are still affected by the same vulnerabilities.
In my opinion, in fact, actively fighting transparent DNS proxies and spoofing, … at the system level is important to regain control of DNS, a prerequisite for a better internet, not just for our favorite browsers, but for any other service our computers are expected to provide us.
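As an added illustration of the system-level DNS-over-TLS step mentioned above (this is example configuration, not the poster's own), here is a stubby.yml that forces TLS to the upstreams and requires the upstream certificate to be authenticated; the two public resolvers and their auth names are assumptions, not values from the post. The security-relevant point is `tls_authentication`: with `GETDNS_AUTHENTICATION_NONE`, DoT still encrypts the channel but an on-path proxy can terminate it with any certificate, so the protection against spoofing depends on `REQUIRED` plus a `tls_auth_name` per upstream.

```yaml
# stubby.yml - example DNS-over-TLS stub resolver configuration (assumed values)

# Act as a stub resolver that forwards everything to the upstreams below.
resolution_type: GETDNS_RESOLUTION_STUB

# Only TLS is allowed; no fallback to plaintext UDP/TCP port 53.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# REQUIRED: the upstream certificate must match tls_auth_name (or a pinset).
# Weak setting to avoid: GETDNS_AUTHENTICATION_NONE (opportunistic, MITM-able).
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to reduce size-based traffic analysis on the encrypted channel.
tls_query_padding_blocksize: 128

# Do not leak the client's subnet to the authoritative servers.
edns_client_subnet_private: 1

# Spread queries over the upstreams and keep connections open (ms).
round_robin_upstreams: 1
idle_timeout: 10000

# Only listen on loopback so stubby is not exposed to the local network.
listen_addresses:
  - 127.0.0.1
  - 0::1

# Assumed upstreams: address_data is the resolver IP, tls_auth_name is the
# hostname the certificate must be valid for. A tls_pubkey_pinset entry can
# additionally pin the SPKI digest; none is shown here to avoid stale pins.
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
```

Point /etc/resolv.conf (or the system resolver) at 127.0.0.1 afterwards; otherwise applications keep using whatever resolver DHCP handed out, which is exactly the path a transparent proxy intercepts.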