[ignoramous]

> They don’t get traffic going through them.

A rouge DNS can reply to select queries with an IP of a middleware that can TLS proxy and/or MitM that traffic.

We built such a thing mostly for anti-censorship purposes (bypass IP blocks): https://github.com/celzero/midway#demo

[wink]

I use duckdns and the only service I'm accessing through that CNAME is ssh, which checks host keys, so it doesn't have to be a problem.

[drexlspivey]

wouldn’t that invalidate the cerificate?

[piperswe]

If they control the domain, they can get a new valid certificate