[userbinator]

send your own response with your IP before the real response comes back

Being able to inject traffic is not "passive".

[billpg]

The DNS response doesn't have to come from the same channel as the original request. If you've got an ISP that doesn't check the source IP of what you're sending, your target's endpoint will see your fake response and treat it as the real one.

Where we stand now, the only thing stopping an eavesdropper from becoming a man-in-the-middle is the will and resources of that eavesdropper.

[Karunamon]

Yup - but there's still a difference. Someone might just want to snoop on your traffic rather than mess with it.