I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.
I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...
Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less saavy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.
High skill users have more to fear from a Web Extension, its impact is undetectable and can siphon passwords. Low skill users have more to fear from a malicious DNS server, they won't notice the lack of HTTPS on none-HSTS sites and their hardware will get compromised remotely.
I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with :/// and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.
Which one of these is worse:
a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,
-- or --
b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?
The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.
I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.
> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.
If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.
My point is that both scenarios are catastrophic, and its hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.
As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer
OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.
I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.
>If PiHole is malicious, there is already an attacker on your network
In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.
A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.
I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...
Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less saavy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.
High skill users have more to fear from a Web Extension, its impact is undetectable and can siphon passwords. Low skill users have more to fear from a malicious DNS server, they won't notice the lack of HTTPS on none-HSTS sites and their hardware will get compromised remotely.