Re: What am I missing?
Allow me to demonstrate transparent proxying for you.
- You think you're talking DNS to 184.108.40.206 (Google's DNS server, as an example).
- Something between your application and the outside world (router, firewall software, anything that can sniff and modify packets en-route, basically, including software on the machine itself) sees that packet, looks inside, changes it to point at whatever server they want to and then sends it on its way.
- The DNS server it sends the query to sends a reply with whatever the hell they like (including redirecting your google searches to dodgy domains, etc.). Google listen out in vain silence for your (never-going-to-arrive) packets.
- When the reply comes back to your computer, you have ZERO idea which DNS server resolved that without checking thoroughly (which nobody does, not even web browsers accessing secure sites - DNS is assumed to be "authoritative", and only DNSSEC can fix this) but, hell, you TYPED IN www.mybank.com so it must be safe, right? (And, yes, SSL does have some fixes against this but NOTHING in the way you think - SSL is very reliant on DNS being authoritative)
There is nothing in the world that is going to be able to detect that until DNSSEC comes along. You know how I know? I run transparent proxies in work so even though everyone "thinks" they are going to www.facebook.com via their DNS lookup (and all their laptops have different settings for DNS), they are actually ALL going via OpenDNS and the school DNS filters lookup of the address. I can even turn all their images upside down or make paypal.com look like it's bbc.co.uk if I want.
DNS Changer literally adds itself to your Windows list of DNS servers and HACKS INTO common router models to change the settings on there too. Is your trusted DNS server that your network gives out via DHCP pointing to your broadband router at any point? 99% of home installations have a setup like that - anyone with a cable modem or ADSL router will use the modem/router as a DNS server and default gateway. This thing actually logs into your router via backdoors and changes your ROUTER settings to change the upstream servers it uses.
When was the last time you logged into the router interface and checked the DNS it uses, seeing as " all the machines on the LAN are configured to point to the router as the DNS source"? DNS is inherently insecure, interceptible and modifiable. Don't trust it. And certainly don't trust your local network to provide it without being VERY sure that it's all clean.
Saying that, they should just switch the damn thing off and let people moan. A few hundred thousand machines less on the Internet who are crawling with obvious malware is a GOOD thing. Their own Internet access is a secondary concern to not spreading that junk to all of us.