I don't know if that's right. It seems to me that this could be a critical part of a larger attack:
One attack that occurs to me is to pause a client when it is looking up a DNS name, but before it has gotten the response. With the plaintext DNS response you can get the ID field and forge a response. If you can do this during an HTTP request you might be able to redirect your victim to another server.
TLS might not be much of a problem either: a lot of devices poll HTTP URLs to detect "captive portals" -- many offices even use these for corporate login via wifi, so our attacker may attempt to go after this infrastructure to collect corporate credentials.
There's probably more: Applications have been assuming this wasn't possible for a long time, so there are likely a lot of vulnerable targets.
It is a MitM attack on WiFi networks that seems to have an effect similar to the one provided by ARP spoofing, but works on networks with client isolation enabled, where ARP spoofing doesn't.
I for one am very concerned that someone may be able to spoof a device on my WLAN and listen to plain text packets or spoof packets of a device. Do you know how many users would click proceed if they got a certificate mismatch warning not even knowing what it means?
If you're passing around sensitive information with even TLS then you're already exposed to far easier attacks than this.
Interesting find but nothing to worry about overall.