
What could a TLA do with this if it had time to plan ahead?


Serve malicious updates from a locally controlled machine, for one. Lord knows about auth.


Do most DNS forwarders not block addresses that resolve to a local IP these days? I know dnsmasq does, and NextDNS too I think.


I think most will see it as a DNS rebinding attack [1].

1. https://en.wikipedia.org/wiki/DNS_rebinding


That’s the phrase I was looking for!


Why? Having local IPs on a public DNS is a legitimate use case.


As another reply mentioned, to prevent DNS rebinding attacks. The general expectation is you will whitelist domains from which you expect RFC1918 responses.
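The filtering discussed in this thread, sketched as an added example (not part of any comment, and not dnsmasq's or NextDNS's code): a resolver-side check that drops answers pointing at private, loopback or link-local addresses unless the queried name is on an allowlist. The allowlist entries, function names and sample names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist: zones expected to return RFC 1918 answers (assumption).
REBIND_ALLOWLIST = {"corp.example", "nas.home.example"}


def is_local_address(addr: str) -> bool:
    """True if addr is private, loopback, link-local or unspecified."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.0.10) so it cannot slip past the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def is_allowlisted(qname: str, allowlist=REBIND_ALLOWLIST) -> bool:
    """Match the zone itself or a subdomain on a label boundary only."""
    name = qname.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in allowlist)


def filter_answers(qname: str, answers, allowlist=REBIND_ALLOWLIST):
    """Return (kept, dropped) address lists for one DNS response."""
    if is_allowlisted(qname, allowlist):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_local_address(addr) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed responses: (query name, returned A/AAAA records).
    samples = [
        ("updates.example", ["192.168.1.1"]),
        ("nas.home.example", ["10.0.0.5"]),
        ("cdn.example", ["1.1.1.1", "::ffff:192.168.0.10", "127.0.0.1"]),
    ]
    for qname, answers in samples:
        kept, dropped = filter_answers(qname, answers)
        print(f"{qname}: kept={kept} dropped={dropped}")
```
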


In fact, some people block domains by routing them to 127.0.0.1 in their hosts files. I've used private ranges too, in places where loopback might possibly do something funky.


> Serve malicious updates from a locally controlled machine. Lord knows about auth.

Wouldn't they have to break into my local machine first, plant an update service, and an update? That doesn't seem to scale well at all, and wouldn't it be easier to just break into the machine they want to 'update'?


A fairly prominent update service already runs from the domain microsoft.com. Many machines come with it preinstalled.


The erroneous DNS change wouldn't help that sort of exploit. It just redirects attempts to contact microsoft.com to a local address, probably a router.


That's exactly what I said in the first post.


Why doesn't Windows Update use authentication (e.g. HTTPS)?


They do: the updates are signed so our hypothetical spies would need to have a zero day in Authenticode or to have compromised the signing keys.



