DNS Security

The Symantec Security Response weblog has a good entry today on DNS security. It’s worth reading. The problem I see is that it’s short on solutions. Sure, it’s a nice observation that SSL will warn you, but what else can you do?
I appreciate that they didn’t go with the “use OpenDNS” kneejerk response that I see a lot. Depending on your ISP, the OpenDNS servers may be more secure. But if you’re a large company, you want your ISP to be certified and accredited. It may be easier to force your ISP to obtain that (you’re paying them a lot of money, after all). As the article states, the DNS response is still vulnerable to spoofing.
There were a couple of points not covered by the article.
1. What if you get infected and the infection changes your DNS server settings? Will you catch that?
2. DNSSEC, if it were ever implemented, would provide some protection. I would have been interested in the author’s take on that.
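One way to answer the first question on a Unix-like host, as an added example (not from the Symantec entry or this post): parse the host’s resolv.conf and alert on any configured resolver that falls outside the networks you actually approved. The approved ranges and the sample file below are constructed values.

```python
import ipaddress
from typing import Iterable

# Resolvers the organisation actually operates (constructed example values):
# two internal resolvers plus the ISP's resolver range.
APPROVED_RESOLVER_NETS = [
    ipaddress.ip_network("10.1.0.53/32"),
    ipaddress.ip_network("10.1.1.53/32"),
    ipaddress.ip_network("203.0.113.0/24"),  # ISP resolvers (constructed)
]

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Extract nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        # Drop anything after a '#' or ';' comment marker, then tokenise.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def unapproved_resolvers(servers: Iterable[str],
                         approved=APPROVED_RESOLVER_NETS) -> list[str]:
    """Return configured resolvers not inside any approved network.
    Entries that are not valid IP addresses are flagged as well: a resolver
    you cannot identify is not one you approved."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)
            continue
        if not any(addr in net for net in approved):
            flagged.append(s)
    return flagged

# Constructed sample: a resolv.conf where a third resolver was silently added.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.1.0.53
nameserver 10.1.1.53
nameserver 198.51.100.7
"""

if __name__ == "__main__":
    bad = unapproved_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))
    print("ALERT: unapproved DNS resolvers:", ", ".join(bad) if bad else "none")
```

On Windows the same comparison applies to each adapter’s configured DNS servers rather than resolv.conf; run it from an endpoint agent or a scheduled task so a change is caught rather than discovered by accident.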