[Noumenon]

As a retired network engineer, I can attest that all of what you say is true. It doesn't take much to "poison" DNS caches. I've seen too many cases where it's the last place anyone thinks to look. It's a favorite malware target. This doesn't even begin to touch misconfiguration errors at any place along the DNS chain. It can be hard to get someone else to look at their own devices (Cisco, I'm looking at you) in pursuit of finding and correcting the problem.

Late in my career, I became a big fan of the Cradlepoint ecosystem. Their software and devices made it easy to route around most of the common DNS fuckery one would encounter. It did assume that one knew what they were doing. As was too often not the case. IT certs and college classes don't necessarily grant one an intuitive grasp of DNS and IP routing and hardware ecosystems with all of their peculiarities.

I've had to deal with higher-ups who went all ooooh, let's move everything to the cloud. I always had to bring the discussion back to the concept of business continuity. And the question was: how long can you operate the business without cloud connectivity? The same question applied to other critical path systems like servers and firewalls. I was always careful to document the responses to these questions, as I'm sure you can imagine why.

[Svartalfiar]

I really don’t understand why some many companies outsource their cloed/internal systems. It seems like a massive security risk to not host your own systems, especially for big defense companies and similar that can easily afford to do so.