Damn, this is a good point. Just because of network architecture, ultimately somebody -- either the client or the network -- has to have the Final Word on where DNS requests go, and either way opens people up to attacks depending on the scenario. If the client has the Final Word, you can't stop your Chromecast from talking to 8.8.8.8; if the network has the Final Word, you can't trust DNS on foreign networks or use your own resolver.