> … some sort of "sanity check" against the license server endpoint IPs does make sense.
No it doesn’t. If you want to verify the response from a given endpoint, cryptographically sign the response and verify the signature. TLS + hostname verification for the license server is pretty close too (with the proviso that you’re trusting the CA cabal to not let someone else spoof you).
There’s no world where it’s okay for software or even hardware to mess with networking or DNS.
> with the proviso that you’re trusting the CA cabal to not let someone else spoof you
And keep in mind that usually, the user has ultimate control over the "CA cabal". Since the user is the antagonist in the world of DRM, relying only on HTTPS might not be the best idea.
But then again, the whole effort of preventing the user from doing what they want on hardware and an OS they have total control over might not be the best idea in general.
No it doesn’t. If you want to verify the response from a given endpoint, cryptographically sign the response and verify the signature. TLS + hostname verification for the license server is pretty close too (with the proviso that you’re trusting the CA cabal to not let someone else spoof you).
There’s no world where it’s okay for software or even hardware to mess with networking or DNS.