
No, because you're ignoring the fact that one of the 15-odd places that an attacker can bust up to redirect traffic to their own servers is the "observe all packets" vantage point, which allows them to predict DNS XIDs and source ports.

I know you're smarter than this, Colin. I think you're being pedantic. Would you advise anyone on this message board any differently than me? I think you already said "no".
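
An added example, not from anyone in this thread, of the point made above about the "observe all packets" vantage point: a resolver that randomises its source port and transaction ID only defends against a blind, off-path spoofer, because the acceptance check it runs on a UDP response (right port, right XID, same question) can be satisfied directly by anyone who saw the query on the wire. The packet builder, parser and "resolver" below are minimal RFC 1035 wire-format code written for this illustration; the name, port range and address are constructed.

```python
import secrets
import struct

# Constructed example: the name and the IP below are made up for illustration.

def encode_name(qname):
    """RFC 1035 wire form of a domain name: length-prefixed labels, zero terminator."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(xid, qname, qtype=1):
    """Minimal DNS query: 12-byte header, one question, class IN."""
    header = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (xid, question_bytes); question_bytes is the raw question section."""
    xid = struct.unpack("!H", pkt[:2])[0]
    off = 12
    while pkt[off]:          # walk the labels until the zero terminator
        off += 1 + pkt[off]
    off += 1 + 4             # terminator + QTYPE + QCLASS
    return xid, pkt[12:off]

def forge_response(xid, question, ip):
    """Answer `question` with an A record for `ip`, carrying the chosen XID."""
    header = struct.pack("!HHHHHH", xid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    rdata = bytes(int(o) for o in ip.split("."))
    # NAME is a compression pointer (0xC00C) to the question name at offset 12;
    # then TYPE A, CLASS IN, TTL 60, RDLENGTH 4.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer

def send_query(qname):
    """Resolver side: random 16-bit XID and random ephemeral source port."""
    src_port = secrets.randbelow(65536 - 1024) + 1024
    xid = secrets.randbelow(65536)
    return src_port, build_query(xid, qname)

def resolver_accepts(src_port, query, arrived_on_port, response):
    """What a resolver checks before believing a UDP answer: it must arrive on the
    port the query left from, carry the same XID, and echo the same question."""
    xid, question = parse_question(query)
    if arrived_on_port != src_port:
        return False
    if struct.unpack("!H", response[:2])[0] != xid:
        return False
    return response[12:12 + len(question)] == question

def observer_forgery(src_port, query, ip):
    """An attacker who sees the query on the wire simply copies port, XID and question."""
    xid, question = parse_question(query)
    return src_port, forge_response(xid, question, ip)

def blind_search_space(port_count):
    """(port, XID) pairs a blind off-path attacker has to cover: 2^16 XIDs times the
    number of source ports the resolver may use. One fixed port: 65536; full 16-bit
    port randomisation: 2^32. An on-path observer needs exactly one packet."""
    return port_count * 65536

if __name__ == "__main__":
    port, query = send_query("www.example.com")
    arrived_on, forged = observer_forgery(port, query, "203.0.113.7")
    print("observer forgery accepted:", resolver_accepts(port, query, arrived_on, forged))
    print("blind search space, fixed port:", blind_search_space(1))
    print("blind search space, random port:", blind_search_space(65536))
```

The observer's forged answer passes every check the resolver has, so on that vantage point port and XID randomisation buy nothing; they raise the cost only for the blind attacker, from 2^16 to 2^32 candidate packets.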



Would you advise anyone on this message board any differently than me? I think you already said "no".

There are two parts to giving advice: Helping people with their immediate question, and helping people better understand the field in question so that they won't need your advice the next time. You told people that what they were talking about doing was a bad idea, which I agree with; but the explanation you gave was misleading.

I agree with your recommendation of "don't do that"; but I think it's important for people to understand WHY they shouldn't do that -- and claiming that it's "no more secure" rather than explaining that it's very slightly more secure obfuscates rather than elucidates.


It's not slightly more secure. Read back through the thread. The reason you gave for it being 0.0001% more secure? Fallacious.



