On security topic, it is possible to avoid DNS point to multi-point cleartext broadcasts.
There is DNS over TLS, DNS over HTTPS, and there is also a classic method...
Example (add to Windows hosts file):
185.20.49.7 rejetto.com
www.rejetto.com hfsservice.rejetto.com hfstest.rejetto.com
162.88.175.4 checkip.dyndns.org
Method: Copy c:\windows\system32\drivers\etc\hosts to desktop, edit, then reverse-copy (or a hosts utility program).
To get addresses, cmd, nslookup website.com and then search the ip to confirm owner. Then you can force windows to get the authentic address, every time, without reliance on a cleartext lookup from a random vendor.
Windows host file can't wildcard but it can do up to 9 url's per each ip address on the same line.
Example home-size open-source router's DNSmasq:
address=/rejetto.com/185.20.49.7
address=/checkip.dyndns.org/162.88.175.4
Method: Enter at dnsmasq custom config box in tomato or dd-wrt router. Other Linux is similar.
DNSmasq can wildcard, so the less your are specific, the more it will go to the ip address specified.
Gap:
If your hfs.ini list of ip-services= is automatically updated to different url's, it may do DNS lookups/broadcasts point to multi-point in the clear, until you find out and manually update your local lookups. That is how the classic method is inferior to newer methods, such as DNS over TLS, DNS over HTTPS.
Potential patch:
If future ip-service= updates were IP addresses (not url's), that could obsolete this post.