1. 28

  2. 9

    My parents’ ISP hijacks their DNS queries. I personally think that’s a bigger problem than Google or Cloudflare having a little more information about what websites they visit. They universally access websites via Google, I’ve literally seen them go to google.com in order to type the full domain name of a different site. Google definitely already knows everything they do without DoH.

    My ISP does the same, but doesn’t appear to interfere if I use or, so I’m “safe” for now. I haven’t actually done any verification, I just haven’t noticed anything fishy. So am I really safe? I’ve considered forwarding my home DNS traffic over a site-to-site IPsec VPN to a nearby data center, but haven’t gotten around to it. I’d rather just have DoH / DoC since I already use Cloudflare and Google as my resolvers to avoid my ISP’s tomfoolery.

    Maybe the ISP threat in Europe is minimal, but here in the US it’s very real.
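A check for the “am I really safe?” question in the post above, as an added example that is not part of the original thread: the parser below inspects a DNS reply to a name that cannot exist (a random label under the reserved `.example` TLD) and flags a resolver that returns an A record instead of NXDOMAIN, which is the classic ISP search-page rewrite. Both reply packets are constructed inline; `nonexistent-probe.example` and `203.0.113.10` are placeholder values.

```python
"""Detect NXDOMAIN rewriting by a resolver (constructed example, not from the thread)."""
import secrets
import struct

def random_probe_name() -> str:
    # .example is reserved (RFC 2606), so an honest resolver must answer NXDOMAIN
    return f"nx-{secrets.token_hex(6)}.example"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    # Header: id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_response(msg: bytes) -> dict:
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        while msg[off] != 0:
            off += msg[off] + 1
        off += 1 + 4                         # root label + QTYPE/QCLASS
    a_records = []
    for _ in range(an):
        if msg[off] & 0xC0 == 0xC0:          # compression pointer (2 bytes)
            off += 2
        else:                                # uncompressed labels
            while msg[off] != 0:
                off += msg[off] + 1
            off += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": qid, "rcode": flags & 0x000F, "a_records": a_records}

def looks_hijacked(response: bytes) -> bool:
    """A reply for a name that cannot exist must be NXDOMAIN (rcode 3) with no A records."""
    r = parse_response(response)
    return r["rcode"] != 3 or bool(r["a_records"])

def _sample_reply(flags: int, answers: list) -> bytes:
    # Constructed reply: copies the question and appends one A RR per address
    question = build_query("nonexistent-probe.example")[12:]
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                   + bytes(int(x) for x in ip.split(".")) for ip in answers)
    return header + question + rrs

HONEST_NXDOMAIN = _sample_reply(0x8183, [])              # QR, RD, RA, rcode 3
FORGED_SEARCH_PAGE = _sample_reply(0x8180, ["203.0.113.10"])  # rcode 0 + forged A
```

To run it live, send `build_query(random_probe_name())` over UDP port 53 to the resolver under test and pass the raw reply to `looks_hijacked`.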

    1. 10

      One aspect I feel is frequently left out is that, while it might make sense for Americans to let Google/Cloudflare see their DNS traffic instead of their ISPs, the situation is different in the rest of the world, even if we assume ISPs are equally shady everywhere. As a Norwegian, the current structure means that my ISP, a Norwegian company which follows Norwegian privacy laws, and who I have some form of legal leverage over if I feel they aren’t respecting the relevant privacy laws, gets all my DNS queries. I also have a voice in what those privacy laws should be. If we were to move to a system where Google gets all my queries instead, I would have almost no recourse if I feel like they’re not respecting privacy laws, and I would have no way to vote on what the laws would be. It would be an exclusively worse state of affairs.

      1. 2

        I agree that’s an issue, but it’s separate from DNS itself. International companies should have to respect the laws of other countries they operate in, and there should be a path to legal recourse if they don’t. The legal protections you have should apply everywhere on the internet, not just DNS.

        Web trackers are already so prolific, I’m not convinced this fight over DNS makes any difference. I personally would be satisfied as long as privacy plugins like Ghostery can block requests to centralized DNS like they block other tracking requests. I’m frustrated by this debate because I feel like it’s more important to tackle wide-sweeping regulation than bike shed DoH, especially considering so many people voluntarily use,, and anyway. Although again, I’m in the US, I don’t know how common that is in Europe.

      2. 2

        At least in France, Germany, Belgium and Luxembourg I never experienced it ever.

      3. 5

        This discussion is a false choice between “should Google/CloudFlare violate my privacy” and “should ISPs violate my privacy”.

        1. 1

          Then please enlighten us, what are the other options?

          1. -1

            I don’t pretend to know all of the options, but I do know some. There could be others that are better than these:

            • Home routers that do resolution for you through blockchain namespaces via thin clients or full nodes
            • CJDNS
            • Mesh networks and local ISPs like Sonic.net

            For those who are concerned about IP tracking as well, we already have onion-routed protocols, and new ones like mix-nets, Vuvuzela and still more.

            When big-name companies publicly make embarrassing and shortsighted decisions, suddenly we forget innovation is a thing?

            1. 4

              I’m sorry, but… what just happened to simply running your own local resolver? You can easily set up a local unbound to resolve names for you. You can just as easily rent a VM somewhere, set up unbound as a DNS-over-TLS/DNS-over-HTTPS resolver and use that as your own private DNS server.

              There seems to be no need to turn to something obscure when the answer might as well be simple. This doesn’t even require innovation. It just requires you to care enough to take matters into your own hands, or come together as collectives and run DoT/DoH resolvers yourself.

              1. 1

                I’m sorry, but… what just happened to simply running your own local resolver? You can easily setup a local unbound to resolve names for you.

                This is exactly how it works today. My understanding is that the DoH stuff that Firefox wants to do will undermine this by disrespecting the DHCP info with the DNS server info.

                1. 0

                  The “DoH stuff” can indeed be configured to “undermine” the DNS server provided by DHCP. But that’s not a bad thing. You have the choice of setting up your own DoT/DoH-capable DNS resolver and configuring your system and/or Firefox to use this. You can also tell Firefox not to care about using DoH at all. “Disrespecting” the settings acquired by DHCP is, in general, a feature, not a bug. I don’t want to trust DNS resolvers provided by e.g. hotels or other public wifi networks. I want to use my own resolver via a secure connection. DNS-over-TLS and DNS-over-HTTPS allow me to do just that.

                  1. 1

                    You might do that, you nerd, but nobody else, including your grandma or most of your friends and family will.

                    We need to design better systems for them, or there will be a revolution.

              2. 1

                No one has forgotten innovation is a thing, everyone is concerned about how to actually launch a DNS replacement that gets widespread adoption for the average user, with minimal breakage.

                1. 0

                  everyone is concerned about how to actually launch a DNS replacement that gets widespread adoption for the average user, with minimal breakage.

                  Some people are. (Like the ones behind the projects I mentioned.)

                  Others seem more focused on discussing (and justifying) whether it’s better to send everyone’s DNS to CloudFlare or to Comcast.

                  1. 1

                    We’re having this discussion because DoH / DoC is the first solution that actually seems to have any meaningful chance of getting traction, and privacy is the major concern people have with it.

                    1. -4

                      Who says it’s a solution? You? Seems like a problem to me.

                      1. 1

                        I’m sorry, I refuse to participate in disingenuous discussions. If you genuinely see zero advantages for end users, you should reread the original post.

                        1. -2

                          I’m sorry, is the advantage their data is being sent to CloudFlare instead of Comcast?

                          1. 1

                            The advantage is that DoH lets me and more importantly, my friends, evade South Korean censorship of North Korean websites.

                            1. 0

                              Cloudflare already has (lots of) my data, so I guess that is an advantage. More than my ISPs, since they’re terminating SSL on a lot of sites I use.

            2. 1

              South Korea, with valid backing of democracy and law, nationally censors North Korean websites by violating DNS protocol and forging false replies. DoH evades this censorship and is very effective for now.