  2. 20

    Alternatives to Google and Cloudflare are very welcome.

    Name resolution is getting too centralized on those as of the ongoing explosion of DoH adoption.

    1. 7

      As it stands I trust this significantly less than Cloudflare and Google. There is no privacy policy on the website and there is no mention of any legal entity behind the service so, if you use it, you

      1. have no idea what they do with your data (and remember, persistent SSL cookies means that if you use DoH, then you can be tracked across networks!)
      2. have no idea who to hold responsible for infringements on your privacy.
      1. 3

        We have added a privacy section to the DNS webpage, because indeed it could be difficult for people to extract that information from our generic terms page.

        1. 3

          I wouldn’t trust Google with my data no matter what privacy policy they would be claiming. In the end those policies don’t mean much. Better use common sense and instincts. These guys seem to me to be small scale in the “fed up with big corp” department. At least for now ;)

          1. 2

            There is no privacy policy on the website

            I was also looking and found this.

            1. 2

              Yes, I saw that as well, but discounted it as it’s on a separate website and

              • there is no mention of when those terms were last updated and
              • there is no mention of who controls these services so there is no one to hold liable for any violation of those terms.

              EDIT: I’m sure the (AFAICT 3) people running this service are well-intentioned, but my point is that, unless you personally know these people, then you can trust them about as much as you can trust 3 randos coming up to you in public to offer you free candy.

          2. 4

            Who are the folks running this?

            1. 11

              We are a group of Open Source hackers. We value privacy, and we set up services that we find useful. Partially to scratch our own itch. But also because we feel that we should do our part and offer alternatives to Corporate centralization.

              1. 5

                https://libreops.cc/about.html ?

                Looks like a group is libreho.st

              2. 2

                Is this not simply “librewashing” a bad idea? i.e. giving proponents of centralized DNS a way to claim that it is not just Google and Cloudflare running this? Or am I being too cynical here?

                1. 1

                  I think that’s too cynical. How is standing up a service to compete with Cloudflare and Google bad for centralization?

                  What would be better is if 50 other organizations did the same thing.

                  1. 2

                    How is standing up a service to compete with Cloudflare and Google bad for centralization?

                    That was not exactly my point. My point is that it is irrelevant to have multiple copies of a bad idea. No matter how many “copies” of a DoH service you have, it remains a force of centralization. Sure there will be many at first, but in the end only 2 or 3 will get serious adoption.

                    Were one to deploy DoH in a decentralized style, i.e. every ISP deploys a DoH server for its customers, DoH brings you exactly nothing compared to DoT or even plain DNS. DoH encourages further centralization, and that is the bad thing here.

                    If you are operating in a hostile network, e.g. when traveling, DoH also doesn’t really solve your problem. It may at the moment, but not when the capabilities of attackers catch up. Back to square one. Only a real VPN to a “trusted” endpoint would help in that scenario.

                    So DoH does not solve any real problem in a satisfactory way, instead it encourages further centralization.

                    1. 3

                      No matter how many “copies” of a DoH service you have, it remains a force of centralization.

                      You’ve made this assertion, but I don’t see you doing anything to support it, notwithstanding your point that DoH doesn’t offer anything over DoT (which is moot and anyway this service also provides DoT).

                      So, again, why is DoH bad for centralization?

                      1. 1

                        So, again, why is DoH bad for centralization?

                        Ah, I think there was some confusion here. I consider centralization a bad thing, not a good thing… DoH is good for centralization indeed!

                        1. 2

                          You can swap the question if you want, but it’s still a question you haven’t answered. Why is DoH good/bad for centralization?

                2. 2

                  https://securedns.eu offers an ad-blocking version of the resolver, would be nice to see that here too

                  1. 1

                    I didn’t dig into the DoH RFC, but how is that supposed to work:

                    https://doh.libredns.gr/dns-query

                    I understand how 1.1.1.1 works over HTTP as that does not need DNS resolution, but how can I resolve a DNS query without DNS?

                    1. 2

                      My guess is it’s bootstrapped via traditional DNS.

                      1. 0

                        DoH, in layman’s terms, uses HTTPS (the S stands for secure) to ask a remote DNS server and get the reply in Firefox. The traditional way is for Firefox to ask your operating system, and your operating system asks your DNS via UDP, which means cleartext & unencrypted traffic.

                        1. 1

                          Did you mean to reply to me? I’m well aware of how DNS (intimately) and DoH (from the spec) work. The GP was asking how it was possible to use a domain name to reference a DoH server, to which the obvious answer is that it finds the DoH server’s IP address by querying traditional DNS.

                      2. 2

                        For Firefox at least, the DoH settings are all prefixed in about:config with “network.trr”, and there is a ‘network.trr.bootstrapAddress’ setting which allows you to specify a traditional DNS server to bootstrap the DoH system with. If it’s left empty, the bootstrapping defaults to your OS configured DNS resolver.

                        1. 2

                          Actually:

                          network.trr.bootstrapAddress

                          https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.bootstrapAddress

                          by setting this field to the IP address of the host name used in “network.trr.uri”, you can bypass using the system native resolver for it
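As an added example (not code from the thread or from the LibreOps project), here is the mechanism the question and the bootstrap replies above describe: the client builds an RFC 8484 GET request from a wire-format DNS query, and the only thing it still needs plain DNS (or a configured bootstrap address) for is the endpoint hostname itself. The response bytes are constructed for the example, not captured from the service.

```python
import base64
import struct
from urllib.parse import urlparse

# Endpoint quoted in the thread; its hostname is what a client must resolve
# out of band before it can send any DoH request at all.
DOH_URL = "https://doh.libredns.gr/dns-query"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035) with RD=1; RFC 8484 suggests txid 0
    so identical queries produce identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(wire: bytes, url: str = DOH_URL) -> str:
    """RFC 8484 GET form: the wire message goes in ?dns= as unpadded base64url."""
    return f"{url}?dns={base64.urlsafe_b64encode(wire).rstrip(b'=').decode()}"

def bootstrap_target(url: str) -> str:
    """Hostname that must be resolved classically (Firefox: via the system
    resolver or network.trr.bootstrapAddress) before DoH can be used."""
    return urlparse(url).hostname

def parse_a_records(resp: bytes) -> list[str]:
    """IPv4 answers from a DNS response; handles compression pointers (0xC0xx)."""
    qd, an = struct.unpack("!HH", resp[4:8])
    def skip_name(o):
        while True:
            l = resp[o]
            if l == 0: return o + 1
            if l & 0xC0 == 0xC0: return o + 2
            o += 1 + l
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4          # QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return out

# Constructed sample response: example.com A 192.0.2.1, answer name given as
# a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Sending `doh_get_url(build_query("example.com"))` over HTTPS is the whole protocol; the bootstrap step exists only because the HTTPS client has to find `bootstrap_target(DOH_URL)` first.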