
> People own their networks when they're not out in public.

People rent their networks from one, maybe two area options. The consumer networks want to completely control router hardware these days and these days charge extra rental fees for owned hardware instead of rented hardware. (It's fascinating that they can legally get away with that.) Some of the biggest consumer networks have already proven they are happy to use this hardware control to inject additional ads into customers' networks for a paltry amount of additional revenue.

You are correct that people should have networks that they own and trust at home. You may have missed that they don't and consumers have lost that battle. (You may also be underestimating just how much time people spend on devices "out in public". The mobile device has become the most common device for a lot of users. For some users the only device.)

> every application / Trojan writer

They've always had that power.

Applications have never been forced to use OS/network-configured DNS. DNS is an absurdly simple protocol that doesn't even have encryption by default. OS firewalls might block sockets to DNS ports by default, but there are ways to tunnel over other ports plus tools like UPnP given enough user trust.

DoH is a standardized port tunnel but that doesn't mean that unstandardized ones never existed before. Trojans/viruses have been doing weird things to avoid DNS for decades. DoH doesn't make them that much easier.

DoH isn't great and it is a shame that for privacy and control it's a big ugly trade-off/compromise from ideals. It's useful for some people. There are definitely unanswered questions in terms of which big corporation truly cares about privacy. I've seen my monopolist consumer ISP inject ads against my wishes and do change the DNS on my home (owned) routers (that I pay extra for each month despite owning my own hardware because of owning my own hardware). I don't always know what to think about Cloudflare's massive PR engine of how much they claim to value privacy, but so far I've never seen them inject an ad where one doesn't belong nor have I seen ad revenue make a splash in their quarterly reports. They don't seem to be an ad company. (Yet?)

Trust is hard and we all have different threat models. I don't blame you for distrusting Cloudflare. I have direct evidence for distrusting my current ISP and indirect evidence for distrusting most consumer ISPs I've encountered, despite being paying customers. There's no free lunch and there's no right answer, just a lot of "least wrong" answers. DoH isn't the right answer objectively. But DoH can be a "least wrong" for some users. Just as trying to be the MITM in networks you own is quite wrong from a security standpoint (once you've got one MITM it becomes harder to trust that there isn't a second one) but may be the "least wrong" answer for some users including maybe you.




Trust is hard, yes. Cloudflare might not be going for the low hanging fruit such as injecting ads, but they clearly want to be a monopoly around whom the Internet recentralizes.

Moving DNS from an ISP, who we pay and with whom we have legal contracts, to a company that does things, supposedly, for altruistic reasons, with whom we do NOT have contracts, doesn't fix anything. It makes things worse. The solution is to remove DNS from your ISP and run it yourself, or use a not-for-profit that isn't trying to become a monopoly, that isn't in a position to have its data syphoned off by the NSA, that doesn't knowingly and willingly host spammers, phishers and scammers.

How about we don't trust ISPs AND we don't trust Cloudflare?

BTW - I have to flatly disagree with your suggestion that, "once you've got one MITM it becomes harder to trust that there isn't a second one". That's ridiculous. I can check and verify things to a much greater degree by running my own network. Also, I never said anything about MITMing my own network. I want to run my own DNS and block DNS to the rest of the Internet. That's not MITM.

The least wrong thing is to not replace something that MIGHT be shitty with something that MIGHT also be shitty, but might also open you to new problems and security issues. The idea that it MIGHT be less shitty isn't a good enough reason for DoH.


> The solution is to remove DNS from your ISP and run it yourself

This doesn't work because if you run your own recursive DNS server, it will make insecure requests to all of the authoritative servers, and so your ISP can hijack them all. And DNSSEC will keep you from getting sent to the wrong domain, but won't help you figure out the right domain.


> I want to run my own DNS and block DNS to the rest of the Internet.

Your private recursive DNS server, of course, has to send requests to the rest of the internet; you don't want to block those. They don't have to be plaintext, unless the authoritative server in question only talks plaintext.


Of course, and it's obviously easier to configure a single recursive resolver to prefer encryption wherever possible than it is to try to configure each client (or in the case of DoH, each program) to do opportunistic encryption.

The point is that these requests don't go to my ISP's DNS servers.

And for the other people who're making up unrealistic scenarios such as the ISP trying to MITM all DNS, not just queries they answer, there are many forms of tunneling that can be used such as VPNs. It's still easier to do one solution for the whole network than individual solutions for each client (or each application, for DoH).


> People rent their networks from one, maybe two area options.

That's not the LAN.

> The consumer networks want to completely control router hardware these days and these days charge extra rental fees for owned hardware instead of rented hardware. (It's fascinating that they can legally get away with that.)

You can put your own router behind theirs. It's ridiculous for them to make you do that but nothing actually stops you.

> You may also be underestimating just how much time people spend on devices "out in public".

For which anyone can use a VPN.

> Applications have never been forced to use OS/network-configured DNS. DNS is an absurdly simple protocol that doesn't even have encryption by default. OS firewalls might block sockets to DNS ports by default, but there are ways to tunnel over other ports plus tools like UPnP given enough user trust.

Your local network can intercept ordinary DNS queries to any server and redirect them to your own. To work around this, a piece of malware would have to contact some custom server on a different port to do a name lookup -- but where does it look up that server's IP address? Hard-coding the IP address allows the malware's lookup server to be blocked.

But if centralized DoH servers become too popular to block because blocking them breaks too many legitimate applications, now the malware can use them and the user can't block them.

> I don't always know what to think about Cloudflare's massive PR engine of how much they claim to value privacy, but so far I've never seen them inject an ad where one doesn't belong nor have I seen ad revenue make a splash in their quarterly reports. They don't seem to be an ad company.

The question is, what are they doing with the data they collect?

> There's no free lunch and there's no right answer, just a lot of "least wrong" answers.

There is already a "least wrong" answer: Use a VPN you trust and use your VPN's DNS or run your own. VPNs have plenty of competition, and you can set up your own on any hosting provider, which also have plenty of competition.

This is basically the same thing as having Cloudflare do it over TLS, except that it's not centralized and remains in the control of the user, so is better.


> That's not the LAN.

It doesn't matter much that your LAN itself is trustworthy if the only way out of it isn't.

> You can put your own router behind theirs. It's ridiculous for them to make you do that but nothing actually stops you.

Yes, you can do that, but it doesn't do anything to help with the problem that DoH solves.

> For which anyone can use a VPN.

I want to live in a world in which you can have privacy without having to be on a VPN 24/7.

> To work around this, a piece of malware would have to contact some custom server on a different port to do a name lookup -- but where does it look up that server's IP address? Hard-coding the IP address allows the malware's lookup server to be blocked.

Couldn't it host a file with the IP on a service like Dropbox or GitHub Pages? People aren't likely to block them at the firewall.

> But if centralized DoH servers become too popular to block because blocking them breaks too many legitimate applications, now the malware can use them and the user can't block them.

Isn't this basically "privacy for computer programs is bad because malware benefits from it", which is wrong for the same reason that "privacy for people is bad because criminals benefit from it"?

> The question is, what are they doing with the data they collect?

What's your ISP doing with all of the data they collect from your insecure DNS queries? And if you're concerned about Cloudflare in particular, then just use some other DoH provider.

> There is already a "least wrong" answer: Use a VPN you trust and use your VPN's DNS or run your own. VPNs have plenty of competition, and you can set up your own on any hosting provider, which also have plenty of competition.

> This is basically the same thing as having Cloudflare do it over TLS, except that it's not centralized and remains in the control of the user, so is better.

Cloudflare doesn't have a monopoly on DoH. There's plenty of competition between providers for it too: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-av...


> It doesn't matter much that your LAN itself is trustworthy if the only way out of it isn't.

> Yes, you can do that, but it doesn't do anything to help with the problem that DoH solves.

Well sure it is, because if you know the ISP isn't trustworthy, then you can have your own local DNS server encrypt the DNS traffic to the upstream DNS server of your choosing.

> I want to live in a world in which you can have privacy without having to be on a VPN 24/7.

Something has to encrypt the DNS queries. Why is TLS/HTTPS any better than a VPN?

> Couldn't it host a file with the IP on a service like Dropbox or GitHub Pages? People aren't likely to block them at the firewall.

Those services will take down the page when it's hosting malware.

> Isn't this basically "privacy for computer programs is bad because malware benefits from it", which is wrong for the same reason that "privacy for people is bad because criminals benefit from it"?

The question is, privacy from who? Privacy from governments and corporations is good. Privacy from the device owner is bad.

> What's your ISP doing with all of the data they collect from your insecure DNS queries?

Nothing, when you configure your LAN or device to encrypt them.

> And if you're concerned about Cloudflare in particular, then just use some other DoH provider.

Hard-coding Cloudflare in multiple applications on multiple devices makes it arduous to do this, which is the entire criticism.


> Well sure it is, because if you know the ISP isn't trustworthy, then you can have your own local DNS server encrypt the DNS traffic to the upstream DNS server of your choosing.

Isn't DoH exactly the way to "encrypt the DNS traffic"?

> Something has to encrypt the DNS queries. Why is TLS/HTTPS any better than a VPN?

Because with a VPN, you need a VPN endpoint that costs somebody money to run. With TLS/HTTPS, there are no extra systems in the mix.

> Those services will take down the page when it's hosting malware.

Don't domains hosting malware get seized and taken down too?

> The question is, privacy from who? Privacy from governments and corporations is good. Privacy from the device owner is bad.

I 100% agree with this. DoH only provides the former, though.

> Nothing, when you configure your LAN or device to encrypt them.

Again, isn't DoH exactly the way to encrypt them?

> Hard-coding Cloudflare in multiple applications on multiple devices makes it arduous to do this, which is the entire criticism.

Other than Firefox, what applications currently have Cloudflare hardcoded as their default DoH provider?


> Isn't DoH exactly the way to "encrypt the DNS traffic"?

There are any number of ways to do it, the most relevant factor being that the user can choose which DNS server they want to trust, not which protocol you use.

> Because with a VPN, you need a VPN endpoint that costs somebody money to run. With TLS/HTTPS, there are no extra systems in the mix.

Someone is paying to run the DoH servers. You might also ask why they're doing so, for free, when that costs money.

> Don't domains hosting malware get seized and taken down too?

Malware often uses domains on foreign registries that are legally complicated to seize, so it only happens to the most serious offenders and can take a long time.

You also have vendor spyware which is not going to have its domain seized but is also not going to resort to GitHub Pages for name resolution.

> I 100% agree with this. DoH only provides the former, though.

It doesn't. If legitimate applications are using DoH to a server outside of the device owner's control without providing an expedient way to make them all stop, that server can't be blocked without breaking too many things, and then malware running on the owner's device can use it without being blocked or monitored.

> Other than Firefox, what applications currently have Cloudflare hardcoded as their default DoH provider?

When someone is setting a bad precedent it's reasonable to be concerned about what happens when others follow suit.
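The three cases argued back and forth above (a network owner redirecting plaintext DNS to a resolver they control, blocking DNS-over-TLS by port, and being unable to block DoH to a name that is "too popular to block" without breaking other applications) as a router-side policy run over constructed flow records. This is an added example, not code posted by anyone in the thread; the resolver address, the DoH name list and the log lines are assumptions.

```python
# Router-side egress DNS policy (added example for this thread, not a commenter's
# code): plain DNS is redirected to the owner's resolver, DNS-over-TLS is blocked
# by port, and DNS-over-HTTPS can only be blocked by name. All values are constructed.
from typing import NamedTuple

LOCAL_RESOLVER = "192.168.1.1"  # assumed address of the owner's own resolver
# Assumed DoH endpoints the owner knows of; True means the name also serves
# non-DNS traffic, so blocking it would break legitimate applications.
KNOWN_DOH = {"doh.resolver.example": False, "cdn.platform.example": True}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    sni: str = ""  # TLS server name; empty when not TLS or not visible

def decide(f: Flow) -> tuple[str, str]:
    """Return (action, reason) for one flow leaving the LAN."""
    if f.dport == 53:
        if f.dst == LOCAL_RESOLVER:
            return "allow", "query to the owner's resolver"
        # Other plaintext DNS is DNAT'ed to the owner's resolver, so the answer is local.
        return "redirect", f"plaintext DNS to {f.dst} answered locally"
    if f.proto == "tcp" and f.dport == 853:
        return "block", "DNS-over-TLS bypasses the local resolver"
    if f.proto == "tcp" and f.dport == 443:
        if f.sni not in KNOWN_DOH:
            return "allow", "HTTPS; DoH to an unlisted host looks like web traffic"
        if KNOWN_DOH[f.sni]:
            return "allow", f"DoH via {f.sni} left open: blocking breaks other services"
        return "block", f"dedicated DoH resolver {f.sni}"
    return "allow", "no DNS policy applies"

def parse_log(lines):
    """Parse constructed 'src dst proto dport [sni]' records into Flows."""
    return [Flow(p[0], p[1], p[2], int(p[3]), p[4] if len(p) > 4 else "")
            for p in (line.split() for line in lines)]

SAMPLE_LOG = [  # constructed flow records
    "192.168.1.20 192.168.1.1 udp 53",
    "192.168.1.20 203.0.113.5 udp 53",   # app using its own DNS server
    "192.168.1.21 203.0.113.5 tcp 853",  # DNS-over-TLS
    "192.168.1.22 203.0.113.9 tcp 443 doh.resolver.example",
    "192.168.1.22 203.0.113.10 tcp 443 cdn.platform.example",
    "192.168.1.23 203.0.113.11 tcp 443 www.shop.example",
]

def audit(lines=SAMPLE_LOG) -> dict[str, str]:
    return {line: decide(f)[0] for line, f in zip(lines, parse_log(lines))}
```

The last two HTTPS records get the same verdict for different reasons: one because blocking the name would take other services down with it, the other because nothing distinguishes it from ordinary web traffic at all.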



