> With Group Policy, the computer's administrator chooses a specific domain to trust to receive policies from. With DHCP, whatever random network the computer connects to can send whatever settings it wants. This is why it's okay for Group Policy to control security-sensitive settings but not for DHCP to.
Computers don't connect to random networks. The user chooses to, and has the ability to not use the DNS from DHCP for any given network.
> Imagine if the coffee shop's DHCP server sent an option that meant "the client should open these ports in its firewall". Would you want your computer to respect that?
It already does this. The client gets its gateway via DHCP, which is not only the device that typically firewalls local networks from the rest of the internet, it's the device that can see and modify all of your traffic.
> Why is DHCP-provided DNS okay being the default, but Mozilla-provided DNS not? The user didn't choose the former either.
Because of what is necessary to change it. There has to be some default, but it should be possible for the user to change it all in one place for their entire LAN or device.
> The problem with the router doing it is that clients can't trust the router isn't owned by someone trying to spy on them.
They certainly can when it's their own router, and they can manually configure a DNS server of their choosing when it isn't.
Meanwhile, how can the user trust that Cloudflare isn't trying to spy on them?
> From a hardcoded default, e.g., Cloudflare, Google, Mullvad, or Quad9. Consider how most computers have a hardcoded default list of NTP servers to use rather than relying on getting that from DHCP.
NTP servers see that your computer wants to know what time it is. DNS servers see all kinds of privacy-sensitive information, so centralizing this in any way is inherently dangerous and so is making it more difficult for the user to change the default.
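The per-network choice the comment describes (honour the network's DHCP-supplied DNS, or keep a resolver the user pinned), as an added example that is not part of the thread: it parses option 6 (DNS servers) from a constructed DHCPOFFER and applies a trust flag per network. The packet bytes, the trust flag and the pinned resolver 9.9.9.9 are all assumptions for illustration.

```python
"""Parse the DNS-server option (option 6) from a DHCP packet and decide
whether to honour it.  Added example, not from the thread: the packet bytes,
the per-network trust flag and the pinned resolver are all constructed."""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"  # "magic cookie" that precedes the options
OPT_DNS_SERVERS = 6
OPT_END = 255
OPT_PAD = 0

def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet.
    The fixed header is 236 bytes and is followed by the 4-byte cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def dns_servers_from_offer(packet: bytes) -> list[str]:
    raw = parse_dhcp_options(packet).get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def choose_resolvers(offer: bytes, network_trusted: bool, pinned: list[str]) -> list[str]:
    """Per-network policy: accept DHCP DNS only on a network the user marked
    trusted; elsewhere keep the pinned resolvers, as manual configuration would."""
    offered = dns_servers_from_offer(offer)
    return offered if network_trusted and offered else pinned

# Constructed DHCPOFFER: zeroed fixed header, cookie, option 53 (message type
# 2 = OFFER), option 6 with two servers (10.0.0.1, 192.0.2.53), then option 255.
OFFER = (bytes(236) + DHCP_MAGIC
         + bytes([53, 1, 2])
         + bytes([OPT_DNS_SERVERS, 8, 10, 0, 0, 1, 192, 0, 2, 53]) + bytes([OPT_END]))
```

Calling `choose_resolvers(OFFER, False, ["9.9.9.9"])` keeps the pinned resolver on an untrusted network; with `True` it returns the two offered servers.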