Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
* Adam Borowski:
> Let's compare; by "ISP" I mean every hop on the network path.
>
> With local DNS:
> * the target server knows about you (duh!)
> * the ISP can read the destination of every connection
> [reading the DNS packets, reading the IP header, reading SNI header]
> * the ISP can block such connections
> [blocking DNS packets, blocking actual connection]
> * DNSSEC forbids falsifying DNS
>
> With DoH:
> * the target server knows about you (duh!)
> * the ISP can read the destination of every connection
> [reading the IP header, reading SNI header]
> * the ISP can block such connections
> [blocking actual connection]
> * Cloudflare can read the destination of every connection
> [they serve the DNS...]
> * Cloudflare can falsify DNS¹
> * Cloudflare can block connections
> [blocking or falsifying DNS response]
>
> So currently DoH is strictly worse.
Furthermore, you don't have a paid contract with Cloudflare, but you
usually have one with the ISP that runs the recursive DNS resolver.
If you look at
<https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/>
you will see that the data is shared with APNIC for “research”:
| Under the terms of a cooperative agreement, APNIC will have limited
| access to query the transaction data for the purpose of conducting
| research related to the operation of the DNS system.
And:
| Specifically, APNIC will be permitted to access query names, query
| types, resolver location
<https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/>
Typically, APNIC will only see a subset of the queries if you use your
ISP's DNS resolver (or run your own recursive resolver).
Cloudflare only promises to “never sell your data”. That doesn't
exclude sharing it for free with interested parties.
(Some people may find it amusing that I'm concerned by this because I
opened that particular can of worms fifteen years ago.)
Reply to: