by jeremejevs 3001 days ago
> only the domain nameserver owner knows what queries you made (and you are probably hitting that domain in a moment anyway!)

But these are different people, with different incentives. The NS owner may be logging everything, without the domain owner's knowledge, and the NS owner won't even be in the wrong, because they likely made no promise to not log.

With a single resolver, I can verify that they're trustworthy enough [for me], just once, and direct all my traffic to it. Cloudflare's "We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours" is something, I imagine, they very much wouldn't want to be caught violating or changing their mind about later.

In the meanwhile, with the root NS method, I can only hope that my queries will get lost in the "noise". And I'm putting noise in quotation marks because there isn't much diversity in the name server ownership: 75% of Alexa top 1M domains are hosted at Cloudflare, GoDaddy and Amazon. [0]

[0] https://www.datanyze.com/market-share/dns/Alexa%20top%201M/


With QNAME minimisation, RFC7129 (Authenticated denial of existence) and RFC8020 (NXDOMAIN: There really is nothing underneath), you should be sending almost nothing to the root servers of use.

QNAME minimisation will only send <randomstring>.com to the root for them to give you the referral.

And RFC7129/RFC8020 mean that when you get an NXDOMAIN back from the root, you'll cache it and never try again for a large swath of possible names.

QNAME minimization just minimizes the name to one label under a delegation; there's no randomization. So the root zone would only get 'com.' (and type NS). It's unfortunately easy for authoritative servers (below TLD level) to bypass it by returning NXDOMAIN. The resolver has to fall back on using the full name. The main reason is that a lot of authoritative DNS servers (notably Akamai) return NXDOMAIN when there's nothing under the minimized name, but there is something below it (aka an empty non-terminal). So without workarounds the resolver would return NXDOMAIN early instead of retrying with the full name.
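To make the two comments above concrete (what each server actually sees under QNAME minimisation, the RFC 8020 negative cache, and the empty-non-terminal NXDOMAIN problem that forces the full-name fallback), here is a toy iterative resolver run against constructed zone data. This is an added example, not code from the thread or from any real resolver; the zone layout (`example.com.`, `broken.com.`), the `nxdomain_on_ent` flag standing in for Akamai-style behaviour, and the `fallback` switch are all assumptions made for illustration.

```python
"""Toy iterative resolver with QNAME minimisation (RFC 7816) and an
NXDOMAIN cache in the spirit of RFC 8020, run against constructed zone
data.  Added example, not code from the thread; every zone, server and
flag below is made up to reproduce the behaviour the comments describe."""

from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """A constructed authoritative server for one zone."""
    zone: str
    delegations: set = field(default_factory=set)  # child zones it refers to
    names: set = field(default_factory=set)        # terminal names with records
    nxdomain_on_ent: bool = False  # misbehaviour: NXDOMAIN for empty non-terminals
    seen: list = field(default_factory=list)       # (qname, qtype) this server received

    def query(self, qname, qtype):
        self.seen.append((qname, qtype))
        for child in self.delegations:
            if qname == child or qname.endswith("." + child):
                return "REFERRAL", child
        if qname in self.names:
            return "ANSWER", qname
        # Empty non-terminal: nothing at this name, but something exists below it.
        below = any(n.endswith("." + qname) for n in self.names | self.delegations)
        if below and not self.nxdomain_on_ent:
            return "NODATA", None  # correct: the name exists, just no such type
        return "NXDOMAIN", None    # wrong for an ENT, but what some servers do


def build_servers():
    """Constructed tree: root -> com -> example.com (correct) / broken.com (Akamai-like)."""
    return {s.zone: s for s in [
        AuthServer(".", delegations={"com."}),
        AuthServer("com.", delegations={"example.com.", "broken.com."}),
        AuthServer("example.com.", names={"www.example.com.", "api.eu.example.com."}),
        AuthServer("broken.com.", names={"api.eu.broken.com."}, nxdomain_on_ent=True),
    ]}


class Resolver:
    def __init__(self, servers, fallback=True):
        self.servers = servers
        self.fallback = fallback  # retry with the full QNAME on an intermediate NXDOMAIN
        self.nxcache = set()      # names known not to exist; covers everything below them
        self.trace = []           # (server zone or "cache", qname sent, qtype sent)

    def resolve(self, qname, qtype="A"):
        # RFC 8020 style negative cache: a cached NXDOMAIN for an ancestor answers this too.
        for cached in self.nxcache:
            if qname == cached or qname.endswith("." + cached):
                self.trace.append(("cache", qname, qtype))
                return "NXDOMAIN"
        labels = qname.rstrip(".").split(".")
        server, k = self.servers["."], 1  # k = how many trailing labels we reveal
        while True:
            name = ".".join(labels[-k:]) + "."
            final = (name == qname)
            sent_type = qtype if final else "NS"  # minimised queries ask for NS
            self.trace.append((server.zone, name, sent_type))
            rcode, data = server.query(name, sent_type)
            if rcode == "REFERRAL":
                server = self.servers[data]
                k = len(data.rstrip(".").split(".")) + 1  # one label under the new cut
            elif rcode == "NXDOMAIN":
                if not final and self.fallback:
                    k = len(labels)  # workaround: ask the full name instead
                    continue
                self.nxcache.add(name)  # nothing exists at or below this name
                return "NXDOMAIN"
            elif final:
                return rcode  # ANSWER or NODATA for the full name
            else:
                k += 1        # intermediate name exists; reveal one more label


if __name__ == "__main__":
    for fallback in (True, False):
        r = Resolver(build_servers(), fallback=fallback)
        print(f"fallback={fallback}: api.eu.broken.com. ->", r.resolve("api.eu.broken.com."))
        for step in r.trace:
            print("   ", step)
```

Running it shows the root server only ever receives `com.`/NS for anything under `.com`, that `example.com.` answers NODATA for the empty non-terminal `eu.example.com.` so minimisation proceeds normally, and that `broken.com.` answers NXDOMAIN for the same shape of name. With `fallback=False` the resolver returns (and caches) a wrong NXDOMAIN for `api.eu.broken.com.`; with `fallback=True` it re-asks with the full name and gets the answer, at the cost that a bogus TLD is then only negatively cached per full name rather than once for the whole `invalidtld.` subtree.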
> With a single resolver, I can verify that they're trustworthy enough [for me], just once, and direct all my traffic to it.

Apply this deceptively simple principle to every need you have on our wonderfully decentralized Internet and see where that gets us.

Oh snap. Not so decentralized anymore.

I'm talking about DNS and nothing else.

Okay, say, 1 year from now, somehow, 95% of internet users are sending their DNS queries to Cloudflare. What can go wrong? Malicious or not. Not rhetorical, actually curious.

Internet-wide censorship is now 1 US court order away. Compared to ... say 200,000 court orders away.

Centralizing things makes it easy for lawmakers to enforce bad policy which technology otherwise would have side-stepped.