[barbegal]

As a cynic I would say this is an attempt by Google and Cloudflare to collect DNS data. Why else would they provide this service for free?

Both Google's [1] and Cloudflare's [2] DNS privacy policy prohibits them from storing personally identifiable information or from correlating DNS information with other Google data coming from the same IP/account but it does allow them to store information about which domains are popular, from which locations and from which type of device.

TLS (and therefore HTTPS) provides a very useful fingerprint based on accepted cipher suites, extensions, compression methods...

[1] https://developers.google.com/speed/public-dns/privacy

[2] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

[3] https://devcentral.f5.com/articles/tls-fingerprinting-a-meth...

[pornel]

> Why else would they provide this service for free?

Cloudflare runs the largest authoritative DNS server for their customers. The best way to make the DNS server faster is to make users query it directly.

For Cloudflare-hosted domains, instead of:

   User → ISP's DNS resolver → ns.cloudflare.com.

you get:

   User → [ 1111 → ns.cloudflare.com. ]

where the latter two are on the same machine.

[zackbloom]

I work at Cloudflare, this is correct.

1.1.1.1 runs on our existing hardware deployed around the world, it costs us very little. When you use it it improves performance for the 8 million or so sites we sit in front of, that's our actual business.

[freeopinion]

Mozilla sends people to https://mozilla.cloudflare-dns.com/dns-query.

Can you explain why this site is blocked by uMatrix?

[sli]

Strange, uMatrix doesn't block that site for me. It just doesn't have any content.

[iampims]

For Google it makes sense. The faster you resolve DNS, the more webpages with ads you visit. Small price to pay to increase impressions.

[mdellabitta]

DNS over HTTPS is actually a lot slower to resolve than traditional UDP DNS.

[gsich]

Yes, but only because of TCP and TLS connection overhead.

Once the connection is established, response time is similar to UDP.

[yjftsjthsd-h]

Does the connection get reused?

[cbsmith]

Yes.

[gsich]

Not for long.

[chipperyman573]

DNS is not the bottleneck for page load speeds, especially now that 99% of the internet has images or video (even if the images are not a main focus of the webpage, such as a news article's image header)

[T-hawk]

Bandwidth bottleneck, no. Latency, time to first usable content on screen, absolutely.

[stock_toaster]

> time to first /usable/ content on screen

If we are going by time to first /usable content/, then I would blame javascript for most of the it.

[gsich]

Also consider that every shitty webpage needs to load ressources from a dozen other domains.

[zaarn]

Google is the business of displaying ads by means of collecting data to form a profile.

Cloudflare is in the business of running websites really fast and subsidize a free offering through paying customers.

Which of those has a conflict of interest in running a DNS server while promising to protect privacy?

[codedokode]

Running websites and selling users' data brings you more profit than just running websites. With DNS Cloudflare can also learn what non-Cloudflare websites users are visiting and when.

[zaarn]

Why would cloudflare do that? It's not in their business model and "it makes more money" is hardly a thing that motivates corporations all the time, otherwise google and facebook would be offering subscription services at 20$/year to get ad- and track-free.

Why would cloudflare even want to know what websites you visit? They don't operate an adnetwork, they operate a CDN. At best they could use it to pre-cache websites in regions before demand rises. But they can already do that without DNS...

[codedokode]

> "it makes more money" is hardly a thing that motivates corporations all the time

Really? The primary purpose of any corporation is earning as much money as possible.

[zaarn]

Okay, let's do it by having an analog.

You are given advice on how to safely cross a four-way intersection by two companies.

One is an insurance company specialised in people being run over by semi trucks at four way intersections.

The other is a contractor that designs, builds and maintains four way intersections for the government and private entities.

Of course, yes, the later could collude with the former to make extra money.

But it's also not their business model. They build intersections, people pay them to make those safe and reliable. People do not pay them to collude with shady insurance companies which try to kill people by semi truck.

People would actively not pay them if they did that.

Same with Cloudflare. If CF sold data to ad networks, a lot of websites would simply jump ship and use one of the other CDNs with free offerings. People pay CF a shitload of money for ensuring the connection is private and safe (notably banks, governments, etc.)

[craftyguy]

Your analogy is bad because it describes behavior which is illegal. If you want to make as much money as possible, you might avoid decisions like the one you present which will cost you more money when it is exposed.

[h1d]

It doesn't mean, take the shortest route toward the stack of money in sight.

If CloudFlare started selling DNS info when they have emphasized that their DNS service is caring for privacy, people apparently stop using their resolver and given the impression that they can lie, it can also hurt their main business.

[cremp]

Cloudflare itself never made sense to me. What possible incentive do they have to stop their primary purpose (DDoS protection) - They have value in promoting the behavior.

Whats worse, is everyone and their dog is using them. What happens when they push a bad config to their core routers, or foobar their anycast?

[txcwpalpha]

It probably doesn't make sense because you misunderstand their primary purpose. It's not DDoS protection. Cloudflare has a pretty wide-spanning platform of products and services, but if you had to pick one out as their "primary", it would be their CDN product. The DDoS protection is just more visible because of the nature of the product (a good CDN will never make you aware it even exists), and because mitigating DDoS attacks makes for good news headlines.

Even if DDoS was their main business driver, what you're saying is similar to "doctors don't make any sense to me. what possible incentive do they have for keeping people healthy? they have incentive for promoting bad health."

As someone who works in security, believe me, there are plenty of cyber attackers out there that will easily keep companies like Cloudflare in business, no "promotion" of bad behavior required.

[yosito]

> what you're saying is similar to "doctors don't make any sense to me. what possible incentive do they have for keeping people healthy

People do say this, all the time!

[ikeyany]

It doesn't make sense to you to do the right thing and protect people at the expense of profit?

[giggles_giggles]

It costs money to do the things they do. If there's no profit, the service has to beg for money, or die for lack of resources. CloudFlare is not a charity, and if it was one, it would be ineffectual because their services are too behind-the-scenes and technical to get a donor base wide enough to support them. Profit is not necessarily an anathema to doing the right thing, and if you can align your interests with your cash flow, you can do the right thing without begging for money, which imho is even better than doing the right thing but having to subsist on the money generated by profitable enterprises that aren't as noble (donated either directly, or by their employees). But of course, aligning those interests is a challenge.

[djsumdog]

Um .. you remember how they spammed random password data and memory all over the Interwebs right?

https://www.pcmag.com/news/351962/cloudflare-leak-exposed-da...

[walrus01]

As an ISP, I'm skeptical of the motivations of big CDNs and Google in general, but it's becoming an ietf standard. I run recursive resolvers for clients numbering in the hundreds of thousands, with an ACL that allows only our ARIN IP blocks to query them.

It is not hard to put a dns-over-https frontend in place for my clients which pulls queries from my own trusted bind9 servers.

Any ISP with a clue can do the same.

[djsumdog]

For people who know how, why not just run this stuff locally? Setup your own recursive resolver on an openwrt router? Or maybe in a hosted VM close to where you live?

I know Google and CF claim they don't track this DNS information, but why even use them when you can run your own. Keep in mind CF did have a software bug that spewed SSL traffic and passwords all over the Internet[1], and they took down a website once because their CEO didn't like it[2].

[1] https://blog.cloudflare.com/incident-report-on-memory-leak-c...

[2] https://fightthefuture.org/article/the-new-era-of-corporate-...

[h1d]

When you simply run a packaged router at home that doesn't have the ability to do its own resolver, then you have to host it somewhere but since DNS can't do authentication, it's hard to keep it private.

I'd like to know a way to host your own resolver but keep it private even when you're on mobile IP.

[NetOpWibby]

What’s your ISP’s web address?

[walrus01]

I share some controversial opinions on here semi-anonymously and wouldn't want my personal positions on certain topics to be confused with an official position held by the companies I contract for. I can say that it's not a huge one, it's a mid sized regional ISP.

[NetOpWibby]

Oh! I thought you were the CEO of an ISP. I'm curious about starting my own someday so I take notes of smaller operations as inspiration.

[jstewartmobile]

Whenever Mozilla puts out one of their nerd cartoons, I instinctively look over my shoulders and tighten my sphincter. Of course, it's always nice to know the reason behind a reflex.