by mike-cardwell 2940 days ago
I kind of hate this. Taking a decentralised service, and replacing it with a service provided by a small handful of tech giants.

"But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them."

Only defaults matter. Your average web user won't be interested in knowing about or configuring this, no matter how simple the explanation/choice is made.


If only defaults matter, then it's already a dead horse, as the majority of users don't know what DNS even is, and are using their ISP's servers by default.
There is no decentralized DNS where the default for most users is their monopoly ISP.
Why does the number of people knowing about DNS matter? Especially in the context of decentralization?
Depending on your ISP and/or country of origin, it can matter a lot.
It does not need to be centralized at all. Any internet service provider with a modicum of Clue can install a DNS over https frontend listening on the IPs of their recursive resolvers, and pull data from their existing bind servers.

This does not contain any sort of proprietary or non-free software. People are free to ignore the content delivery network provided recursive resolvers, and set up their own.

That is beside the point. What Firefox is doing is to actively distrust the DNS the ISP is advertising because of the bad practice of some ISPs. Even if the ISP would advertise a DoH endpoint, the same reasons for distrust would still exist (they only mention attacks at the ISP's DNS server or between the ISP's DNS server and the authoritative DNS servers).

Also note that DNS is one of those dinosaur protocols like email and usenet that have persisted from the early days of the internet, back when we could buy interoperable services from decentralized parties. Every service we buy today is centralized or even walled garden only, see Slack, Facebook, App Stores, AWS, etc. We currently just don't know how to build successful distributed ecosystems.

People are understandably highly suspicious of DNS services and privacy issues with giant companies like Comcast, Verizon, Centurylink, etc. But I'd like to point out that there's a large number of small to mid-sized ISPs where the final business management decisions rest with the individuals who also have 'enable' on the routers and core Linux/BSD server infrastructure.

There is such a thing as ethics in network engineering, and that term encompasses things like not attempting to MITM your customers' recursive DNS resolution queries, or monitoring/tracking/selling the data.

Well, we never knew how to build a secure successful ecosystem. Between the various ways to secure DNS, this seems reasonable.
In this blog post, Firefox should encourage people who know how to run their own. Maybe even provide/maintain some docker images for us tech heads.

I agree that immediately promoting CF doesn't seem like the best genuine idea for those who are still a part of the Firefox/Mozilla community.

If the vast majority of users today are using DNS servers that are wiretapped for harmful purposes, such as advertising on NXDOMAIN pages or maliciously rewriting DNS, then switching them to one of a few DoH providers is no more concentrated than it is now. Most of my coast uses 75.75.75.75 and will someday use 1.1.1.1. This isn't as significant a change relative to the horror of today's plaintext, MitM'd user-hostile reality.
Then put it as part of your startup process, whether that's first-time startup or just-upgraded-from-a-previous-version startup.

Do not select any default. Randomize the selections.

We have the NTP pool groups as a model for how to organize groups to offer services like DNS-over-HTTPS.