by khabaal 2653 days ago
So, the DNS server of my provider against Cloudflare DNS it is. That seems to be a good idea for people in unfree countries like Iran.

But since my provider knows every IP I connect to, they already have everything they need in the first place, even if I don't use their DNS.

So handing over the DNS requests to a third party seems to be a rather not so smart move to me.

edit: oh, and the Cloudflare DNS servers are located within the Five Eyes states? nice...


> But since my provider knows every IP I connect to, they already have everything they need in the first place, even if I don't use their DNS.

If you connect to something fronted by CloudFlare your ISP can see you connecting to CF, if they provide your DNS then they can see what you're connecting to that's fronted by CF. A subtle yet important distinction.

Ignoring that, switching from your ISP's DNS prevents all kinds of shit they like to do, like redirecting to ads on an unknown domain.

> Ignoring that, switching from your ISP's DNS prevents all kinds of shit they like to do, like redirecting to ads on an unknown domain.

That's like saying base64 encoding your texts prevents your carrier from snooping on them. DNS packets aren't encrypted. There's nothing preventing your ISP from intercepting your DNS packets and redirecting them back to their servers. All you're doing is making it slightly harder on their end.

> redirecting to ads on an unknown domain

I can clearly see that, in states like Iran or China, getting redirected to somewhere you did not choose to go is really problematic, but getting redirected to ads by your own provider, does this happen in your country?

In Germany, I guess, this would be quite illegal for a provider to do and be considered as attacking the integrity of the DNS system for personal gain.

> If you connect to something fronted by CloudFlare your ISP can see you connecting to CF, if they provide your DNS then they can see what you're connecting to that's fronted by CF. A subtle yet important distinction.

Well, most of the time, you would connect to IPs that are not fronted by CF servers, so there's nothing to gain there.

In the cases where I’ve seen this happen, the DNS provider is rewriting NXDOMAIN responses. So, when you make a typo, you hit a “helpful” error page that has ads and tracking in it.

DNS hijacking is extremely common with ISPs.

https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...

> That seems to be a good idea for people in unfree countries like iran.

Cloudflare is better in a quite technical aspect: ping to their DNS is 10-12 ms vs 25-30 for Google (Europe).

If you're ambitious, you can run your own DNS resolver and route all your traffic through that.

Your ISP routes all your DNS lookups anyway, so they can see what they are even if you don't use the ISP's DNS server.

They get to see every single unique name you look up, they just don't get to see how often you do it if you use a caching resolver.

You'd need to VPN to somewhere else in order for your DNS queries not to be visible to your ISP.

This is not correct anymore since DNS over TLS. Well, most routers do not support this yet, but it's possible within your distro.

AFAIK you can't recurse using DNS over TLS. You have to use a provider such as Google/Cloudflare, at which point you're back to square one.

You still need to talk to upstream servers at some point.

Indeed, but much less frequently.

True. Using DNS at all means trusting one of the root servers at some point.

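Two points in this thread are easy to verify yourself: the NXDOMAIN-rewriting comment above (a resolver answering a name that cannot exist with an address instead of NXDOMAIN), and the DNS over TLS comments (the same query carried inside a TLS session on port 853, which an on-path ISP can no longer read or rewrite). The script below is an added example written for this page, not code from any commenter or from Cloudflare; it builds and parses raw DNS messages itself so the wire format is visible. Assumptions: the resolver endpoints `1.1.1.1:53` and `1.1.1.1:853` with TLS name `cloudflare-dns.com` are the defaults it probes, the base zone `example.com` and the address `192.0.2.1` used in comments are constructed sample values, and only A records are decoded.

```python
import os
import socket
import ssl
import struct

# Resolver endpoints used when the probes are actually sent (assumed defaults):
# plain UDP on port 53, and DNS over TLS on port 853 with the resolver's TLS name.
RESOLVER_UDP = ("1.1.1.1", 53)
RESOLVER_DOT = ("1.1.1.1", 853, "cloudflare-dns.com")

def build_query(name, qtype=1, txid=None):
    """Encode a minimal DNS query: random ID, RD=1, one IN question."""
    txid_bytes = os.urandom(2) if txid is None else struct.pack("!H", txid)
    header = txid_bytes + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1

def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings]) from a DNS response; other RR types are skipped."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, rcode, ips

def classify(rcode, ips):
    """An honest resolver answers a random name with NXDOMAIN (rcode 3); a rewriting
    one returns NOERROR plus an address it wants you to visit."""
    if rcode == 3:
        return "honest-nxdomain"
    if rcode == 0 and ips:
        return "rewritten"
    return "inconclusive"

def random_probe_name(base="example.com"):
    """A label nobody could have registered, under a base zone that exists (constructed)."""
    return os.urandom(8).hex() + "." + base

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed before the full DNS message arrived")
        buf += chunk
    return buf

def query_udp(name, server=RESOLVER_UDP, timeout=3.0):
    """Plain-text lookup: what an on-path ISP can read and rewrite."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, server)
        return parse_response(s.recv(4096))

def query_dot(name, server=RESOLVER_DOT, timeout=3.0):
    """Same query over TLS (RFC 7858): TCP framing with a 2-byte length prefix."""
    host, port, sni = server
    q = build_query(name)
    ctx = ssl.create_default_context()          # verifies the resolver's certificate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

if __name__ == "__main__":
    probe = random_probe_name()
    for label, fn in (("udp/53", query_udp), ("dot/853", query_dot)):
        _, rcode, ips = fn(probe)
        print(f"{label}: rcode={rcode} ips={ips} -> {classify(rcode, ips)}")
```

Run it on a network whose resolver path you want to check: if the UDP probe comes back "rewritten" while the DoT probe comes back "honest-nxdomain", something between you and port 53 is answering for names that do not exist. As the thread notes, DoT only hides the query content from the path; the DoT provider itself still sees every name, and the IPs you then connect to remain visible to the ISP.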
If you're not actively targeted, it's much less likely they're logging all of your traffic (or even new TCP connections or UDP 'connections') as it's expensive to do that for every customer in a non-sampled manner (like with Netflow).