[segfaultbuserr]

Due to the architecture of DNS, DNS is not end-to-end encrypted. There is a potential solution (djb's DNSCurve), but it will not be deployed. As a result, let's do an assessment.

Using Google DNS, self-hosted resolver, or your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Using CloudFlare's DNS w/ DNS-over-HTTPS: only NSA (via a NSL or subpoena), Cloudflare and CloudFlare's upstream can track and see your requests. And I guess 10%-20% of the domain names already use CloudFlare, so for some domain, it's end-to-end encrypted, nobody but NSA and CloudFlare can track you. Even better, Cloudflare is experimenting with peering to upstreams (e.g. Facebook) using private encrypted connections, so the point-to-point encryption ratio would be even higher in the future.

Therefore, using CloudFlare is a net positive.

But one also needs to consider its second-order effect: is giving CloudFlare more leverage over the Internet infrastructure in the long run an acceptable choice over unencrypted DNS? I guess everyone has a different opinion.

[yegle]

Wait a minute... First Google DNS provide both DNS-over-HTTPS and DNS-over-TLS, second Pihole (or should I say dnsmasq, or FTL the name of their dnsmasq fork) does not support forwarding DNS query request to upstream using neither DNS-over-HTTPS and DNS-over-TLS.

In any case, if you really want a full solution, build your own https://github.com/yegle/your-dns

[josteink]

> Using ... your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Technically speaking the NSA wouldn’t be seeing your DNS requests, they would be seeing your ISP’s, for all its users anonymised.

If you use Cloudflare or Google DNS directly from home (or your own resolver), then yes, the NSA and anyone else can track your individual DNS requests directly.

In that regard using your own ISP’s DNS is clearly superior.

[yegle]

*if you are using plaintext DNS query. Both Google DNS and Cloudflare DNS support encrypted DNS query over TLS and HTTPS.

[KirinDave]

What threat model does concealing DNS but not indirecting traffic via Tor address, given that Tor can also tunnel DNS? Cloudflare's not wrong that the DNS requests are hidden, but many classes of observer who could read your DNS request could also see you connect to the resting host?

Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?

[woofcat]

Cloudflare has also rolled out ESNI (https://www.cloudflare.com/ssl/encrypted-sni/) which would mean someone reading your traffic would only be able to tell that you're connecting to a cloudflare IP address.

However be unable to determine which specific site you were accessing.

[KirinDave]

What does that accomplish?

As opposed to Tor use, specifically?

[woofcat]

Well it to me has a few use cases that are reasonable.

a) Used where Tor is unacceptable, such as some university networks, and workplaces where using anonymization such as Tor/VPN is prohibited by policy.

b) When using Tor protecting yourself from the Tor endpoint collecting information / statistics on what you are visiting.

[KirinDave]

Why do you want to present a false sense of improved privacy by only obfuscating your DNS queries in these networks?

It seems to me like these DNS tricks are parlor tricks in a security sideshow. Any attacker that could see your packets can also see who you are connecting to. It's pretty rare that SNI does anything relevant to a real threat model.

I think a false sense of privacy is at least as dangerous as the alternative.

[woofcat]

>Any attacker that could see your packets can also see who you are connecting to.

Yes they'd see that you're connecting to one of the largest reverse proxies in the world.

[calimac]

Cloudflare scaled up massively so quickly when they started offering cdns a decade ago.

I judged the company in a negative light when their ceo or cfo wrote an open letter rationalizing their ban silencing some obnoxious website over political belief virtue signaling.

A company that crushes free speech cannot be trusted.

I don’t even remember what the obnoxious or offensive website was but I know that offensive speech is protected speech.

Autocratic technocracy centralized into a few digital monopolies wrap our wrists into digital slave chains labeled “free”.

[mperham]

The first amendment applies to government censorship only.

Cloudflare is not the government. A business can choose not to service someone based on almost any criteria, that's not "crushing free speech". You can then choose not to patronize the business based on that policy. This is an important part of a free market.