by KirinDave 2570 days ago
What threat model does concealing DNS but not indirecting traffic via Tor address, given that Tor can also tunnel DNS? Cloudflare's not wrong that the DNS requests are hidden, but many classes of observer who could read your DNS request could also see you connect to the resting host?

Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?


Cloudflare has also rolled out ESNI (https://www.cloudflare.com/ssl/encrypted-sni/), which would mean someone reading your traffic would only be able to tell that you're connecting to a Cloudflare IP address.

However, they would be unable to determine which specific site you were accessing.

What does that accomplish?

As opposed to Tor use, specifically?

Well, to me it has a few use cases that are reasonable.

a) Used where Tor is unacceptable, such as some university networks, and workplaces where using anonymization such as Tor/VPN is prohibited by policy.

b) When using Tor, protecting yourself from the Tor endpoint collecting information / statistics on what you are visiting.

Why do you want to present a false sense of improved privacy by only obfuscating your DNS queries in these networks?

It seems to me like these DNS tricks are parlor tricks in a security sideshow. Any attacker that could see your packets can also see who you are connecting to. It's pretty rare that SNI does anything relevant to a real threat model.

I think a false sense of privacy is at least as dangerous as the alternative.

> Any attacker that could see your packets can also see who you are connecting to.

Yes they'd see that you're connecting to one of the largest reverse proxies in the world.
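The disagreement above is about what a passive on-path observer can recover from the connection itself once DNS is hidden. The following is an added example, not code from the thread or from Cloudflare: a small Python parser that extracts the cleartext server_name (SNI) extension from a TLS ClientHello, run against two constructed hellos. One carries a plain SNI for the constructed hostname `example.com`; the other carries no server_name extension and instead an opaque blob under extension type 0xffce, the number used by the ESNI drafts (assumed here as the draft value). Every byte of the sample records is constructed inline; no network access is needed.

```python
import struct

# --- Constructed sample ClientHello records (not captured traffic) ---

def build_client_hello(extensions: bytes) -> bytes:
    """Wrap a ClientHello body carrying `extensions` in a TLS handshake record."""
    body = b"\x03\x03"                      # legacy_version: TLS 1.2
    body += b"\x11" * 32                    # random (constructed, fixed bytes)
    body += b"\x00"                         # session_id length: 0
    body += b"\x00\x02\x13\x01"             # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                     # compression_methods: null
    body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: msg_type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0x0000) with a single host_name entry."""
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    return struct.pack("!HH", 0x0000, len(ext_data)) + ext_data

def opaque_extension(ext_type: int, payload: bytes) -> bytes:
    """Any extension whose contents the observer cannot interpret."""
    return struct.pack("!HH", ext_type, len(payload)) + payload

ESNI_DRAFT_EXT_TYPE = 0xFFCE  # assumed: extension number from the ESNI drafts

CLEARTEXT_SNI_HELLO = build_client_hello(sni_extension("example.com"))
# ESNI-style hello: no server_name extension, only an opaque encrypted blob (constructed bytes).
ESNI_STYLE_HELLO = build_client_hello(opaque_extension(ESNI_DRAFT_EXT_TYPE, b"\xaa" * 48))

# --- What a passive observer's parser recovers ---

def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': hostname or None, 'extension_types': [...]} for a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods

    result = {"sni": None, "extension_types": []}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + data_len]; pos += data_len
        result["extension_types"].append(ext_type)
        if ext_type == 0x0000:
            # server_name: list length (2) then entries of name_type (1), length (2), name
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    result["sni"] = name.decode("ascii")
    return result

if __name__ == "__main__":
    print("cleartext SNI hello :", parse_client_hello(CLEARTEXT_SNI_HELLO))
    print("ESNI-style hello    :", parse_client_hello(ESNI_STYLE_HELLO))
```

With the plain hello the parser returns the hostname directly, which is the point made about SNI in the thread: hiding the DNS lookup alone leaves the name in the first packet of the TLS handshake. With the ESNI-style hello the observer is left with the destination IP and an extension it cannot read, which is the "one of the largest reverse proxies" case; how much that hides depends on how many sites share that address.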