And that should surely be the default. What's Mozilla's intent in sending DNS queries to Cloudflare by default, and requiring regular DNS resolution to be configured manually?
My DNS requests traverse my ISP's network to my ISP's DNS server (or my employer's ISP's DNS server if I'm at work).
I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.
If my DNS requests are sent to CloudFlare or Google instead, my DNS requests are under American jurisdiction, where I have no rights and both American businesses and the American government can do whatever they please with no real recourse.
So it depends on the country. In my country (Russia) all Internet traffic is being recorded by the ISP for the last month and sites are blocked for political reasons. For me having DoH with Cloudflare is better.
The reason why browsers are moving to features like DoH and eSNI as defaults is because it's every type of nation that is now instituting pervasive surveillance against its citizens.
You also can't trust laws, since ISPs can be hacked or infiltrated from the inside.
In terms of personal protection, encryption trumps law.
From what I can tell, all countries covered by the GDPR heavily limit what an ISP can do with DNS queries. That covers 515M people, which is more than the populations of the three mentioned countries (US, Russia and Australia) put together.
A lot of these countries currently have laws to record years of DNS logs for future analysis by the police. Due to the abuses these countries have committed with it in the past, I personally do not want any record.
That’s a very good point. In fact all of them do, because the same EU that mandates GDPR also mandates data retention, which only differs in details in member states.
I'm not familiar with DoH. Would it still allow CloudFlare to match domain names to IP addresses? If so, then I don't see how it adds any value over the current solution. If anything, it creates a false sense of security, which is worse than no security at all.
What's the point of encrypting the DNS lookup step if a middleman can still potentially see everything in plaintext?
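To make the question above concrete, here is an added illustration (not code from anyone in this thread) of what an on-path observer can recover from a plaintext DNS query versus how the same query is carried by DoH. It builds a single A-record query in RFC 1035 wire format, extracts the queried name the way a passive observer on the ISP's network would, and then wraps the identical bytes in the RFC 8484 GET form (base64url in the `dns` parameter), which only travels inside the TLS session to the resolver. The resolver URL `https://doh.example/dns-query` is a placeholder, not a real endpoint.

```python
import base64
import struct

# Constructed sample query: example.com, type A, class IN (RFC 1035 wire format).
def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query: 12-byte header, then QNAME/QTYPE/QCLASS."""
    # Flags 0x0100 = recursion desired; QDCOUNT = 1; AN/NS/AR counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    question = labels + struct.pack("!HH", 1, 1)  # QTYPE=A (1), QCLASS=IN (1)
    return header + question


def observed_qname(packet: bytes) -> str:
    """What a passive observer reads from a plaintext (Do53) query on the wire."""
    pos = 12  # skip the fixed header; the question section follows
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without padding,
    in the 'dns' query parameter. RFC 8484 recommends a zero transaction ID so
    identical queries produce cacheable URLs; the ID is rewritten here."""
    zero_id = b"\x00\x00" + packet[2:]
    encoded = base64.urlsafe_b64encode(zero_id).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def decode_doh_param(value: str) -> bytes:
    """Recover the DNS message from the 'dns' parameter (re-adding the padding)."""
    padding = "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value + padding)


if __name__ == "__main__":
    query = build_dns_query("example.com")
    # Plaintext UDP/53: the ISP (or anyone on the path) sees the name directly.
    print("Do53 observer sees QNAME:", observed_qname(query))
    # DoH: the same message rides inside HTTPS to the resolver. The path only
    # sees a TLS connection to the resolver's IP (and its SNI), not this URL.
    url = doh_get_url(query)
    print("DoH request URL (inside TLS):", url)
    assert observed_qname(decode_doh_param(url.split("dns=")[1])) == "example.com"
```

The point this demonstrates is the one raised in the thread: DoH moves the observer from the ISP to the resolver operator. The resolver still decodes the full question, so the trust question does not disappear, it relocates, and the resolver's own IP and TLS SNI remain visible to the network, as does the destination IP of the subsequent connection.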
Institutions providing internet access, but with an obligation or operational requirement to block certain kinds of content (e.g. insufficient network capacity on the free WiFi at a hospital to allow streaming video for all visitors), would not be able to do it at all.
Privacy proponents seem to forget that there are sometimes reasonable reasons to allow traffic to be blocked, and instead of looking for a real solution, they are imposing ridiculous "solutions" on all Firefox users.
This is already what happens. Your DNS queries have to go somewhere, and unless you control the DNS servers, there's a third party in the loop somewhere.
ISPs are highly regulated, as opposed to Cloudflare and Google. The only effect here is that Google closes another "loophole" in their view, where web visit signals are sent to another party (other than Google), and Cloudflare wanting their share of the cake as well. Has Mozilla disclosed what Cloudflare is paying them for being listed as the default DoH provider?
Well, to buy a domain you need to go to an accredited registrar for the respective TLD. And DNS registrations, renewals, etc. are standardized (and have TLD-specific policies). Also, you're entitled to transfer your domain name to another registrar, etc., also with a public and transparent protocol. The registrar will then arrange for their nameserver to be registered as authoritative for your domain on the TLD's root domain server, etc. What's the problem with US ISPs here? That they're selling DNS query records (with your IP) against their nameservers? That's in the same territory as Cloudflare and Google, and will only stop with proper privacy laws; certainly not by giving up on the decentralized nature of DNS and giving all traffic/signals to Cloudflare/Google.
Aren't you still sending your data to an unregulated third party with any ISP? (I don't live in the US, so I am not aware if they're regulated in this regard.)
I think you misunderstood. I was talking about DoH providers, not all options, and responded to a line completely tangential, if not unrelated, to what you try to bring up here. An answer looking for a question, I guess?