by Youden 2477 days ago
I disagree, at least in my situation.

My DNS requests traverse my ISP's network to my ISP's DNS server (or my employer's ISP's DNS server if I'm at work).

I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

If my DNS requests are sent to CloudFlare or Google instead, my DNS requests are under American jurisdiction, where I have no rights and both American businesses and the American government can do whatever they please with no real recourse.


So it depends on the country. In my country (Russia) all Internet traffic is being recorded by the ISP for the last month and sites are blocked for political reasons. For me having DoH with Cloudflare is better.

Ditto in Australia

The reason why browsers are moving to features like DoH and eSNI as defaults is that nations of every kind are now instituting pervasive surveillance against their citizens.

You also can't trust laws since ISPs can be hacked or infiltrated from the inside

In terms of personal protection encryption trumps law

> You also can't trust laws since ISPs can be hacked or infiltrated from the inside

Cloudflare isn't magically free from the same threats.

> I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

There are very few countries with such strong privacy protections, even in the Western world.

From what I can tell, all countries covered by the GDPR heavily limit what an ISP can do with DNS queries. That covers 515M people, which is more than the populations of the three countries mentioned (US, Russia and Australia) put together.
> which is more than the populations of the three countries mentioned (US, Russia and Australia) put together.

Not sure it matters, but that is only true by a small margin: 500M vs 515M.

A lot of these countries currently have laws to record years of DNS logs for future analysis by the police. Due to the abuses these countries have committed with it in the past, I personally do not want any record.
That’s a very good point. In fact all of them do, because the same EU that mandates GDPR also mandates data retention, which only differs in details in member states.
That's a very good point.

I'm not familiar with DoH. Would it allow CloudFlare to match domain names to IP addresses still? If so, then I don't see how it adds any value to the current solution. If anything, it creates a false sense of security which is worse than no security at all.

What's the point of encrypting the DNS lookup step if a middleman can still potentially see everything in plaintext?

Couldn't your ISP watch traffic to pull out SNI information?
The next step is eSNI, and judging by the DoH rollout, that will also bring a new level of controversy, with people advocating against it.
What are the arguments against eSNI?
> What are the arguments against eSNI?

Institutions providing internet access, but with an obligation or operational requirement to block certain kinds of content (e.g. insufficient network capacity on the free WiFi at a hospital to allow streaming video for all visitors) would not be able to do it at all.

Privacy proponents seem to forget that there are sometimes reasonable reasons to allow traffic to be blocked, and instead of looking for a real solution, are imposing ridiculous "solutions" on all Firefox users.
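Added example, not part of the thread and not code from any of the commenters: a small Python parser that pulls the server_name out of a TLS ClientHello the way an on-path ISP (the question above about watching traffic for SNI) or a captive-network filter (the hospital WiFi case in this comment) can, and applies a blocklist to it. The ClientHello bytes are constructed inline rather than captured, and the blocklist domains are made up. A ClientHello built with server_name=None stands in for the eSNI/ECH case, where the extension is absent or encrypted and the observer has nothing to match on.

```python
import struct

# Hypothetical blocklist for a "hospital WiFi" style filter (constructed for this example).
BLOCKLIST = {"video.example", "stream.example"}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.3-capable ClientHello record.

    Constructed test input, not a packet capture. With server_name=None the
    SNI extension is omitted, which is what an SNI-based observer sees when
    the name is encrypted (eSNI/ECH) or simply not sent.
    """
    client_random = bytes(32)                      # all-zero random is fine for a parser test
    cipher_suites = b"\x13\x01\x13\x02"            # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type = host_name (0)
        name_list = struct.pack("!H", len(entry)) + entry           # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    versions = b"\x02\x03\x04"                                      # supported_versions: TLS 1.3
    extensions += struct.pack("!HH", 0x002B, len(versions)) + versions
    body = (b"\x03\x03" + client_random            # legacy_version + random
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                          # legacy_compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext record


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if there is none to read.

    This is the passive parse an ISP or network filter can do on the first
    packet of every TLS connection, DoH or not: nothing here is encrypted.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip legacy_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip compression methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name entry
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", errors="replace")
    return None


def filter_decision(record, blocklist=BLOCKLIST):
    """Decide allow/block/unknown for one connection from its ClientHello alone."""
    name = extract_sni(record)
    if name is None:
        return "unknown"      # eSNI/ECH case: the filter has nothing to match on
    if name in blocklist or any(name.endswith("." + d) for d in blocklist):
        return "block"
    return "allow"


if __name__ == "__main__":
    for host in ("video.example", "cdn.stream.example", "news.example", None):
        rec = build_client_hello(host)
        print(f"{str(host):22} sni={extract_sni(rec)!s:22} decision={filter_decision(rec)}")
```

DoH removes the plaintext query to the resolver, but the same name reappears in the first packet of the TLS connection that follows, which is what `extract_sni` reads; that is why eSNI (now ECH) is the next step, and also why a filter that depends on this field returns "unknown" once the name is encrypted.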

Your request will hit a CloudFlare edge node in your country and be served from there. Under your jurisdiction.