by core-questions 2375 days ago
> Protect your kids and control what they can access online.

Yes, god forbid some parents would like to have a little bit of control and the ability to protect their children from seeing obscene material when they're too young to handle it.

Evil! Mozilla needs to quash these terrible people! May they burn with Brendan Eich!

2 comments

"Protecting your kids" is often "we log everything and have complete visibility over how people are using our service, and we're willing to share a bit of that with parents to spy on their children". It's a valid concern to have unless there's evidence to the contrary.
I assume every single DNS provider is logging and, if possible, selling my data. Why wouldn't I? This is actually why I use my own DNS server and resolve against the root, like anyone else who cares about privacy ought to be doing.

Still, if your goal is to block your kids' access to things, DNS is a good place to do it. Works across all your devices and doesn't require any install.

> This is actually why I use my own DNS server and resolve against the root, like anyone else who cares about privacy ought to be doing.

How do you prevent the ISP from logging those requests to the root?

I can't speak for them, but I do the same thing and use a VPN to resolvers on numerous VPS providers. Those talk upstream to the root servers. Between the min-ttl cache at each layer and the large number of resolvers, correlation of my DNS requests is non-trivial. I also ensure that client subnet EDNS is blocked.
Unless you're connected to a VPN 100% of the time, wouldn't your ISP already have access to see every domain you browse to?
They do via the SNI header, but Firefox already includes support for encrypted SNI. So if the server supports that, all the ISP gets is the IP of the server you're connecting to. If that IP only hosts a single domain, then they can still tell, but in other cases (think sites behind Cloudflare, or using shared load balancers), they can't.

Or actually, they might still, using side-channel attacks, but it's significantly harder to accomplish, especially at scale.

Hey, good point. I guess there's not much I can do about that yet, without DNSSEC or whatever.
DNSSEC does nothing whatsoever to prevent your ISP from logging your requests.
I’d be interested to get to any links/descriptions on how you run your own DNS server and the monetary and time costs of it.
You should look into setting up a Pi-Hole.

https://pi-hole.net/

Good jumping off point for this.

Thanks. I have heard of pi-hole and know what it does (though I haven’t set up one myself). I’ll take a shot at it. I was wondering what stack the GP was using, where it was hosted and what the costs were.
Further, any mention of homosexuality is often considered to be inherently and unmistakably morally obscene, such as by the One Million Moms group, or as described by various state GOP platforms. This would include the narratives on whether lesbian or gay parents exist.
One of the positives of DNS-level blocking is that it's relatively rough-grained. You can block pornhub.com, but you can't block out every mention of homosexuality at the DNS level without blocking any site that may potentially mention it, which would include any news site, discussion forum, social media, etc.

We should be skeptical of aggressively-enforced DoH. In most cases, the vendor's interest in stopping ad blockers is stronger than their interest in protecting user privacy. Mozilla is slightly more removed, but as they're dependent on The Big G for revenue, we're basically just waiting for that shoe to drop.

Technology should not be inserting itself into the private lives of people and determining the values they can raise their children with. This is something parents should have as a tool. If you don't like it, tough; go raise your kids the way you want to. There's no reason why someone with traditional values shouldn't be afforded the ability to selectively block things they find obscene.
Nobody is fighting over whether you're going to be doing site-by-site blocking, because that's too exhausting and people know that.

That's why companies have to exercise moral taste when they do a blanket ban on moral obscenity, and that's precisely the kind of product that people mean to purchase -- curation and tastefulness. It's also why it's interesting for people to fight over this, because they're fighting over a policy of scale as opposed to what goes on in one single home.

And presumably this company would later be interested in dealing with schools and other big institutions, which means their product takes on yet another critical dimension, which is the re-allocation of responsibility for making morally tasteful decisions.

In both B2C and B2B, the refusal to exercise moral perspective, taste, and curation is missing the soul of the product. But of course not all areas of tech are for everyone; some people don't wish to work with advertising companies, and that's fine too, but advertising companies likewise make policies of scale and must exercise moral and political taste.

Yes, so one should expect that religious sites describing the healthy mode of heterosexuality should remain visible, while sites discussing homosexual parenting ought be stricken via DNS. Is the positive you're talking about summed up as "it's not that bad"?
It's well within any parent's rights to block content like that, yes. If I can prevent my children from seeing obscene and objectionable things until they're old enough to have reasonable conversations about it, I will.

That doesn't mean I want to raise bigots, it just means I want to do what I can to ensure the narratives being pushed on my children are wholesome ones that will help them to grow up to be useful, contributing members of society and parents as well.

Maybe you don't care about that for your own kids; that's on you, champ. I'm not arguing for anything censoring anyone else, or anyone censoring what any adult reads.

I'm not saying that the product doesn't have its use, but it is not how DoH should work.

I'm trying to bolster the point that they are promoting logs and more importantly, blocking DNS queries.

How can I trust the DoH endpoint if I know they have an active product whose purpose is to log and not give back the requested IP?