by ribasushi 2199 days ago
> CDNs are a lesser evil than ISPs

This keeps being repeated, and I simply do not understand it. Could you elaborate how you arrive at this conclusion that CDN > ISP?

My take:

An unsavory ISP is the only thing I can "vote against" as an end user. I can boycott it by switching elsewhere, I can pick from a ton of mobile providers, I can use a VPN to "subcontract" my connectivity experience to an order of magnitude more providers, or if I am really so inclined I can shuffle all of that by the likes of Tor.

There is NOTHING I can do as an individual to avoid a CDN, aside from never visiting content backed by that CDN.

3 comments

Every ISP I have access to performs DNS-based blocking; to the extent of intercepting ALL UDP DNS traffic (i.e. using other resolvers doesn't work). DoH gets around that.

And I think from the context of the parent, you can choose your CDN('s resolver) -- my version of Firefox (77 on macOS) has NextDNS among the default DoH providers.

The issue isn't whether you can choose your resolver for Firefox, it's that it balkanizes the namespace resolution mechanism.

Sure, Firefox is using CDN resolver #1, "optimized for the browser experience", while Spotify uses the CDN resolver #2, "optimized for music discovery".

The namespace will balkanize, and with that the control moves to the owners of the resolvers. That would be a natural evolution of the infrastructure purely due to literal "network effects".

If data can be gleaned from current DNS requests, what data can be gleaned from a browser sending metadata? Who controls those DoH servers?

At least the current DNS namespace, nominally, is devolved, particularly with the explosion of TLDs. That has other disadvantages, but there are advantages too.

NextDNS is great. I've been using it for the last few months to access Handshake sites[1] and there have been no issues, and it's important that there are more resolvers than just Cloudflare and Google on the market.

[1] You need to enable it in your NextDNS settings.

If you can switch ISP, good for you. On my road, there's only one, and it's owned by the government.
Even without switching ISPs you can just use a different recursive resolver by editing your libc resolver config file. This is more difficult when each application has its own config (or none at all).
Without Do{H,T}, your ISP sees all your DNS queries anyway, and some will MitM them.
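The two points made above, that an ISP intercepting all UDP/53 traffic sees (and can rewrite) every plaintext query, and that DoH gets around it, come down to the same wire-format DNS message being carried over HTTPS instead of a bare UDP datagram. The following is an added example, not code posted in this thread or code from NextDNS or Firefox: it builds an RFC 8484 DoH GET request for a query and parses a hand-constructed answer. The resolver URL `https://doh.example/dns-query` is a placeholder, and the response bytes are constructed for the example rather than captured from any resolver; nothing here touches the network.

```python
"""RFC 8484 DoH request construction plus DNS wire-format parsing.

Added example for the thread above (not the project's or any commenter's code).
The same bytes that build_query() returns are what a stub resolver would send
in the clear on UDP/53, which is exactly what the ISP intercepts; wrapped in a
DoH GET over TLS, only the DoH resolver sees the name being looked up.
"""
from __future__ import annotations

import base64
import struct

# Assumed placeholder endpoint; a real DoH resolver URL would go here.
DOH_RESOLVER = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: 12-byte header plus one question (RFC 1035).

    ID is fixed to 0 as RFC 8484 recommends, so HTTP caches can dedupe.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 4.1: query goes in the 'dns' parameter, base64url, no padding."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels: list[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, ipv4) for each A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records


def constructed_response() -> bytes:
    """A hand-built NOERROR answer for example.com (constructed, not captured)."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    # Owner name is a pointer (0xC00C) back to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 would carry these bytes in the clear:", q.hex())
    print("DoH GET:", doh_get_url(DOH_RESOLVER, q))
    print("Parsed answer:", parse_answers(constructed_response()))
```

The `dns=` value produced for `example.com` is what appears in the URL path of the HTTPS request; an interceptor on UDP/53 never sees it, while the DoH operator sees every name, which is the trade the later comments are arguing about.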