by octoberfranklin 2041 days ago
Another goal is to deal with the problem of "no log" VPN providers being forced to tag all internet-bound traffic on port 53 with the customer IP it originated from.

This has evolved into the universal compromise, since the VPN provider still gets to claim that they themselves aren't doing any logging. But of course their upstream ISP is now easily able to do so.

This is why Mullvad intercepts all DNS queries (even to 8.8.8.8 or 1.1.1.1). Try using OpenNIC from behind Mullvad: you won't get the extra TLDs.

Logging DNS makes it easy to selectively deanonymize people. All you have to do is get them to browse to a website that resolves a weird domain name.

1 comment

Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?
> Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?

First, read this: https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet

And this: https://tools.ietf.org/html/draft-hardie-privsec-metadata-in...

Then, start a VPN provider and wait for the NSL to arrive, like Mozilla did.

Not a coincidence that they suddenly started pushing DoH hard shortly after launching their own VPN. Before that it was just another protocol; after the VPN they suddenly were in a big huge hurry to put people on DoH by default whether the system resolver supported it or not.
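The EDNS Client Subnet mechanism linked above, as an added example (not code from the thread or from any VPN provider): a small Python parser that builds a constructed A query, detects an ECS option (RFC 7871, option code 8) inside the EDNS(0) OPT record, and returns the message with that option stripped, which is the check a resolver or a VPN-side DNS interceptor would run on outbound port 53 traffic. Function names and the sample subnet are assumptions of this example.

```python
import struct
OPT_TYPE = 41        # EDNS(0) pseudo-RR type, RFC 6891
ECS_OPTION_CODE = 8  # EDNS Client Subnet option, RFC 7871

def build_query(qname, ecs=None):  # constructed sample: A query, optional ECS tag (ipv4, prefix_len)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional RR
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    rdata = b""
    if ecs:
        addr, plen = ecs
        octets = bytes(int(o) for o in addr.split("."))[:(plen + 7) // 8]  # address truncated to prefix
        option = struct.pack("!HBB", 1, plen, 0) + octets       # family 1 = IPv4, scope prefix 0
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata) ) + rdata  # root name, 4096 payload
    return header + question + opt_rr

def _skip_name(msg, off):  # advance past a wire-format name, handling a compression pointer
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_ecs(msg):  # returns (ecs_info or None, copy of msg with any ECS option removed)
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    info, out = None, bytearray(msg)
    for _ in range(an + ns + ar):
        start = _skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[start:start + 10])  # TYPE, (CLASS, TTL), RDLENGTH
        rdata, off = start + 10, start + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        kept, p = b"", rdata
        while p < rdata + rdlen:          # walk the EDNS option list
            code, olen = struct.unpack("!HH", msg[p:p + 4])
            if code == ECS_OPTION_CODE:
                fam, plen, scope = struct.unpack("!HBB", msg[p + 4:p + 8])
                raw = bytes(msg[p + 8:p + 4 + olen])
                subnet = ".".join(map(str, (raw + b"\x00" * 4)[:4])) if fam == 1 else raw.hex()
                info = {"family": fam, "prefix_len": plen, "scope": scope, "subnet": subnet}
            else:
                kept += msg[p:p + 4 + olen]   # keep every other option untouched
            p += 4 + olen
        out[rdata:rdata + rdlen] = kept
        out[start + 8:start + 10] = struct.pack("!H", len(kept))  # fix up RDLENGTH
        break                              # RFC 6891 permits only one OPT RR per message
    return info, bytes(out)
```

A VPN-side interceptor that applies `inspect_ecs` to every outbound query forwards the stripped copy, so the upstream resolver and its ISP never see the per-customer subnet tag.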