[necovek]

I think the objection is the type of company that sees your requests.

Traditionally, it's your ISP who gets to see your and all their users' DNS lookups.

But now it's Google (on top of your ISP) and Cloudflare (on top of with 1.1.1.1 and instead of your ISP for DNS-over-HTTPS), and the claim is that they are going to misuse the data (well, it's pretty much a fact for Google).

I am generally not in favour of any siloing and centralisation of that scale, but if you want private DNS, your options are quite limited.

I also wonder if it'd make sense to bundle a simple DNS-over-Tor service or would that be easy to track? I'd run it on my openwrt router.

[bbabaraba]

Hello my friend

List of public DoH Servers: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Serv...

Simple guide for DoH over Tor: https://github.com/piskyscan/dns_over_tls_over_tor

I don't consider 10+ public, free DoH servers as "quite limited".

[necovek]

You might not consider that "quite limited", but that is likely because of a different interpretation of "private DNS".

Private communication is something that only the two (or more) parties communicating are privy to.

With HTTPS, the risk is reduced to CA compromise. With DoH, the risk is the company running the service on top of the CA compromise.

The parties communicating are the root/TLD name servers and me. Private DNS is DNS where nobody sees any of my DNS traffic, except for the root resolvers (which thus become the target of potential privacy breach).

Any intermediary means that they can see your data, but if they are centralized in only a few places, it's a bit beside the point. But then again, if they are so small that only a handful people use them, your traffic will be simple to filter out.

Finally, how do I set up my system to use any of these half-solutions for all DNS requests today?

I'd still prefer a DNS-over-Tor solution if anyone came up with it.