by hg35h4 1955 days ago
It's horrible for environments with split horizon DNS. It presumes that the only networks that should exist are home users consuming public Internet cloud services.

For privacy it's a discussion of do I trust my obnoxious non-US ISP or a US-based .com with seeing all my browsing habits based on DNS queries. At least I could have legal recourse with my ISP in my own country, and there are slightly better privacy laws.


Split DNS is a stupid, stupid idea. But DoH doesn't sound like an improvement.

It was a fine, simple solution until DoH. In some internal environments the internal traffic volume can be much higher than the few services that might be publicly exposed.

Sure, lots of ways you could do it - get a fat edge firewall to hairpin the traffic + support Internet access, but you end up paying a lot more for all the threat licenses on the oversized edge. Could add many more tiers, maybe more translations or overlays... but why bother with a lot more complexity or especially more cost just because someone saw a threat in another country and is trying to solve a problem that does not apply to most.

Furthermore, there can be internal-only host names that are now getting probed and exposed externally. Exfiltration to a US company in the name of "security".

Hiding a DNS entry doesn't do anything to hide the machine. How long do you think a newly exposed IP address, without a DNS entry, will last before it is probed?
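To make the split-horizon point in the thread concrete, here is an added example (not part of the discussion above, and not code from any browser or resolver project). It models a split-horizon resolver that serves an internal view to inside clients and a public view to everyone else, then shows what changes when a client on the inside sends its queries to a public DoH endpoint instead of the local resolver: internal-only names get NXDOMAIN, and the names themselves leave the network. All address ranges, zone records and hostnames are constructed for the illustration.

```python
"""Constructed model of a split-horizon resolver versus a DoH-bypassing client."""
import ipaddress

# Constructed: address ranges the resolver treats as "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed zone data. "internal" is what inside clients should see,
# "public" is what the Internet sees. A name whose public entry is None
# is meant to be invisible from outside.
ZONE = {
    "www.example.test":      {"internal": "10.0.0.10", "public": "203.0.113.10"},
    "intranet.example.test": {"internal": "10.0.0.20", "public": None},
    "git.example.test":      {"internal": "10.0.0.30", "public": None},
}

# Constructed: the egress address a public DoH provider's query would carry.
DOH_PROVIDER_EGRESS = "198.51.100.1"


def is_internal(client_ip: str) -> bool:
    """True if the querying address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def split_horizon_answer(name: str, client_ip: str):
    """Answer as a split-horizon resolver: inside clients get the internal
    view, everyone else the public view. Returns an address or None (NXDOMAIN)."""
    record = ZONE.get(name)
    if record is None:
        return None
    view = "internal" if is_internal(client_ip) else "public"
    return record[view]


def resolve(name: str, client_ip: str, uses_doh: bool):
    """The client's effective answer. A client using a public DoH endpoint
    hands its query to a resolver on the Internet, so the authoritative side
    sees the query arrive from a public address and serves the public view,
    no matter where the client physically sits."""
    source = DOH_PROVIDER_EGRESS if uses_doh else client_ip
    return split_horizon_answer(name, source)


def leaked_internal_names(queries, uses_doh: bool):
    """Names that exist only in the internal view and that a DoH client would
    send off-network anyway: the internal-only hostnames an outside party
    gets to see (and gets to see failing to resolve)."""
    if not uses_doh:
        return []
    return sorted({n for n in queries if n in ZONE and ZONE[n]["public"] is None})


if __name__ == "__main__":
    client = "10.1.2.3"  # constructed: a laptop on the office LAN
    queries = ["www.example.test", "intranet.example.test", "git.example.test"]
    for name in queries:
        print(f"{name}: local resolver -> {resolve(name, client, False)}, "
              f"via public DoH -> {resolve(name, client, True)}")
    print("internal-only names sent off-network:",
          leaked_internal_names(queries, uses_doh=True))
```

Run stand-alone, the script prints the internal answers for the local-resolver path and NXDOMAIN for the two internal-only names on the DoH path, followed by the list of names that left the network. The same model also shows the counterpoint raised in the last reply: hiding a name only affects the DNS answer, so `split_horizon_answer` returning None says nothing about whether the address behind it is reachable.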