by ignoramous 1227 days ago
Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread them out, because now, not one but multiple providers can build your browsing history. As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles.

If you're running Unbound, might as well recurse DNS queries, instead of upstreaming them. If you are adamant on spreading DNS queries across multiple upstreams, doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.


>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."

What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.

>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."

Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?

We aren't.

You will forgive me for thinking "mmmmmmm-hmmmmmm" when you say that after your initial comment on how easy it is in light of running a public resolver yourself.

Ideally, one should think that for every dns resolver they use.

As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.

Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (to say nothing of vague / cute privacy policies). Anyhow, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.

Won't recursing also spread your queries across multiple providers? And in the clear for deep packet inspectors to see, instead of encrypted?

You wish all nameservers would support DoH / DoT, but until then using Qname minimisation limits exposure.
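For anyone who wants to try the two setups discussed in this thread, here is an added example Unbound config (written for this page, not taken from the thread or from the Rethink project). The upstream IP, its TLS hostname and the CA bundle path are placeholders you would replace.

```conf
# Added example, not from the thread. Two shapes of unbound.conf:
#   A) recurse yourself, with QNAME minimisation so root/TLD/authoritative
#      servers each see only the labels they need to answer;
#   B) forward everything to ONE upstream over DNS-over-TLS, so a single
#      provider (rather than several) sees the full query stream.

server:
    # Applies to both A and B: send the minimal name to each server asked.
    qname-minimisation: yes
    # CA bundle used to validate the upstream's TLS certificate in option B.
    # Placeholder path; it differs between distributions.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Option A needs nothing else: with no forward-zone, Unbound recurses from
# the root hints. Queries to authoritative servers still travel in the clear,
# which is the exposure QNAME minimisation limits but does not remove.

# Option B: uncomment this block to forward to a single DoT upstream instead.
# 192.0.2.53 and resolver.example are placeholders, not a real resolver.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 192.0.2.53@853#resolver.example
```

Run `unbound-checkconf` after editing; with option B, the name after `#` must match the upstream's certificate or Unbound will refuse the connection.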