nanog mailing list archives
Re: Are public DNS a good thing?
From: Laszlo H via NANOG <nanog () lists nanog org>
Date: Thu, 17 Jul 2025 17:37:23 +0000
On 7/17/2025 4:58 PM, Jay Acuna via NANOG wrote:
> When using 1.1.1.1 with your browser: requests and responses can be exchanged using DNS over HTTPS; which means that a passive eavesdropper, such as your own Internet service provider with their DNS monetization program cannot capture and log your queries for resale to data brokers. You are reducing the number of parties you have to entrust with the privacy of DNS queries you make and their answers.
This is just like the HTTPS-everywhere nonsense for websites. It's just making the surveillance data that Cloudflare collects more valuable because only they can collect it and not the ISPs along the way, due to this encryption. Do you guys remember when we had SSL accelerator cards in servers? Now we waste that kind of energy on every web request to lie to users and tell them that it's end to end encrypted (is Cloudflare's spy proxy the end?).
The public DNS services are clearly not good for privacy, and neither is pretending to encrypt website traffic, giving users a false sense of security while all of their sensitive information is visible in plain text at CF. They are literally doing a MITM attack and they can even generate certs that don't warn in browsers, showing how worthless that system is for users (but great for those selling certs). Do you trust those people with all your DNS queries and browsing history? At least you still have the choice to not use their resolver, but no way to opt out of the HTTPS-breaking proxy services (and CAPTCHAs) if the website operator implemented it. It's not a good situation for freedom and privacy, and the DNS resolvers are just the tip of the iceberg here.
