nanog mailing list archives

Re: Are public DNS a good thing?


From: "Constantine A. Murenin via NANOG" <nanog () lists nanog org>
Date: Thu, 17 Jul 2025 13:24:10 -0500

On Thu, 17 Jul 2025 at 12:37, Laszlo H via NANOG <nanog () lists nanog org> wrote:
> On 7/17/2025 4:58 PM, Jay Acuna via NANOG wrote:
>> When using 1.1.1.1 with your browser: requests and responses can be
>> exchanged using DNS over HTTPS; which means that a passive eavesdropper,
>> such as your own Internet service provider with their DNS monetization
>> program, cannot capture and log your queries for resale to data brokers.
>> You are reducing the number of parties you have to entrust with the
>> privacy of DNS queries you make and their answers.
>
> This is just like the HTTPS-everywhere nonsense for websites.  It's just
> making the surveillance data that Cloudflare collects more valuable
> because only they can collect it and not the ISPs along the way, due to
> this encryption.  Do you guys remember when we had SSL accelerator cards
> in servers?  Now we waste that kind of energy on every web request to
> lie to users and tell them that it's end to end encrypted (is
> Cloudflare's spy proxy the end?).

I completely agree, and the worst part is that it also:

1. prohibits older devices from still being useful for reading
purposes and the general information access; for example, with
TLSv1.0, you can still Google Search on an older device, and shop on
Amazon, but Wikipedia will not let you access the "free" information,
because reasons™;

2. prohibits proxying and caching of public resources that don't even
change all that frequently;

Both of these widen the digital divide, since it's those less
fortunate that would be most affected.

But, of course, blocking http access, and deprecating TLSv1.0 on
Wikipedia, are done with the best of intentions, as always!

For people who run their own home or corporate networks, the
prevalence of HTTPS also limits their ability to detect threats, do
security research, and ensure no funny traffic is exchanged;
ad-blocking on a network level at home would also be more effective
without HTTPS being in the way; but, of course, the HTTPS proponents
describe all of these "bugs" as "features", never mind the extra impact
of having to run ad blockers on every device wasting more resources
and shortening the planned obsolescence cycles, plus the ever-changing
API of the browsers that make it more and more difficult to
effectively block all of these resource hogs that hide within https.


> The public DNS services are clearly not good for privacy, and neither is
> pretending to encrypt website traffic, giving users a false sense of
> security while all of their sensitive information is visible in plain
> text at CF.  They are literally doing a MITM attack and they can even
> generate certs that don't warn in browsers, showing how worthless that
> system is for users (but great for those selling certs).  Do you trust
> those people with all your DNS queries and browsing history?  At least
> you still have the choice to not use their resolver, but no way to opt
> out of the HTTPS-breaking proxy services (and CAPTCHAs) if the website
> operator implemented it. It's not a good situation for freedom and
> privacy, and the DNS resolvers are just the tip of the iceberg here.

I'm interested in fighting back.

One way to fight back is ensuring your non-commercial websites do NOT
support HTTPS.

If somehow you do support HTTPS, ensure you do NOT support HSTS, and
also do NOT redirect from HTTP to HTTPS.

Another way to fight back may be to implement DNS delays specifically
for Cloudflare's 1.1.1.1, since Cloudflare is well known for wasting
our time as users with the mandatory ad-viewing of their captcha pages
on so many different web properties all across.

Does anyone know of any dual-horizon "delay" patches for NSD to target
Cloudflare's resolver?

The person running archive.today used to expressly limit 1.1.1.1's
access to their DNS in its entirety because of these known issues with
Cloudflare:

* https://news.ycombinator.com/item?id=21155056

Cheers,
Constantine.
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PDWBXCJ3GNQUGUG6HENZP5LQBCLXT24T/