Re: Are public DNS a good thing? (was: Re: 1.1.1.1)

[Tom Beecher via NANOG <nanog () lists nanog org>]

> When using 1.1.1.1 with your browser: requests and responses can be
> exchanged using
> DNS over HTTPS;  which means that a passive eavesdropper, such as
> your own Internet service provider with their DNS monetization program
> cannot capture and
> log your queries for resale to data brokers.   You are reducing the
> number of parties
> you have to entrust with the privacy of DNS queries you make and their
> answers.


When using DoH, your ISP can't see your DNS requests, but they can
absolutely still see the IP of the thing you try to connect to right after
making that DNS request, not to mention probably exposed in the TLS SNI, so
it's not like you're gaining that much privacy anyways.

On Thu, Jul 17, 2025 at 1:00 PM Jay Acuna via NANOG <nanog () lists nanog org>
wrote:

> On Thu, Jul 17, 2025 at 9:40 AM Marc Binderberger via NANOG
> <nanog () lists nanog org> wrote:
> > This raises my question: are public DNS like 1.1.1.1 or Google's 8.8.8.8
> > actually a good thing?
>
> Overall I would say the services' existence is mostly a good thing,
> And you could mitigate most redundancy issues on the client by setting a
> different public DNS provider as a second or tertiary resolver.
>
> But there are definitely some disadvantages, and outages are
> not the only risk created by global centralization in one provider.
>
> For example: By centralizing in a few public rDNS providers;
> You are creating a single entity who can be easily served by governmental
> entities or large conglomerates with blanket censorship or blocking orders
> due to sites hosting content related to sensitive social issues or
> legal disputes,
> plus subpoenas or warrants exposing user data.
>
> By running your own recursive resolver you are guaranteeing that the
> interests
> of the person hosting your resolver servers are aligned with your
> interests,
> and they aren't going to block your access to resources some company
> doesn't want you to see.
>
> > Personally I tend to run "unbound" for recursive resolving and close it
> > against outside use. But I may miss an important point - any reasoning
> that
>
> In its simplest config: You lose out on a privacy benefit by running
> your own recursive nameserver.
>
> When using 1.1.1.1 with your browser: requests and responses can be
> exchanged using
> DNS over HTTPS;  which means that a passive eavesdropper, such as
> your own Internet service provider with their DNS monetization program
> cannot capture and
> log your queries for resale to data brokers.   You are reducing the
> number of parties
> you have to entrust with the privacy of DNS queries you make and their
> answers.
>
> However,  authoritative Nameservers have no equivalent encrypted transport,
> so you cannot obtain that privacy when you are running your own
> recursive resolution.
> You may perform DNSSEC validation,  but  TCP Port 53 or UDP DNS traffic is
> still
> unencrypted, and authoritative nameservers rarely or never offer an
> encrypted transport
> to secure your recursive resolver against passive spying.
>
> > points to the one or the other solution as being better?
> > (my setups/domains are for private use only these days, nothing big,
> nothing
>
> I think the best solution may be have your own DNSSEC-validating resolver,
> but operate it in a query forwarding mode towards multiple different
> DNS resolver
> providers for redundancy using DoH; DNS or HTTPS or DNS over TLS.
>
> --
> -JA
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QA2ENGWXEBFMKC3GOHI2OXI22NNUQTVX/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/36P3MQDHNSOJFGZBTSHMQ2LJ5QC3PJ32/