Comment by chatmasta

2 years ago

In general, I agree DNS-over-HTTPS is a step in the right direction, in terms of eliminating the low-hanging fruit of snooping over the wire. But it's still the same major companies providing the resolvers. And if you're sending them an NSL for push notifications, you may as well send one for DNS too.

That’s usually untrue – for example, if I’m on Comcast but I use Firefox, my DoH requests go instead to Cloudflare who don’t log IPs – but also the larger point is that DNS isn’t complete enough: sometimes it’s unique companies but a lot of the time it’s just a shared endpoint. Push notifications don’t have that problem and happen every time, not just when a cache expires.

  • Cloudflare is one of the "major companies" I was alluding to. It's still an issue of centralized authorities that are accountable to governments. But I do trust Cloudflare more than my ISP or Apple, and in fact I route much of my traffic through them so I hope I'm right in giving them my trust.

    • It’s also a question of what information is available. In the United States, for example, it’s generally seemed to be the case that they can compel release of existing data but not changing systems to record new data or remove encryption. That’s not the case in every country, of course.