Comment by lokar
21 hours ago
Why can’t you have a forwarding resolver send out queries via http and then use it as the system default?
There's no reason you couldn't, and this would actually be fine in my view.
The problem is that with DoH the applications themselves have their own resolver built in that doesn't respect the system defaults.
Today, it's a good thing that applications don't respect the system defaults, since on basically every OS, the system defaults are either "totally insecure DNS all the time", or "auto fallback to insecure DNS". I'd only want programs to start respecting the system defaults if that ever changes.
You can change the system defaults on a sane OS.
That's like saying every application should come up with its own bespoke encryption framework because the OS doesn't utilize full disk encryption by default. The solution is not to implement encryption in all your programs, the solution is to configure full disk encryption in the OS.
When applications don't respect system defaults, they are by definition "going rogue."
I run Pi-hole because I like having some control over the IoT garbage on my (separate IoT) home subnet. Much of the IoT garbage already pins their DNS server, which limits my control, or makes control more difficult to achieve.
Firefox at least allows you to set your own DoH resolver if you want.
I can see a future where Chrome will use the system resolver for everything except Google's advertising domains, and those name resolutions will be impossible to block because they're going to a Google IP that may also serve services you want. Maybe Chrome would get called out for this change and they'd back it off.
But I doubt that a smart TV that does this would get called out, and even if they were the response would likely be "Oh, that model is three months old and we don't do firmware updates, sorry."
You can, in fact that's how Arch wiki suggests doing it: https://wiki.archlinux.org/title/DNS-over-HTTPS
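To make concrete what a forwarding resolver "sending queries via HTTP" actually does on the wire, here is an added example (not from this thread or the Arch wiki): it builds a DNS wire-format query, encodes it into an RFC 8484 `GET /dns-query?dns=` URL, and parses an `application/dns-message` response. The resolver URL `https://doh.example.invalid/dns-query` is a placeholder and the response bytes are constructed inline so the parsing runs offline; only the optional `doh_query` helper at the bottom would touch the network.

```python
import base64
import struct
from typing import List, Tuple

# Placeholder resolver URL (assumption, not a real service).
RESOLVER_URL = "https://doh.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query (RD=1). RFC 8484 recommends ID 0 for GET
    so identical queries produce identical URLs and are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw DNS message, base64url without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, offset: int, max_jumps: int = 16) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it).
    The jump limit guards against pointer loops in a malicious response."""
    labels: List[str] = []
    end = offset
    jumped = False
    jumps = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers: List[Tuple[str, int, str]] = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return rcode, answers


# Constructed sample response: example.com A 192.0.2.1 (TEST-NET-1), TTL 3600,
# with the answer name given as a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)


def doh_query(resolver_url: str, name: str) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Live lookup over HTTPS (needs network; not exercised offline)."""
    import urllib.request
    req = urllib.request.Request(
        doh_get_url(resolver_url, build_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url(RESOLVER_URL, build_query("example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

Because the query travels as an ordinary HTTPS request, the same trick works for any forwarder that speaks this format; whether it becomes the system default is then just a matter of pointing the OS stub resolver at it, which is the configuration the Arch wiki page walks through.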