Comment by josephcsible
1 day ago
> Except that your ISP gets it anyway via SNI and seeing which IP addresses you connect to.
Hence my point about CDNs and ECH upthread.
> Then why is Chromecast hard-coded to use Google's DNS with no option to even manually change it?
I lump Chromecast into the "IoT" category, not the "browsers" category. Google could spy on you even with no DNS access at all if it wanted to.
> The "devices in my family" want the same DNS server because they want to be blocking ads and malware. The issue is there are then rather a large number of them and requiring them each to be configured individually with many opportunities for omissions becomes a security vulnerability, since omissions allow the malware through.
If you're concerned about that, don't you realistically need something like uBlock Origin on each endpoint anyway, since so many sites serve their (malware-laden) ads from their own domains these days, specifically because of things like the Pi-Hole?
> You also need this if you want devices to resolve local names.
There would be nothing wrong with a fallback just for TLDs like ".local" and ".internal" that will never exist for real on the Internet. The critical "no fallback" point is just for potentially-real TLDs when the DoH server isn't reachable.
> The browsers already have this:
> https://support.mozilla.org/en-US/kb/canary-domain-use-appli...
> The problem is it's not a standard so then not everything respects it or does it the same way, and devices not implementing it out of malice (e.g. to purposely avoid ad blocking) get to pretend they're not doing anything untoward.
That setting is bad and needs to go away. It completely defeats the purpose of DoH.
> Hence my point about CDNs and ECH upthread.
ECH isn't widely used and the IP address still reveals a ton of information regardless.
> I lump Chromecast into the "IoT" category, not the "browsers" category. Google could spy on you even with no DNS access at all if it wanted to.
In that case it's more about ad blocking than spying.
> If you're concerned about that, don't you realistically need something like uBlock Origin on each endpoint anyway, since so many sites serve their (malware-laden) ads from their own domains these days, specifically because of things like the Pi-Hole?
Most sites don't have the technical capacity to do that and you still get to block all of the others. Also, a lot of the malware comes from scummy ad networks that innocent sites used out of ignorance, and then blocking the ad network blocks the malware which that site isn't purposely trying to foist on you.
> There would be nothing wrong with a fallback just for TLDs like ".local" and ".internal" that will never exist for real on the Internet. The critical "no fallback" point is just for potentially-real TLDs when the DoH server isn't reachable.
You can get a TLS certificate for any real name, including dynamic DNS names on some providers, even if those names are only used locally, using ACME DNS-01. You can't get a TLS certificate for .local or .internal names. But you may not want to put local names in the global DNS, or they may not resolve to the same IP address everywhere, e.g. you need some server to resolve to the public IP from the internet but the local IP on the LAN.
> That setting is bad and needs to go away. It completely defeats the purpose of DoH.
It doesn't, because Mozilla owns that domain and ISPs refusing to resolve it would get in trouble in most countries, so they don't, and then people using the default ISP DNS still get DoH instead.
You can manually configure your browser to always use DoH regardless of that entry, which is what people on actually malicious networks do. Its purpose is to make it so the default can be changed without touching every single application on every single endpoint device.
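The resolver policy argued over in this thread (fallback to the local resolver only for names that can never exist in the global DNS, no fallback for potentially-real names when the DoH server is down, and a canary domain that only affects the default-on mode and not a manually configured one) can be written down as a small decision function. The following is an added example, not code from either commenter or from any browser; the mode names, the `Resolver` outcomes and the sample lookups are constructed for illustration. The canary domain `use-application-dns.net` is the one Mozilla documents in the linked KB article; the private-only suffixes come from RFC 6762 (`.local`), RFC 8375 (`home.arpa`), ICANN's reservation of `.internal`, and the RFC 1918 reverse zones.

```python
"""DoH resolver-selection policy as discussed in the thread (constructed example).

Three rules are modelled:
1. Names that can never exist in the global DNS (.local, .internal, home.arpa,
   RFC 1918 reverse zones) may always go to the network-provided resolver.
2. In DEFAULT mode an NXDOMAIN for the canary domain turns DoH off; in STRICT
   (user-configured) mode the canary is ignored.
3. For potentially-real names, a DoH outage means "fail closed", not "fall back".
"""
from __future__ import annotations

from enum import Enum

# Mozilla's canary domain (see the support.mozilla.org article linked above).
CANARY_DOMAIN = "use-application-dns.net"

# Suffixes that are private-only by standard or reservation, so a plain-DNS
# fallback for them leaks nothing that the global DNS could have answered.
PRIVATE_SUFFIXES = (
    ".local",                 # mDNS, RFC 6762
    ".internal",              # reserved for private use by ICANN
    ".home.arpa",             # RFC 8375
    ".10.in-addr.arpa",       # reverse zone for 10/8 (RFC 1918)
    ".168.192.in-addr.arpa",  # reverse zone for 192.168/16 (RFC 1918)
) + tuple(f".{i}.172.in-addr.arpa" for i in range(16, 32))  # 172.16/12


class Mode(Enum):
    OFF = "off"          # DoH disabled
    DEFAULT = "default"  # DoH on by default; honours the canary domain
    STRICT = "strict"    # DoH configured by the user; canary ignored, no fallback


class Resolver(Enum):
    DOH = "doh"      # send the query to the DoH server
    LOCAL = "local"  # plain Do53 to the network-provided resolver
    FAIL = "fail"    # refuse to resolve rather than leak the name to the network


def is_private_only(name: str) -> bool:
    """True if `name` lies under a suffix that never exists in the global DNS."""
    n = name.rstrip(".").lower()
    return any(n == s[1:] or n.endswith(s) for s in PRIVATE_SUFFIXES)


def effective_mode(mode: Mode, canary_nxdomain: bool) -> Mode:
    """Apply the canary signal: only the default-on mode can be switched off by it."""
    if mode is Mode.DEFAULT and canary_nxdomain:
        return Mode.OFF
    return mode


def choose_resolver(name: str, mode: Mode, canary_nxdomain: bool,
                    doh_reachable: bool) -> Resolver:
    """Decide where a single query for `name` goes under the stated policy."""
    if is_private_only(name):
        return Resolver.LOCAL          # rule 1: safe fallback, nothing to leak
    mode = effective_mode(mode, canary_nxdomain)
    if mode is Mode.OFF:
        return Resolver.LOCAL          # DoH is off, plain DNS is the configured path
    if doh_reachable:
        return Resolver.DOH
    return Resolver.FAIL               # rule 3: fail closed for real names


def simulate(mode: Mode, canary_nxdomain: bool, doh_reachable: bool,
             names: tuple[str, ...]) -> dict[str, Resolver]:
    """Run the policy over a batch of constructed lookups and return the decisions."""
    return {n: choose_resolver(n, mode, canary_nxdomain, doh_reachable) for n in names}


# Constructed sample lookups: two private-only names, one real name, one
# RFC 1918 reverse lookup and one reverse lookup of a public address.
SAMPLE_NAMES = (
    "printer.local",
    "nas.home.arpa",
    "example.com",
    "4.3.168.192.in-addr.arpa",
    "8.8.8.8.in-addr.arpa",
)

if __name__ == "__main__":
    # DoH server unreachable on a network that answers the canary with NXDOMAIN.
    for name, where in simulate(Mode.STRICT, True, False, SAMPLE_NAMES).items():
        print(f"{name:28s} -> {where.value}")
```

Running the block shows the split the thread describes: `printer.local`, `nas.home.arpa` and the 192.168 reverse lookup go to the local resolver, while `example.com` and the public reverse lookup are refused in STRICT mode when the DoH server is down. Note what the policy does not cover: a real, certificate-bearing name that needs split-horizon answers (public IP from outside, LAN IP inside), as raised in the last reply, is treated as a real name here and gets no local fallback.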