Comment by josephcsible
1 day ago
What do you propose they do instead? They obviously can't trust the network-provided one, since the whole point is that that one is often malicious.
1 day ago
What do you propose they do instead? They obviously can't trust the network-provided one, since the whole point is that that one is often malicious.
Malicious DNS in terms of returning bad results is generally irrelevant because if you can't trust the network then returning the wrong IP address and routing the right IP address to the wrong server are the same. Also, you're using HTTPS/TLS/SSH/etc. on the actual connection anyway, right?
So the point of this is to prevent Comcast from seeing your DNS queries. And then it works fine to trust the network to say "no, really, use this one and not the default DoH one" as long as that setting is one that Comcast would get in trouble for misusing. Notice that they don't return bad results for use-application-dns.net as it is.