America's rotten ISPs object to encrypted DNS, argue that losing the ability to spy on your traffic puts them at a competitive disadvantage

Agreed. I don’t trust any of the usual suspects (like, say, Cloudflare, Verisign, etc.) any more, though.

I did just see the Chaos Computer Club runs a public DNS server, and there’s always OpenNIC. That might be worth looking into, but I haven’t gone there yet. (I guess I could just update resolver running in the house and see how that goes.)

If you don’t want to use the DNS service offered to you by your on-path connectivity provider, then don’t centralize – simply install Unbound or BIND on a gumstix or virtual machine, and so route your own DNS questions directly to the authority servers whose answers you require. Recursive DNS is a necessary middleman, but should remain close to the clients, and should be a contracted party. So if not your ISP or your enterprise, then, do it yourself inside your home or your company. There was never a reason to outsource this to opendns or google or the others, and there isn’t a reason to do so now, and there won’t suddenly be a reason in the future. BIND9 in particular now does exactly what’s needed including DNSSEC if you start it with no configuration file at all. There’s no “expertise” argument for centralization.

3 Likes

Yes. Laziness is my excuse. I’ve been using dnsmasq for years because it’s pretty set-it-and-forget-it, and I’ve since set it and forgotten it.

I know Unbound is supposed to be similarly simple to set up and leave it be, but it’s never come up sufficiently on my list of to-dos. Maybe I should burn an evening and set it up and try it out.

For most folks who simply use a forwarder, though (like, anyone who sets it in their home router), there are better options than using your ISP or Google. I’d never set up a full resolver at my relatives’ houses because they can already f* up a brass jackass, for instance. (I guess I could just set one up and tell them they could use mine, though.)

I am also a bit puzzled by the tone of the conversation in the US. However, please realize that, when seen from Europe, the argument looks quite different; European ISPs are heavily regulated and cannot monetize their users so easily, and on the other hand the browsers that seek to change the default resolver (i.e., at the moment, Firefox) actually move the data of European users outside of the EU and of the protections granted by the GDPR, from local companies into the hands of the usual big tech platforms. So, for European users, it is debatable whether DNS-over-HTTPS brings more privacy - many think it actually brings less.

Also, the ability for anyone to run their own DNS-over-HTTPS servers (which they should anyway do) is basically useless if browsers do not let you configure it easily, possibly once per device (not once per application) as it currently is, or attribute themselves the right to decide who can be a “trusted resolver” and who cannot, subject to their unilateral conditions. Up to now, Google has not been going down this path (like Mozilla instead did) and so I have no reason to argue against them, but we need mutually agreed norms to ensure that this will not happen.

I have loyalty cards in other names, too. Most of my non-grocery purchases, though, are made through eBay, where Google doesn’t track my spending habits.

My email account tracks back to a mini-warehouse in a town I’ve only passed through. No Facebook, Twitter, or Instagram.

A local criminal family runs our local ISP office and the chief of police’s brother reputedly works in the regional office. They busted my paid VPNS but one of my browsers includes one. I refuse to use Chrome but am stuck with Google, albeit without an account.

I pissed off a family ex-wife with a truly vicious and larcenous bunch of relatives and no respect for the Fourth Amendment.

Great answer and thank you so much!

“encrypted DNS” (DNS SEC feature) was once a thing we tried to do.

DNS over HTTPS is something no sane network or enterprise admin wants and even genuine security folks are describing as a potential nightmare. Keeping DNS functioning is genuinely hard work and debugging problems that boil down to DNS is harder work. Encrypting it with an already over bloated protocol that can be a horrid challenge to debug on its own is a fecal sandwich.

1 Like

Stuck with google? Seems that could be avoided with a little determination.

This topic was automatically closed after 5 days. New replies are no longer allowed.