On 7/17/2025 4:58 PM, Jay Acuna via NANOG wrote:
> When using 1.1.1.1 with your browser, requests and responses can be
> exchanged using DNS over HTTPS, which means that a passive eavesdropper,
> such as your own Internet service provider with their DNS monetization
> program, cannot capture and log your queries for resale to data brokers.
> You are reducing the number of parties you have to entrust with the
> privacy of DNS queries you make and their answers.
This is just like the HTTPS-everywhere nonsense for websites. It's just
making the surveillance data that Cloudflare collects more valuable
because only they can collect it and not the ISPs along the way, due to
this encryption. Do you guys remember when we had SSL accelerator cards
in servers? Now we waste that kind of energy on every web request to
lie to users and tell them that it's end-to-end encrypted (is
Cloudflare's spy proxy the end?).
The public DNS services are clearly not good for privacy, and neither is
pretending to encrypt website traffic, giving users a false sense of
security while all of their sensitive information is visible in plain
text at CF. They are literally doing a MITM attack and they can even
generate certs that don't warn in browsers, showing how worthless that
system is for users (but great for those selling certs). Do you trust
those people with all your DNS queries and browsing history? At least
you still have the choice to not use their resolver, but no way to opt
out of the HTTPS-breaking proxy services (and CAPTCHAs) if the website
operator implemented it. It's not a good situation for freedom and
privacy, and the DNS resolvers are just the tip of the iceberg here.
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/HLPQ5652N2CFRAWLKSNRPF7LMQVKVOSO/
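The quoted message describes DNS over HTTPS at the level of who can observe a query. The following is an added example, not code from either poster, showing what a DoH request actually carries on the wire per RFC 8484: a standard RFC 1035 wire-format DNS query, either base64url-encoded in the `dns` parameter of a GET or sent as the body of a POST with `Content-Type: application/dns-message`. The resolver endpoint is Cloudflare's documented `cloudflare-dns.com/dns-query`; the query name `example.com` is a constructed sample. Nothing here touches the network; it builds and decodes the messages so you can see which fields end up inside TLS and which do not.

```python
import base64
import struct

# Added example (not from the NANOG thread). Assumption: the public DoH
# endpoint below; the query names used with it are constructed samples.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Return a wire-format DNS query for `name` (qtype 1 = A, class IN).

    RFC 8484 recommends transaction id 0 for DoH so that identical
    questions produce byte-identical messages that HTTP caches can reuse.
    """
    # Header: id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(message: bytes) -> str:
    """Decode the first question name from a wire-format DNS message.

    This is exactly what a passive observer can read from a classic
    plaintext UDP/53 datagram; with DoH the same bytes sit inside TLS.
    """
    offset = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = message[offset]
        offset += 1
        if length == 0:
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def encode_doh_param(message: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_doh_param(param: str) -> bytes:
    """Inverse of encode_doh_param: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """Full GET URL for a DoH query; only the host part is visible
    outside TLS (via the IP address and, without ECH, the TLS SNI)."""
    return f"{endpoint}?dns={encode_doh_param(build_dns_query(name))}"


def doh_post_request(name: str, endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form: the raw wire-format message is the HTTP body."""
    body = build_dns_query(name)
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Accept": "application/dns-message",
            "Content-Type": "application/dns-message",
            "Content-Length": str(len(body)),
        },
        "body": body,
    }


if __name__ == "__main__":
    msg = build_dns_query("example.com")
    print("plaintext UDP/53 payload exposes:", parse_qname(msg))
    print("DoH GET URL:", doh_get_url("example.com"))
    print("DoH POST body length:", doh_post_request("example.com")["headers"]["Content-Length"])
```

The part worth noticing is what stays outside the encryption: a passive observer on the path still sees a TLS connection to the resolver's IP address and, unless Encrypted Client Hello is in use, the resolver's hostname in the SNI. The question name, the record type and the answers are only readable by the client and the operator of the DoH endpoint, which is the trade the thread is arguing about: fewer observers on the path, with the resolver operator remaining one of them.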