Cloudflare, on the other hand, is based in a foreign jurisdiction that offers none of these protections.
It really depends on which jurisdiction you are in, unfortunately. US ISPs are selling everything they can hoover up (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).
Some may also consider reverse proxying/caching to be providing transit service, but I'm not sure if the majority of people would agree on that.
Given that they are funded and run by the same forces American parasitical capitalism provides, I would trust them as much as I'd trust Google or Alphabet.
I'll continue to route my DNS to quad-nine over mullvad over my specifically chosen ISP, and everything on my network does that as I can easily intercept and redirect udp/53.
The weak point is treacherous devices which use DoH, which is a constant fight to block.
Many ISPs explicitly sell DNS data, and are also advertising vendors.
Cloudflare, on the other hand, doesn’t share or sell data and retains minimal data: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...
So does UDP based DNS, and TLS based DNS. It’s all the same in that regard.
Do ISPs do deep packet inspection to get lookup data? Maybe, but it increases the cost of doing so and makes the business aspect of it less viable. Perhaps a minor win.
With cleartext DNS, your queries may never reach your chosen server. Plenty of ISPs are configured to just answer any DNS query, regardless of its destination. Using a nonstandard port might help, but you’d be much better off deploying one of the DoH / DoT / DoQ / etc secure protocols.
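A practical check for the interception the comment above describes, added here as an example and not code from any commenter: build a cleartext query with the standard library, send it both to your chosen resolver and to an address that runs no DNS server at all (192.0.2.1 from RFC 5737 TEST-NET-1, an assumption used only because nothing legitimate can answer from it), and treat any reply from the bogus destination as proof that something on the path is answering UDP/53 itself. The packet builder and parser run offline against a constructed reply; `probe()` is the only part that touches the network.

```python
import random
import socket
import struct
from typing import Dict, List, Optional

# Constructed example: a destination that runs no DNS server. 192.0.2.0/24 is
# RFC 5737 TEST-NET-1, so a reply from it can only come from a middlebox.
BOGUS_SERVER = "192.0.2.1"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal cleartext DNS query (one question, class IN, RD=1)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels: List[str] = []
    end = None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer, follow it
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:                      # root label terminates the name
            if end is None:
                end = off + 1
            break
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_response(buf: bytes) -> Dict:
    """Parse the header and any A records out of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(buf, off)
        off += 4
    a_records: List[str] = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "a_records": a_records}


def fake_answer(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Constructed reply shaped like what an interposing resolver sends back:
    same txid, QR=1, the question echoed, one A record via a pointer to it."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def probe(name: str, server: str, timeout: float = 2.0) -> Optional[Dict]:
    """Send one query to server:53; None on timeout or transaction-id mismatch."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:                      # socket.timeout is an OSError
            return None
    resp = parse_response(data)
    return resp if resp["txid"] == txid else None


def classify(results: Dict[str, Optional[Dict]]) -> str:
    """results = {"resolver": probe() of your server, "bogus": probe() of BOGUS_SERVER}."""
    bogus = results.get("bogus")
    if bogus is not None and bogus["is_response"]:
        return "intercepted: a host that runs no DNS server answered, so a middlebox handles UDP/53"
    if results.get("resolver") is None:
        return "inconclusive"
    return "clean"


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"
    print(classify({"resolver": probe("example.com", resolver),
                    "bogus": probe("example.com", BOGUS_SERVER)}))
```

A "clean" result only rules out blanket interception: a middlebox that rewrites traffic to a list of well-known resolver addresses and leaves everything else alone passes this check, so compare the A records you get from two independent resolvers as well, keeping in mind that CDN-hosted names legitimately differ between resolvers.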
So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.
* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.
Big CDNs and ECH make that impossible.
If I check right now, from the top 10 links on HN, it is trivial to distinguish the top-level domain from just the IPv4 or IPv6 address. Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com. I don't even need to go into packet size heuristics, or the myriad of ad networks, etc.
Sure, there are some instances where you will share the IP of the CDN. This has been seen recently, e.g. in the recent article on the "LaLiga" blocks in Spain. But bigger sites cannot afford for this to happen, and even smaller sites tend to have at least one paid IP address for mail (reputation is a bitch, and Cloudflare doesn't have any).
Two of the top 10 links in HN right now (https://www.hackerneue.com/item?id=44215603 and https://www.hackerneue.com/item?id=44212446) are to different subdomains of github.io that resolve to the exact same IP addresses, so reverse DNS doesn't tell you which one is being visited.
And you can't even tell the TLD, because the TLD is "io", but the reverse lookup on the IPs will give you a TLD ending in "com".
> Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com.
That's because HN isn't behind the kind of CDN I'm talking about. But a lot are. Is your argument "since your ISP can see some of the sites you're going to, we should remove all protections and let them see all sites you're going to?"
Even if you use a VPN?
They know your government id when you subscribe to their service.
Cloudflare, OTOH, never has your identity. They only have the metadata.
Based on what?
The bar is real low, mostly for the fact that ISPs are mandated by law in most if not all countries to track traffic flowing through their pipes.
Cloudflare provides relatively better privacy guarantees for the public DNS resolvers it runs: https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...
CF issues are dealt with “hope to get a post on HN trending”.
Your next argument might be "but how do you know the server is really using ODNS?" You don't. If your security threat profile doesn't allow for this, whatever you're doing shouldn't be using a public internet network anyway.
If you live in a rural area where people are co-operative, there might be a community owned fibre operator plus Openreach, otherwise just Openreach.
If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.
Edited to add, notably: only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last mile delivery will always be Openreach. And if they're small it won't just be the last mile: Openreach also sells backhaul to get your data from some distant city to the place where the ISP's hardware is; you're buying only the, like, actual service. Which is important - mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking).
In the UK there are even aggregators like Fibre Café [1] that make it easier for ISPs to connect through multiple networks.
This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.
DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.
You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.
If you combine this with ECH and a good blocker, no they do not. That's exactly why Spain is blocking around 60% of the internet during football games now; the ISPs cannot tell which websites and subscribers are pirating football streams.
[citation needed for the 60% figure]
Precisely due to these blocks is why I know that Cloudflare is NOT 60% of the WWW, not yet at least. Certainly, if Cloudflare was serving 60% of the Internet, I would consider switching my DNS to them. But that would be a privacy nightmare for another day (replacing federated ISPs with a single big centralized one? great idea /s). It is not yet the case as of today.
In fact, as of today, and even if you have a "good blocker", I, a total noob, have a high chance of reliably identifying which HN news item from the top #30 you clicked from just the addresses: https://www.hackerneue.com/item?id=44219061 . Imagine what the non-noobs at your ISP could do.
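The disagreement between this comment and the github.io one above comes down to one question: given only destination addresses (no DNS, and no SNI once ECH is in use), how many sites map to the address you saw? The following is an added example, not code from either commenter, that makes that question mechanical. All hostnames (under the reserved .example TLD) and addresses (RFC 5737 documentation ranges) are constructed; they are shaped after the cases in the thread: one site on its own address, two "pages" sites sharing a pair of CDN edges whose PTR records only name the CDN, and two sites behind a single anycast address.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of hostname -> addresses, as a client would resolve them.
RESOLUTIONS: Dict[str, Set[str]] = {
    "news.example":        {"192.0.2.10"},
    "alice.pages.example": {"198.51.100.1", "198.51.100.2"},
    "bob.pages.example":   {"198.51.100.1", "198.51.100.2"},
    "shop.example":        {"203.0.113.7"},
    "forum.example":       {"203.0.113.7"},
    "mail.example":        {"203.0.113.9"},
}

# Constructed PTR data: a dedicated address carries the site's own name, a
# shared edge address only names the hosting provider (the github.io case).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10":   "news.example",
    "198.51.100.1": "edge-1.pages-cdn.example",
    "198.51.100.2": "edge-2.pages-cdn.example",
    "203.0.113.7":  "anycast.cdn.example",
    "203.0.113.9":  "mail.example",
}


def build_ip_index(resolutions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert hostname -> addresses into address -> hostnames: the observer's view."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for host, ips in resolutions.items():
        for ip in ips:
            index[ip].add(host)
    return dict(index)


def infer_sites(index: Dict[str, Set[str]], ip: str) -> List[str]:
    """All sites that could have been the target of a connection to ip."""
    return sorted(index.get(ip, set()))


def exposure_report(resolutions: Dict[str, Set[str]]) -> Dict[str, str]:
    """Per site: can an observer seeing only destination addresses name it?
    One address unique to the site is enough, so take the least shared one."""
    index = build_ip_index(resolutions)
    report: Dict[str, str] = {}
    for host, ips in resolutions.items():
        best = min(len(index[ip]) for ip in ips)
        report[host] = "identifiable" if best == 1 else f"ambiguous among {best}"
    return report


def attribute_flows(index: Dict[str, Set[str]], ptr: Dict[str, str],
                    dst_ips: List[str]) -> List[Dict]:
    """Attribute each observed destination address (a constructed flow log)."""
    rows: List[Dict] = []
    for ip in dst_ips:
        candidates = infer_sites(index, ip)
        if len(candidates) == 1:
            verdict = "identified"
        elif candidates:
            verdict = f"shared address, {len(candidates)} candidates"
        else:
            verdict = "unknown"
        rows.append({"ip": ip, "candidates": candidates,
                     "ptr": ptr.get(ip), "verdict": verdict})
    return rows


if __name__ == "__main__":
    for host, status in exposure_report(RESOLUTIONS).items():
        print(f"{host:22} {status}")
    observed = ["192.0.2.10", "198.51.100.2", "203.0.113.7", "203.0.113.42"]
    for row in attribute_flows(build_ip_index(RESOLUTIONS), PTR_RECORDS, observed):
        print(row)
```

The index is the cheap part; the expensive part for a real observer is keeping RESOLUTIONS current for every site it cares about, which is exactly what it loses when DNS moves out of its view. The report also shows where ECH actually buys something: only sites whose every address is shared stay ambiguous, and a site that keeps one dedicated address (the mail-server case mentioned above) is identifiable the moment a client connects to it.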
We must do something. This is something. Therefore, we must do this.
> Cloudflare gets all your DNS queries.
That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.
> Complexity is the enemy of security.
That's true, but that's no reason to go from an imperfect solution to a nonsolution.
> there is DNS over TLS
That doesn't solve most of the issues that the author brought up.
> How does a modern company in the IT business earn money? By selling data.
Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.