Quick question about DNS and DoH that I thought about after reading this post:
https://packmates.org/@silvereagle@furry.engineer/111176886781705659
Wouldn’t it make sense for Firefox or another third party to bundle and transparently forward all DoH requests to cloudflare so that:
A) Cloudflare doesn’t know who made what request due to not knowing the origin
B) Firefox doesn’t know who made what request due to TLS
That’s somewhat similar to how apple private relay works.
Just an fyi. DoH is a fucking nightmare for network management. For example, if you use a pihole on your network, you 100% do NOT want devices using encrypted DNS.
Is it possible for devices to ask the pihole without doh, and the pi-hole to forward the request with doh if the domain isn’t in the cache?
I’m not an expert but I’m pretty sure no.
I have a mini PC that is always on that runs my NTP and DNS, and it’s upstream DNS is quad nine out of Switzerland. (9.9.9.9). I tend toward the same usage patterns daily, and about a third of my requests never leave my home DNS to get resolved.
The TTL nowadays is about 3600 seconds, so I think that at about that rate your DNS server would flush stored entries every hour one by one and ask to 9.9.9.9 an update. That’s basically how every DNS server works (and I guess that even the ones embedded in router’s works like that with caching). Is your setup different? If yes, in which way? Thanks
I set it up a long time ago, so I don’t honestly remember. I followed some guide, and did a few domain redirects to point at stuff on my home network and to shut Zuck out of my life, but I didn’t do anything crazy. So, I doubt it, but I don’t know.
@Wander @privacyguides I think that’s what ODoH is. Apple also does something like that with their private relay service.
However, it still allows the last DNS provider in the chain to see all queries, even if they don’t know the exact source.
Not using Cloudflare as a DNS resolver would be an even better solution.
I’ve just started using their Zero trust stuff and so far I like it. Why should I not use them? What other options are better?
I meant Cloudflare DNS, I don’t understand why Firefox uses Cloudflare DNS when there are so many other great options like NextDNS. The reason why many people in the privacy community dislike Cloudflare or CDNs in general is because they are often hostile to VPN or TOR users, and they centralize the web.
Ah got it, that makes sense. Thanks.