
I think it depends on who you're trying to protect against. While using DoT to a public resolver gives the public resolver the ability to build a history of your queries, running a recursive resolver yourself means anyone who's watching the wire (ISP, local government, etc.) can build a query history instead. Some people trust Google or Cloudflare more than those other entities, or figure that Google already knows pretty well what they're up to since Analytics is pretty much everywhere and they use Gmail.

The most useful option I've seen for trying to get the benefits of both has been rotating between a list of DoT resolvers, so none get all the history and end up with fragmented profiles. There are issues there since people access the same services and thus they'll get the full list over time if the software doesn't record who got what request and stickies it to them. There's always the option of doing it over Tor, but then you're introducing multisecond latencies to your DNS queries, which isn't exactly a great experience.
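The sticky assignment the comment above asks for, as an added example that is not the commenter's code: each name is hashed to one fixed resolver, so plain round-robin's leak of the full list to every resolver over time does not happen, and the query is sent with the RFC 7858 framing DoT uses. The resolver list is an assumption; any DoT endpoints on port 853 with a certificate covering their IP would do.

```python
import hashlib
import socket
import ssl
import struct

# Constructed resolver list (assumption); any DoT endpoints on port 853 would do.
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]

def pick_resolver(qname, resolvers=RESOLVERS):
    """Sticky choice: a name is always sent to the same resolver, so each
    resolver only ever sees its fixed slice of the query history instead of
    accumulating the whole list over time as plain round-robin would."""
    name = qname.rstrip(".").lower().encode()
    h = int.from_bytes(hashlib.sha256(name).digest()[:8], "big")
    return resolvers[h % len(resolvers)]

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS wire-format query (RFC 1035): header + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed connection early")
        buf += chunk
    return buf

def query_dot(qname, qtype=1, timeout=3.0):
    """Send one query over TLS to the resolver stickied to qname and return
    (resolver, raw DNS response). The certificate is verified against the IP."""
    resolver = pick_resolver(qname)
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(frame(build_query(qname, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    if resp[:2] != struct.pack("!H", 0x1234):
        raise ValueError("transaction id mismatch")
    return resolver, resp
```

A single long-lived TLS session per resolver would be the normal production shape; one connection per query is kept here only to keep the exchange readable.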

If you think someone is watching your wire they will see what you connect to after resolving it. That's true if your ISP resolved it, Google resolved it or you resolved it. If this is a problem, you need a different solution altogether.

So because a snooping provider is irrelevant when we talk only about resolving DNS, that only leaves the choice of which party to add to the chain of entities that are able to easily snoop on you or not. If privacy is important, adding Google or any other DoT resolver to that chain is strange.

That's true if an IP only serves requests for a single domain. With ESNI it's now possible to connect to a server that hosts services for multiple domains without the domain being divulged in the clear on the wire.
