
Long story short: Chrome will do DoH DNS, but only if your current DNS provider already supports DoH, and, for now, only as an experimental feature.

People are upset about Firefox's new default of routing DoH to Cloud Flare, and I understand why. But it's useful to keep the issues distinct: DoH is a good thing (your ISP should not be able to see your DNS queries), even if routing them to Cloud Flare isn't.
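The DoH exchange the comments above argue about, as an added example that is not part of this thread: the DNS query is serialised in ordinary RFC 1035 wire format and then carried inside an HTTPS GET as RFC 8484 specifies, so a network observer sees only TLS to the resolver rather than the names being looked up. The resolver URL and the response bytes below are constructed placeholders; the encoded query for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```python
import base64
import struct
from urllib.parse import urlencode

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query for `name` (class IN, RD bit set).
    RFC 8484 recommends transaction ID 0 so DoH responses can be HTTP-cached."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query rides base64url-encoded, without padding,
    in the `dns` parameter; everything after the host name is inside TLS."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?" + urlencode({"dns": encoded})

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1

def parse_a_records(response: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a wire-format response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample: what a DoH server would return for build_dns_query("www.example.com")
# (flags 0x8180 = response, RD/RA; the answer name is a pointer to the question name).
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Calling `doh_get_url("https://doh.example.net/dns-query", build_dns_query("www.example.com"))` yields the URL an app-level resolver would fetch; `parse_a_records(SAMPLE_RESPONSE)` decodes the constructed reply to `["192.0.2.1"]`.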

DoH is a good thing when I configure it on a system level. Each individual app bypassing the system DNS settings to implement DoH within the app is not a good thing.

As a thought exercise: why is the OS level the correct level for DNS configuration? Why would the LAN not own this?

It seems interesting that the article and many comments here identify the application level as inherently wrong and the OS level as inherently right.

What if you were running docker containers on a server? Is it incorrect for the containers to set their own resolver settings?

> Is it incorrect for the containers to set their own resolver settings?

For generic containers, it is. If you build your own very customised app, then sure, you can control what it does. But if you build an app, you don't know where/how I deploy it. It may be without internet access. It may be expected to use private DNS zones. It may be expected to query mdns. The container should not guess or assume those things.

I think I agree with you, but also I think I feel the same way about generic computers. I’d say that outside of specialized use cases, the OS is the wrong layer to define DNS settings: the network is the correct layer. Because that means that as computers move between networks, they handle things like private zones.

That said, I also think that there’s no absolute truth for what constitutes a “specialized use case”. I think if I’m the operator of a network, or a computer, or a container, or an application, having it use custom DNS settings is up to me. And Firefox/Chrome enable that: the operator can change the setting to whatever they want.

Speaking to the default case, Firefox/Chrome moving towards DNS defined at the app layer smells painful to me as a network operator, but ISP DNS interception also smells to me, and for the normal consumer threat model and network topology, Firefox/Chrome using CloudFlare DNS is essentially pure win. Most consumer users aren’t on networks with split-horizon DNS, and most consumer users aren’t at risk from CloudFlare logging their DNS requests, even assuming they’re violating their published privacy policies.

What is a good alternative to Cloudflare? What should we change the Firefox default setting to?

A tor client that only passes DNS traffic and nothing more. But does it exist?
