There is no reason for ISP customers to use ISP DNS, given the available alternatives, and this will become even clearer as more people boot up DoH resolvers as alternatives to Cloudflare.
Again this is absolutely false. Your ISP, and nobody else, can deliver the lowest latency and quickest path DNS resolution short of other providers paying ISPs for last mile fog boxes (as some DNS providers do). Why can’t my ISP support DoT?
But that also highlights a huge misconception about DoT/DoH: it only provides privacy to the resolver. It does not make your requests private in the eyes of the server or spanning the recursive queries that may be required during resolution. I’m not particularly compelled to trust Cloudflare more than OpenDNS or whatever. It’s the same situation with VPN.
Anyway it’s well known that the actual solution for people concerned with utmost privacy is a round robin resolver selection strategy. It’s super easy to implement... why aren’t browsers providing this type of option?
My ISP’s DNS servers take longer both in round trip and total resolution time compared to both 1.1.1.1 and 8.8.8.8... and I have both Comcast and AT&T in an urban area. While this might have been true in the past, that is definitely no longer the case in a lot of areas.
They can, and I would be fine using it if it were a) fast, b) reliable, and c) (here's the big one) legally required that they not log or do anything with my queries.
As it stands, Comcast's provided resolver is somehow slower than some of the third-party providers for me, and I don't care to give them the ability to sell my DNS data.
> There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.
That’s the part of your comment I am replying to. Anyway I see you’re arguing ISPs shouldn’t care which provider you use, not that they shouldn’t want to default you to running their own. Perhaps I misunderstood your point.
Regardless I’d argue the problem in the US is that any DNS provider can abuse your data. Today it’s big ISPs, tomorrow it’s Cloudflare. Unless we actually prevent (technically and/or socially) DNS from being an open book and develop strategies to mitigate the privacy issues it’s just a game of pick your poison, and that’s what bothers me.
> But to say there is no reason for an ISP to serve DNS is absurd.
The part of my comment that you quoted does not at all say that. (In fact, no part of my comment says, or even suggests, that.)
I agree that any DNS provider can abuse your data, but it's important to look at incentives. Comcast doesn't care one bit about its public image because it already has a terrible one, but customers have no choice in the matter, so Comcast's public image is mostly irrelevant.
Several DoH providers bill themselves as privacy-focused, and make privacy a big point in their marketing around their DNS service. Violating that privacy would be damaging to their product and reputation, in a way that they'd likely care quite a bit about.
I'd rather just have my local resolver have a list of 5 or so DNS providers with reasonably low-latency presence in my area (possibly including the local ISP, even, who knows), and just round-robin requests to them. There's really no way to make DNS not an "open book" as you put it; you can't ask someone to resolve a hostname for you without telling them what the hostname is.
So yes, we need ways to mitigate harm. Unless a provider has their reputation on the line, I don't really see a way to keep providers from doing sketchy things with your data, at least not without legal regulation. It's not like things like the EU's GDPR and California's CCPA were dreamed out of nothing; they came about because people have started to realize that companies just will not act as good stewards of our data unless we legally mandate toothy financial consequences as punishment.
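The round-robin forwarding strategy described in the comment above, as an added example that is not part of the original thread: a local stub resolver rotates each query across several upstream resolvers and skips an upstream after repeated failures, so no single provider receives the whole query stream (the upstream addresses are constructed placeholders, and the `send` callback stands in for the real UDP/DoT transport).

```python
"""Round-robin upstream selection for a local stub resolver (added example).

Each query goes to the next healthy upstream in turn. Note the caveat from
the thread: every upstream still sees the hostnames it is handed in the
clear; rotation only splits the stream, it does not hide it.
"""
from collections import defaultdict
from itertools import cycle


class RoundRobinForwarder:
    def __init__(self, upstreams, max_failures=3):
        if not upstreams:
            raise ValueError("need at least one upstream resolver")
        self._ring = cycle(upstreams)          # rotation order
        self._failures = {u: 0 for u in upstreams}
        self._max_failures = max_failures
        self.seen = defaultdict(set)           # upstream -> hostnames sent to it

    def select(self):
        """Return the next upstream that has not been marked unhealthy."""
        for _ in range(len(self._failures)):
            candidate = next(self._ring)
            if self._failures[candidate] < self._max_failures:
                return candidate
        raise RuntimeError("all upstreams marked unhealthy")

    def report(self, upstream, ok):
        """Reset the failure count on success, bump it on timeout/error."""
        self._failures[upstream] = 0 if ok else self._failures[upstream] + 1

    def forward(self, qname, send):
        """Forward qname via send(upstream, qname) -> bool; returns (upstream, ok)."""
        upstream = self.select()
        self.seen[upstream].add(qname.lower().rstrip("."))
        ok = send(upstream, qname)
        self.report(upstream, ok)
        return upstream, ok


def demo(names, upstreams, send, max_failures=3):
    """Forward a constructed query list and return the chosen upstream per query."""
    fwd = RoundRobinForwarder(upstreams, max_failures)
    return fwd, [fwd.forward(n, send)[0] for n in names]


if __name__ == "__main__":
    # Constructed placeholder upstreams; 10.0.0.2 is simulated as unreachable.
    fwd, chosen = demo([f"h{i}.example" for i in range(9)],
                       ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
                       lambda u, q: u != "10.0.0.2", max_failures=2)
    print(chosen)
    print({u: sorted(s) for u, s in fwd.seen.items()})
```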