
Most end users don't just "run their own recursive resolver-cache". They take whatever DNS server is provided by their ISP.

I'd guess that 99+% of Internet users have no idea how to run their own DNS server, let alone set up DoT.



That's not a good counterargument. Why, you ask? Because that's something that OS vendors could easily and trivially deploy with only minimal effort.

For example, on Linux you could do this by running a localhost instance of unbound and having a DHCP client hook script update unbound's configuration for domain-specific authoritative DNS servers based on the DHCP options for nameserver and domain name.

Just put that as out-of-the-box setup into default Linux distributions' installations: not only does this greatly enhance privacy, it also prevents enterprise information leakage, and every program on the system is going to benefit from it, not just the browser.

DoH is a clusterfuck of stupid. There's not one single redeeming quality about it. Everything positive it promises to do has already been solved in a far better manner by earlier developments. And it comes with the penalty of concentration of failure points.

In the best case scenario it doesn't impair your privacy.

In the worst case scenario, all the DoH resolver operators in the U.S. will get FISA court orders – including a gag order – to install boxes helpfully provided by some three-letter agency that monitor all incoming and outgoing traffic of their resolvers; getting the DNS queries/responses in the clear would be nice, but they don't really need it, for the resolvers provide a nicely observable traffic hub where it's super easy to time-correlate outgoing DNS resolver queries with incoming DoH requests.

And don't even believe that DoH requests would be indistinguishable from "regular" HTTPS traffic! Unless you're running into a DNS record that's been overloaded with everything DNSSEC offers, the bandwidth requirements of DNS are fairly balanced in both directions. Plus, the amount of data transferred via DoH is more or less the net size of the final DNS query and request combined. So either you pad DoH for the worst case scenario size, or you have a pretty well readable side channel.

No matter from which angle you look at it, DoH makes no fucking sense whatsoever. It's just stupid, if not malicious.
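
The localhost-unbound-plus-DHCP-hook setup sketched in this comment, as an added example that is not part of the original thread or of any distribution's packaging: a POSIX sh exit hook in the style of ISC dhclient that writes an unbound `forward-zone:` stanza so that only the DHCP-supplied search domain is forwarded to the DHCP-supplied nameservers, while every other name is resolved by unbound's own recursion. The variable names `$reason`, `$new_domain_name` and `$new_domain_name_servers` are the ones dhclient exports to scripts under `/etc/dhcp/dhclient-exit-hooks.d`; the config directory, the zone file name and the validation rules are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a dhclient-style exit hook that makes a
# localhost unbound forward only the DHCP-supplied domain to the DHCP-supplied
# nameservers, leaving all other names to unbound's own recursion.
# $reason, $new_domain_name, $new_domain_name_servers: exported by ISC dhclient.
# Config directory, file name and validation rules below are assumptions.

UNBOUND_CONF_DIR="${UNBOUND_CONF_DIR:-/etc/unbound/unbound.conf.d}"
ZONE_FILE="$UNBOUND_CONF_DIR/dhcp-forward.conf"

# valid_domain NAME: DHCP options are attacker-controlled on a hostile LAN, so
# accept only plain hostname characters; reject the empty name and the root.
valid_domain() {
    case "$1" in
        ""|.) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# valid_addr ADDR: accept only characters that occur in IPv4/IPv6 literals.
valid_addr() {
    case "$1" in
        "") return 1 ;;
        *[!0-9A-Fa-f:.]*) return 1 ;;
    esac
    return 0
}

# render_forward_zone DOMAIN "NS1 NS2 ...": print an unbound forward-zone
# stanza on stdout, or print nothing and return 1 if the input is unusable.
render_forward_zone() {
    domain="${1%.}"          # unbound wants exactly one trailing dot; normalize
    servers="$2"
    valid_domain "$domain" || return 1
    [ -n "$servers" ] || return 1
    for ns in $servers; do
        valid_addr "$ns" || return 1
    done
    printf 'forward-zone:\n'
    printf '    name: "%s."\n' "$domain"
    for ns in $servers; do
        printf '    forward-addr: %s\n' "$ns"
    done
}

# apply_dhcp_hook REASON: (re)write the zone file on lease events that carry
# options, remove it when the lease goes away, then ask unbound to reload.
apply_dhcp_hook() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT)
            if render_forward_zone "${new_domain_name:-}" \
                    "${new_domain_name_servers:-}" > "$ZONE_FILE.tmp"; then
                mv "$ZONE_FILE.tmp" "$ZONE_FILE"
            else
                rm -f "$ZONE_FILE.tmp" "$ZONE_FILE"   # nothing usable: forward nothing
            fi
            ;;
        EXPIRE|FAIL|RELEASE|STOP)
            rm -f "$ZONE_FILE"
            ;;
        *)
            return 0
            ;;
    esac
    # Assumes unbound.conf carries `include: "/etc/unbound/unbound.conf.d/*.conf"`
    # and has remote-control enabled. Check the config first so a bad file can
    # never take the resolver down on reload.
    if command -v unbound-control >/dev/null 2>&1 && unbound-checkconf >/dev/null 2>&1; then
        unbound-control reload >/dev/null 2>&1 || :
    fi
}

# dhclient runs this file with $reason set; sourced elsewhere it only defines functions.
if [ -n "${reason:-}" ]; then
    apply_dhcp_hook "$reason"
fi
```

Two design points worth noting. The hook validates the DHCP data before writing it into resolver configuration, because on an untrusted network the DHCP server is an attacker's input channel; the validation here is deliberately character-level and does not stop a rogue DHCP server from handing out a very broad domain such as a public TLD, so a distribution shipping this would want a policy on which domains may be forwarded at all. And the forward zone is scoped to the one domain DHCP announced, which is what keeps the enterprise-leakage property the comment describes: queries for the corporate domain go to the corporate servers, everything else is resolved recursively from the root without passing through the ISP's resolver.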


I like how someone on HN tells you that ordinary users have no idea how to set up their own DNS servers and you respond with how Linux users can set up unbound. Like, well argued!

There is also something poetic about how the people that know how and are inclined to set up their own unbound servers on their laptops are getting worse security than everyone else. That sparks joy for me.


> you respond with how Linux users can set up unbound. Like, well argued!

I did write that DISTRIBUTIONS should set this up by default, not the users.

And Microsoft could do the same for Windows, as could Apple (with almost zero effort) for MacOS-X.


>For example on Linux you could do this with running a localhost instance of unbound

Not seeing _distributions_ there


Look again. Topmost paragraph. I'll quote myself:

>> Because that's something that OS vendors could easily and trivially deploy with only minimal effort.

"OS vendors" aka "distribution creators"

And then in the 3rd paragraph, I wrote (sic!):

>> Just put that as out-of-the-box setup into default Linux distributions' installation:





