To expand, I think the big issue was any time you searched your launch menu for your own machine's applications and files, the query was also sent to Amazon.
From the article, it sounds like it's that upstream systemd uses Google Public DNS as a default (if you don't configure a server or get one in your DHCP lease) and Firefox uses Cloudflare's DNS-over-HTTPS, which would allow those companies to see all your DNS queries.
    option('dns-servers', type : 'string',
           description : 'space-separated list of default DNS servers',
           value : '1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4 2606:4700:4700::1111 2001:4860:4860::8888 2606:4700:4700::1001 2001:4860:4860::8844')
    option('ntp-servers', type : 'string',
           description : 'space-separated list of default NTP servers',
           value : 'time1.google.com time2.google.com time3.google.com time4.google.com')
Seems like Cloudflare primary then Google primary (followed by the secondary records in the same order) is the preferred default order for both IPv4 and IPv6.
I think the objection is the type of company that sees your requests.
Traditionally, it's your ISP who gets to see your and all their users' DNS lookups.
But now it's Google (on top of your ISP) and Cloudflare (on top of your ISP with 1.1.1.1, and instead of your ISP for DNS-over-HTTPS), and the claim is that they are going to misuse the data (well, it's pretty much a fact for Google).
I am generally not in favour of any siloing and centralisation of that scale, but if you want private DNS, your options are quite limited.
I also wonder if it'd make sense to bundle a simple DNS-over-Tor service, or would that be easy to track? I'd run it on my OpenWrt router.
You might not consider that "quite limited", but that is likely because of a different interpretation of "private DNS".
Private communication is something that only the two (or more) parties communicating are privy to.
With HTTPS, the risk is reduced to CA compromise. With DoH, the risk is the company running the service on top of the CA compromise.
The parties communicating are the root/TLD name servers and me. Private DNS is DNS where nobody sees any of my DNS traffic, except for the root resolvers (which thus become the target of potential privacy breach).
Any intermediary means that they can see your data, but if they are centralized in only a few places, it's a bit beside the point. But then again, if they are so small that only a handful of people use them, your traffic will be simple to filter out.
Finally, how do I set up my system to use any of these half-solutions for all DNS requests today?
I'd still prefer a DNS-over-Tor solution if anyone came up with it.
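On the "how do I set this up today" question, an added example that is not from any poster in the thread: a small POSIX shell audit of /etc/systemd/resolved.conf that reports whether the compiled-in Cloudflare/Google fallback list quoted above is still reachable and whether resolved will use DNS-over-TLS. It assumes the resolved.conf(5) semantics that an unset FallbackDNS= keeps the compiled-in list while "FallbackDNS=" with an empty value disables it, and the two config files it checks are constructed inline (192.0.2.53 / dns.example.net are placeholders, not a real resolver).

```shell
#!/bin/sh
# Added example, not from any poster: audit a resolved.conf for the two settings
# that decide whether the compiled-in Cloudflare/Google fallback list quoted in
# the thread is ever consulted, and whether lookups are sent over TLS.
# Assumed semantics (check resolved.conf(5) for your version): FallbackDNS= left
# unset keeps the compiled-in list; "FallbackDNS=" with an empty value disables it.

# resolve_key KEY FILE: effective value of KEY in the [Resolve] section.
# Prints "unset" (absent or commented out), "empty" (set to nothing), or the value.
# Later assignments override earlier ones, as in systemd's own parser.
resolve_key() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }                      # drop leading indentation
        /^[#;]/ || /^$/ { next }                    # comments and blank lines
        /^\[/ { in_resolve = ($0 == "[Resolve]"); next }
        in_resolve && index($0, key "=") == 1 {
            value = substr($0, length(key) + 2)     # text after "KEY="
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            found = 1
        }
        END { if (!found) print "unset"; else if (value == "") print "empty"; else print value }
    ' "$2"
}

# audit_resolved FILE: one-line verdict, e.g. "builtin-fallback plaintext".
audit_resolved() {
    case "$(resolve_key FallbackDNS "$1")" in
        unset) fb="builtin-fallback" ;;     # 1.1.1.1 / 8.8.8.8 list still reachable
        empty) fb="fallback-disabled" ;;
        *)     fb="custom-fallback" ;;
    esac
    case "$(resolve_key DNSOverTLS "$1")" in
        yes)           tls="dot-strict" ;;
        opportunistic) tls="dot-opportunistic" ;;
        *)             tls="plaintext" ;;
    esac
    echo "$fb $tls"
}

# Two constructed configs: the stock file (everything commented out) and a
# hardened one pointing at a placeholder DoT resolver (192.0.2.53 is a
# documentation address, not a real service).
TMP=$(mktemp -d)
printf '[Resolve]\n#DNS=\n#FallbackDNS=\n#DNSOverTLS=no\n' > "$TMP/default.conf"
printf '[Resolve]\nDNS=192.0.2.53#dns.example.net\nFallbackDNS=\nDNSOverTLS=yes\n' > "$TMP/hardened.conf"

for f in default hardened; do
    printf '%s: %s\n' "$f" "$(audit_resolved "$TMP/$f.conf")"
done
```

Run it against the real file with `audit_resolved /etc/systemd/resolved.conf`; a "builtin-fallback" verdict means the compiled-in list is what resolved falls back to whenever no DNS server is configured or offered by DHCP.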