undefined

points

by aetherspawn6 hours ago |

comments

by layer86 hours ago|

[-]

That’s no good if you want uncensored DNS.

by 1970-01-016 hours ago|

parent|

[-]

Absolutely this. Parent advice is terrible for the reality of the problem. Shortest path does not equal fastest web page load, especially when you're filtering 99% of the crap from even resolving on your network. 0.0.0.0 is always faster than your ISP fetching extra garbage.

by krick1 hours ago|

prev|

[-]

Are these even real countries at this point? Also, it's not even about privacy, AFAIK pretty much any country will try to protect you from accessing something they don't like you to access, and in most cases it's some half-assed attempt to do so, like your ISP's default DNS directing you to some warning page instead of actually opening the website you were going to open. So changing your ISPs DNS to something like 8.8.8.8, while it doesn't necessarily increase privacy, is the first major step to improve your browsing experience.

by marginalia_nu5 hours ago|

prev|

[-]

Changing your DNS does basically bupkis for privacy, since they can still read your DNS queries and SNIs.

by tredre336 minutes ago|

parent|

[-]

If I set my DNS provider to use DoH or DoT, my ISP will no longer see my DNS requests. I'm confident that my ISP doesn't do DPI at scale to extract SNI, so the lack of ECH doesn't break the entirety of the privacy benefit.

The fact that they could perform DPI doesn't change the reality that most ISPs probably aren't doing it, unless mandated by law, because it's expensive and in my main country of residence they can't sell that data to offset the cost.

I'm surprised to see such lack of nuance coming from you.

by amiga3865 hours ago|

parent|

prev|

[-]

It doesn't fix privacy but it does work around censorship. Has a court or the government ordered your ISP to usurp its enemies' DNS records? If so, you need to talk to a different resolver, not constrained by your government or courts.

by KomoD3 hours ago|

parent|

[-]

> but it does work around censorship

* for the countries/ISPs that don't also hijack all DNS

https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...

by llm_nerd1 hours ago|

parent|

prev|

[-]

There are gaps depending upon the client configuration, but "bupkis" is simply wrong or horribly obsolete.

Encrypted DNS isn't an "any day now", basically every platform and browser and provider supports it, and 100% of my household's DNS requests are opaque to anyone watching the wire. And basically every system like Cloudflare supports ECH, so SNI isn't a thing for the vast majority of sites.

by miniBill5 hours ago|

parent|

prev|

[-]

DoH and ECH fix that

by marginalia_nu5 hours ago|

parent|

[-]

Any moment now...

by 38 minutes ago|

parent|

[-]

deleted

by 5 hours ago|

parent|

prev|

[-]

deleted

by richardlblair4 hours ago|

prev|

[-]

> Thank you for your attention to this matter.

Had me in stiches

by 6 hours ago|

prev|

[-]

deleted

by vimda3 hours ago|

prev|

[-]

Cloudflare famously does anycast so the DNS answer you get is the same no matter where you're coming from. Your numbers there can't be attributable to DNS. On the contrary, Cloudflare can short circuit the recursive lookup for any of their properties, providing potential speedups at the resolution stage, and can use eDNS client subnet to route based on where you are if necessary

by ratorx1 hours ago|

parent|

[-]

Anycast DNS doesn’t mean what you think it means.

Your DNS traffic to Cloudflare is routed via anycast. If Cloudflare is sending this DNS query (eg to an authoritative DNS server), the IP address it uses for this is not going to be the anycast one. These IPs are geolocatable and Cloudflare even publishes feeds of their approximate location. The response you get will be geolocated based on the IP that Cloudflare is using to send traffic to the authoritative.

Cloudflare explicitly does not use ECS (the edns extension to provide client subnets to authoritatives): https://developers.cloudflare.com/1.1.1.1/faq/#does-1111-sen...