
On 7/17/2025 4:58 PM, Jay Acuna via NANOG wrote:
> When using 1.1.1.1 with your browser: requests and responses can be exchanged using DNS over HTTPS; which means that a passive eavesdropper, such as your own Internet service provider with their DNS monetization program, cannot capture and log your queries for resale to data brokers. You are reducing the number of parties you have to entrust with the privacy of DNS queries you make and their answers.
This is just like the HTTPS-everywhere nonsense for websites. It's just making the surveillance data that Cloudflare collects more valuable because only they can collect it and not the ISPs along the way, due to this encryption. Do you guys remember when we had SSL accelerator cards in servers? Now we waste that kind of energy on every web request to lie to users and tell them that it's end-to-end encrypted (is Cloudflare's spy proxy the end?). The public DNS services are clearly not good for privacy, and neither is pretending to encrypt website traffic, giving users a false sense of security while all of their sensitive information is visible in plain text at CF. They are literally doing a MITM attack, and they can even generate certs that don't warn in browsers, showing how worthless that system is for users (but great for those selling certs). Do you trust those people with all your DNS queries and browsing history? At least you still have the choice to not use their resolver, but no way to opt out of the HTTPS-breaking proxy services (and CAPTCHAs) if the website operator implemented it. It's not a good situation for freedom and privacy, and the DNS resolvers are just the tip of the iceberg here.
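The two messages above disagree about who gets to read a DNS query, so it helps to look at what is actually on the wire in each case. The following is an added example, not code posted by either participant or by Cloudflare: it builds a plain RFC 1035 query for a name (here the constructed name example.com), shows that the query name sits in cleartext in a UDP/53 payload where any on-path capture can match it, then wraps the identical message in the RFC 8484 DoH GET form (base64url, no padding, DNS ID set to 0 as the RFC recommends for cache friendliness). The passive observer only sees a TLS connection to the resolver, but the resolver decodes the parameter and recovers exactly the same bytes and the same name. That is the quoted claim (the ISP on the path cannot read it) and the reply's objection (the resolver operator sees everything) demonstrated on one message.

```python
import base64
import struct


def encode_labels(qname: str) -> bytes:
    """Encode a domain name as RFC 1035 length-prefixed labels, no terminator."""
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query message (header + one question), RD bit set.

    txid defaults to 0: RFC 8484 section 4.1 asks DoH clients to use ID 0 so
    identical queries produce identical HTTP request URIs and can be cached.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_labels(qname) + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def parse_qname(msg: bytes) -> str:
    """Read the question name out of a query we built (no compression pointers)."""
    pos = 12  # skip the 12-byte header
    labels = []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def observer_sees_qname(udp_payload: bytes, qname: str) -> bool:
    """A passive on-path observer with a packet capture of classic UDP/53 DNS:
    the encoded labels appear verbatim in the payload, so a byte match finds them."""
    return encode_labels(qname) in udp_payload


def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: the DNS message base64url-encoded with padding removed,
    sent as the `dns` query parameter. This string travels inside TLS, so the
    on-path observer sees only the TLS session to the resolver, not this path."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + b64


def resolver_decodes(path: str) -> bytes:
    """What the DoH resolver does after terminating TLS: re-pad and decode the
    parameter, getting back the original DNS message byte for byte."""
    param = path.split("dns=", 1)[1]
    param += "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param)


if __name__ == "__main__":
    name = "example.com"  # constructed sample name
    q = build_query(name)
    print("Do53: on-path observer can match the name:", observer_sees_qname(q, name))
    path = doh_get_path(q)
    print("DoH request path (inside TLS):", path)
    recovered = resolver_decodes(path)
    print("resolver recovers identical message:", recovered == q)
    print("resolver reads the name:", parse_qname(recovered))
```

The same message is readable to the ISP over UDP/53 and readable to the resolver over DoH; the encryption only changes which of the two parties is in a position to log it, which is the whole disagreement in the thread.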