
On Thu, 17 Jul 2025 at 12:37, Laszlo H via NANOG <nanog@lists.nanog.org> wrote:

> On 7/17/2025 4:58 PM, Jay Acuna via NANOG wrote:
>
> > When using 1.1.1.1 with your browser: requests and responses can be exchanged using DNS over HTTPS; which means that a passive eavesdropper, such as your own Internet service provider with their DNS monetization program, cannot capture and log your queries for resale to data brokers. You are reducing the number of parties you have to entrust with the privacy of DNS queries you make and their answers.
>
> This is just like the HTTPS-everywhere nonsense for websites. It's just making the surveillance data that Cloudflare collects more valuable because only they can collect it and not the ISPs along the way, due to this encryption. Do you guys remember when we had SSL accelerator cards in servers? Now we waste that kind of energy on every web request to lie to users and tell them that it's end-to-end encrypted (is Cloudflare's spy proxy the end?).
I completely agree, and the worst part is that it also:

1. prohibits older devices from still being useful for reading purposes and general information access; for example, with TLSv1.0, you can still Google Search on an older device, and shop on Amazon, but Wikipedia will not let you access the "free" information, because reasons™;
2. prohibits proxying and caching of public resources that don't even change all that frequently.

Both of these widen the digital divide, since it's those less fortunate who would be most affected. But, of course, blocking HTTP access and deprecating TLSv1.0 on Wikipedia are done with the best of intentions, as always!

For people who run their own home or corporate networks, the prevalence of HTTPS also limits their ability to detect threats, do security research, and ensure no funny traffic is exchanged; ad-blocking on a network level at home would also be more effective without HTTPS being in the way; but, of course, the HTTPS proponents describe all of these "bugs" as "features", never mind the extra impact of having to run ad blockers on every device, wasting more resources and shortening the planned obsolescence cycles, plus the ever-changing APIs of the browsers that make it more and more difficult to effectively block all of these resource hogs that hide within HTTPS.
The public DNS services are clearly not good for privacy, and neither is pretending to encrypt website traffic, giving users a false sense of security while all of their sensitive information is visible in plain text at CF. They are literally doing a MITM attack and they can even generate certs that don't warn in browsers, showing how worthless that system is for users (but great for those selling certs). Do you trust those people with all your DNS queries and browsing history? At least you still have the choice to not use their resolver, but no way to opt out of the HTTPS-breaking proxy services (and CAPTCHAs) if the website operator implemented it. It's not a good situation for freedom and privacy, and the DNS resolvers are just the tip of the iceberg here.
I'm interested in fighting back. One way to fight back is ensuring your non-commercial websites do NOT support HTTPS. If somehow you do support HTTPS, ensure you do NOT support HSTS, and also do NOT redirect from HTTP to HTTPS. Another way to fight back may be to implement DNS delays specifically for Cloudflare's 1.1.1.1, since Cloudflare is well known for wasting our time as users with the mandatory ad-viewing of their captcha pages on so many different web properties all across. Does anyone know of any dual-horizon "delay" patches for NSD to target Cloudflare's resolver? The person running archive.today used to expressly limit 1.1.1.1's access to their DNS in its entirety because of these known issues with Cloudflare:

* https://news.ycombinator.com/item?id=21155056

Cheers,
Constantine.
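An added example, not from any of the posters, of what the DNS-over-HTTPS exchange described in the quoted paragraph actually carries: the Python standard library builds the DNS query, encodes it as an RFC 8484 GET URL for Cloudflare's published 1.1.1.1 endpoint, and parses the A record out of a constructed (not captured) wire-format response. An on-path observer such as the ISP sees only a TLS connection to 1.1.1.1; the URL, the query and the answer all travel inside it.

```python
import base64
import struct
DOH_ENDPOINT = "https://1.1.1.1/dns-query"   # Cloudflare's published DoH endpoint

def build_dns_query(name, qtype=1, txid=0):
    # RFC 1035 header (flags 0x0100 = RD; RFC 8484 suggests ID 0 for cacheability) + one IN question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    # RFC 8484 GET form: base64url of the wire-format query, padding stripped, in ?dns=
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def _read_name(msg, off):
    # Decode a possibly compressed name (RFC 1035 section 4.1.4); return (name, next offset).
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:                               # root label terminates the name
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(msg):
    # Return (owner, ttl, dotted IPv4) for every A record in the answer section.
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                     # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4        # name + QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records

# Constructed response (not captured from 1.1.1.1): NOERROR, QR|RD|RA, one A record -> 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

The same wire bytes can instead be sent as the body of a POST with Content-Type application/dns-message; either way the resolver, not the network path, is the party that sees the query.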