Cloudflare DNS has DoH, but it’s Cloudflare so… ew. Is there one that is more privacy respecting and also has DNS over HTTPS?

  • kevincox
    link
    fedilink
    arrow-up
    2
    arrow-down
    3
    ·
    edit-2
    4 years ago

    This is controversial because they are “big bad” companies. But in some cases I think that is a plus because they have some responsibility to do as they say.

    1. Use a resolver that is a part of Mozilla’s Trusted Recursive Resolver Program. Mozilla makes them agree to a solid privacy policy: https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers
    2. Google DNS. Obviously controversial but their privacy policy is very good. They keep “full” logs for at most 48 hours and only for debugging purposes.

    The major concern for all of these is that they are allowed the keep anonymized logs forever. This means that if the hostname itself it sensitive then it can be recorded forever. (For example if you have “secret” subdomains).

    The other option is running your own recursive resolver, this mostly nullifies the private subdomain issue as only the authoritative server will see it (other than network snoopers) however this has very real downsides.

    1. It exposes your IP address to many authoritative servers with no guarantees about the logs they keep.
    2. It can be slow as there is no shared cache.
    3. Requests from your resolver to the internet are not encrypted.

    Disclaimer: I used to work at Google (but not on Google Public DNS) and have no affiliation with other named or referenced companies.

      • kevincox
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        4 years ago

        Just because it is not the advice that is expected does not make it bad advice. Obviously these names have some questionable behaviours but in this case they often have separate privacy policies for their DNS services (or the Mozilla endpoint for their DNS services) which makes it much better than the other Google products which are lumped behind a single privacy policy which isn’t very privacy friendly.

        Unfortunately it is impossible to know for sure they are complying with the privacy policy, but this applies to all providers, no matter how large or what businesses they have other than providing DNS. So while you shouldn’t blindly follow some random post on the internet you should may give these providers a second look-over and consider that these large companies have some privacy benefits if their privacy policy is accurate.

        • southerntofu
          link
          fedilink
          arrow-up
          3
          ·
          4 years ago

          Hello, i’m sorry you had to personally be downvoted for Google’s misbehavior. I may have disagreements with your (past?) ethics/politics (i genuinely hope you can sleep at night after working for Google/Instacart) but i checked out your blog and there’s some cool stuff on there so i’m taking a minute to answer :)

          Unfortunately it is impossible to know for sure they are complying with the privacy policy, but this applies to all providers

          That is precisely why we should evaluate the trust we place in a given actor who provides us with services. In the case of Google, i give it exactly 0/20. But to be honest, it’s not just Google, any for-profit entity gets 0/20 because our interests are fundamentally opposed: making money to survive in this capitalist hell is something we all have to do (and we all get our hands dirty to some extent, i’m not here to judge), but making money as a collective goal is guaranteed to have bad outcomes for everyone (except the shareholders, because these vampires always find a way to survive).

          When money is made in a non-profit settings with equal pay for everyone and full transparency on goals and funds, then the interests of the association/cooperative don’t have to be opposed to ours as end-users. I’d rather donate for services from a non-profit who’ll still be around for at least a decade (like Framasoft) than place my trust blindly in a commercial actor who’s part of the system ruining everyone’s lives and destroying the environment, and i think the same goes for a lot of people here.

          Google is pretty much part of the military industrial complex by now, and has been acting against the interest of users/humanity for well over a decade. They’re also collaborating with governments and copyright holders across the globe to take down content and imprison people (i’m NOT talking about child pornography here). Also, the centralized model of Internet and surveillance they promote is directly responsible for ecological damage: Internet without trackers wouldn’t require so much resources both client and server side.

          Google do not deserve a new chance, ever again. All that’s left to do with Google (or any private company for that matter) is to burn it down in opposition (as people in Berlin’s Kreuzberg neighborhood have done) and/or walkout (as Google employees themselves have done). We’re better off building alternatives on our own, and you’re welcome to help! :)

          Feel free to check out libreho.st, chatons.org and tildeverse.org for example lists of non-profit service providers who may need help developing/integration/deploying services. Take care

          • southerntofu
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            4 years ago

            He was making a good point. Huge multinationals often have departments with wildly different behaviors/policies. These departments are often in conflict with one another, or don’t know so much about one another. I agree with you trusting anything remotely associated to Google is utterly stupid when it comes to privacy, but the argument exposed was not stupid.

            It was in fact solid insider’s advice, to know to exploit differences between branches of a given tentacular company in some circumstances. For example, Debian’s cooperation with Lenovo for better hardware support is in fact a collaboration with a specific department within Lenovo, and has a lot of blocking points from other departments.

            EDIT: Also another good point was that selfhosting services (eg. services just for “me”) often leaks more metadata than using shared services which other folks connect to as well.

              • southerntofu
                link
                fedilink
                arrow-up
                1
                ·
                4 years ago

                I can tell there is more than just a world domination goal

                You do sound slightly conspirational and delusional. Of course people are gonna fuck up other people, because that’s precisely what capitalism is about, and we’re conditioned from a very young age to feed into this narrative.

                However, a lot of people try to avoid such dynamic, even in big evil corporations. Spitting on the face of these precise people is not gonna help anyone :)