
The points here aren't technically wrong, but it still feels like disabling DoH would be a reduction in security. For example:

> Cloudflare gets all your DNS queries.

That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.

> Complexity is the enemy of security.

That's true, but that's no reason to go from an imperfect solution to a nonsolution.

> there is DNS over TLS

That doesn't solve most of the issues that the author brought up.

> How does a modern company in the IT business earn money? By selling data.

Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.



My ISP is bound by robust privacy, telecommunications interception and other legislation.

Cloudflare, on the other hand, is based in a foreign jurisdiction that offers none of these protections.


> My ISP is bound by robust privacy, telecommunications interception and other legislation.

It really depends on which jurisdiction you are in, unfortunately. US ISPs are selling everything they can hoover up (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).


So is Cloudflare, which is a US ISP....


Cloudflare is not an ISP. They have other services they sell. Maybe they're selling your data, maybe not. I honestly have not read their agreements and terms, but it's not nearly as obvious that you're the product as with something like Google.


Using the definition of "do they provide IP transit to anyone", yes, they offer services which do this, Tunnels is one, there may be others, but this would mean they are technically and legally classified as a service provider (and hence also enjoy Section 230 protection) in that case.

Some may also consider reverse proxying/caching to be providing transit service, but I'm not sure if the majority of people would agree on that.


So this company based in the US which provides internet services is not an internet service provider.

Given that they are funded and run by the same forces American parasitical capitalism provides, I would trust them as much as I'd trust Google or Alphabet.

I'll continue to route my DNS to Quad9 over Mullvad over my specifically chosen ISP, and everything on my network does that, as I can easily intercept and redirect udp/53.

The weak point is treacherous devices which use DoH, which is a constant fight to block.


They provide network services on the internet, but unless I'm missing some product they don't list on their website, they do not provide actual basic IP internet connectivity for businesses; everything they sell is some service on top of your existing ISP services.


That's just one category of stuff that ISPs do. In the context of "who do I pay to get Internet at home", Cloudflare is not an option, but in the context of the internet itself they are one. Hetzner, for example, is an ISP that mainly provides server hosting. There are companies that only provide Internet service at data centers too.


And Google doesn't provide actual basic IP internet connectivity for businesses. They are still an American company that provides internet services and uses and sells your data.

Why would Cloudflare, built from the same corporate background, be any more trustworthy?


Why not run your own recursive resolver? It's very easy to set up - worried about leaking your IP address to authoritative DNS servers?


And until TLS is made secure they'll continue to rape privacy by scraping your https traffic.


The most important part of DoH, etc. is that it allows you to make a choice. You can choose a vendor in your country. As a Canadian, I might want to use the service offered by my national TLD operator: https://www.cira.ca/en/canadian-shield/configure/firefox/

Many ISPs explicitly sell DNS data, and are also advertising vendors.

Cloudflare, on the other hand, doesn’t share or sell data and retains minimal data: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...


> The most important part of DoH, etc. is that it allows you to make a choice.

So does UDP-based DNS, and TLS-based DNS. It's all the same in that regard.


With insecure DNS, the choice isn't meaningful since your ISP will see all of the data no matter which DNS server you pick to use. And those kinds of ISPs will probably block DoT because they want to keep seeing it all, but they can't block DoH.


I put my DNS service on a non-standard port. I'm the only one using it, so standards be damned. Windows doesn't allow setting a nonstandard port for DNS, but pretty much everything else does.

Do ISPs do deep packet inspection to get lookup data? Maybe, but it increases the cost of doing so and makes the business aspect of it less viable. Perhaps a minor win.


Yes, ISPs absolutely do deep packet inspection.

With cleartext DNS, your queries may never reach your chosen server. Plenty of ISPs are configured to just answer any DNS query, regardless of its destination. Using a nonstandard port might help, but you'd be much better off deploying one of the DoH / DoT / DoQ / etc. secure protocols.


In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.

* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.


> In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

Big CDNs and ECH make that impossible.


Does it, really? Have you seen Wireshark output lately? (The GUI can be configured to do reverse lookups on all IP addresses.)

If I check up right now, from the top 10 links on HN right now, it is trivial to distinguish the top-level domain from just the IPv4 or IPv6 address. Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com. I don't even need to go into packet size heuristics, or the myriad of ad networks, etc.

Sure, there are some instances where you will share the IP of the CDN. This has been seen recently, e.g. in the recent article on the "LaLiga" blocks in Spain. But bigger sites cannot afford for this to happen, and even smaller sites tend to have at least one paid IP address for mail (reputation is a bitch, and Cloudflare doesn't have any).


> If I check up right now, from the top 10 links on HN right now, it is trivial to distinguish the top-level domain from just the IPv4 or IPv6 address.

Two of the top 10 links in HN right now (https://news.ycombinator.com/item?id=44215603 and https://news.ycombinator.com/item?id=44212446) are to different subdomains of github.io that resolve to the exact same IP addresses, so reverse DNS doesn't tell you which one is being visited.

And you can't even tell the TLD, because the TLD is "io", but the reverse lookup on the IPs will give you a TLD ending in "com".

> Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com.

That's because HN isn't behind the kind of CDN I'm talking about. But a lot are. Is your argument "since your ISP can see some of the sites you're going to, we should remove all protections and let them see all sites you're going to?"


I said top-level domain. Anyway, do you have a better estimate, for the types of sites people here would visit? If HN itself isn't an example, then GitHub subdomains definitely ain't (not even close to the traffic of the main domain).


> I said top-level domain.

"io" and "com" are top-level domains, and in the example I gave, you can't even distinguish between them.


Well, I appreciate the correction: I meant second level (or whatever is most distinguishing for that TLD). However, even if what you say is true, you really cannot disprove my claim with one nitpick; you need to talk majorities. (And, in case it needs to be said: I really don't think the issue here is distinguishing activity to github.io vs github.com.)


Okay, how about this then. Here are some of the IP addresses of posts on the HN front page right now:

  104.21.3.245
  104.21.68.247
  104.21.80.31
  104.21.95.131
  104.21.112.1
  104.26.4.133
None of them have reverse DNS records. Can you tell which is which?


So you take literally the worst possible set of IPs (all of them Cloudflare), IPv4 only, and yet Copilot (!) is easily able to reverse 50% of them:

  104.21.3.245 -- trebaol.com
  104.21.80.31 -- diwank.space
  104.26.4.133 -- daringfireball.net 
  104.21.112.1 -- simonwillison.net , taras.glek.net
This was literally the worst example you could possibly do. I hope you kept which one was which, I'd like to know if Copilot was right.

In the meantime, from the current top #30 articles on HN (also via a Copilot script, but I removed non-Cloudflare IPs):

  ycombinator.com -- no CDN
  letsbend.de -- no CDN
  grepular.com -- no CDN
  xania.org -- cloudfront
  github.io -- no common CDN
  owlposting.com -- AWS, but IPv4 remained static
  netfort.gr.jp -- no CDN
  simonwillison.net -- cloudflare, 104.21.112.1 fixed
  folklore.org -- azure, 13.107.246.1-255 range
  danq.me -- no CDN
  nature.com -- fastly, IPv4 remained static
  daringfireball.net -- cloudflare, 104.26.4.133
  ssp.sh -- no CDN
  trebaol.com -- cloudflare, 104.21.3.245
  glek.net -- cloudflare, 104.21.112.1
  gov.uk -- AWS, but IPV4 remained static
  phys.org -- no CDN
  diwank.space -- cloudflare, 104.21.80.31 
  free.fr -- no CDN   (my French ISP, btw)
  ericgardner.info -- AWS, but IPv4 remained static
  ghuntley.com -- fastly, IPv4 remained static
  paavo.com -- no CDN
  railway.com -- cloudflare, 104.18.24.53
  alloc.dev -- cloudflare , 188.114.96.2
Look at how many of them are self-hosted, have zero CDN, or otherwise always return me the same IP (even when I try from 3 different ISPs), which makes them trivial to reverse address. This is already a pretty huge success rate, and all my context is that you browsed HN first (which I know, see first result on the list). Now imagine the tools an ISP will have at its disposal:

- IPv6

- Its Geo region will actually match yours

- Routing tables

- The patience to also include resources fetched from these pages in the analysis (i.e. page X always gets its JS from Y domain which results in a constant Z KB transfer).

- The rest of your browsing activity

- The rest of everyone's browsing activity including most popular _current_ hosts for each hostname.

Do you still claim that it is "impossible" to track your activity because of CDNs? I still bet you your ISP can do it with _100%_ accuracy.
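The exchange above is a privacy assessment done by hand: given only destination IP addresses, how many visited sites can an on-path observer name? The script below is an added example (not code from any commenter) that carries out the same assessment offline, so a defender can quantify what address metadata leaks and what shared CDN fronting hides. The PTR table, the forward-resolution table and the flow log are constructed for this example; the IP/hostname pairs reuse values quoted in the thread, while the 192.0.2.x and 198.51.100.x addresses are TEST-NET placeholders standing in for addresses the thread does not give.

```python
"""Estimate what an on-path observer can infer about visited sites from
destination IP addresses alone, i.e. without seeing any DNS traffic.

Added example for the thread above, not code from any commenter. All
tables below are constructed; real-looking hostnames are those quoted in
the thread, 192.0.2.x / 198.51.100.x addresses are TEST-NET placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed: PTR (reverse DNS) records the observer can look up.
# Self-hosted sites tend to have one; shared CDN addresses usually do not.
PTR_TABLE = {
    "192.0.2.1": "news.ycombinator.com",  # placeholder address, constructed
    "192.0.2.20": "letsbend.de",          # placeholder address, constructed
}

# Constructed: forward resolutions of the candidate sites the observer
# bothers to check (the thread's "top 30" idea). A shared CDN address
# maps to several hostnames, which is exactly what makes it ambiguous.
FORWARD_TABLE = {
    "trebaol.com": ["104.21.3.245"],
    "diwank.space": ["104.21.80.31"],
    "daringfireball.net": ["104.26.4.133"],
    "simonwillison.net": ["104.21.112.1"],
    "taras.glek.net": ["104.21.112.1"],
    "alice.github.io": ["192.0.2.10"],    # constructed subdomains sharing one IP
    "bob.github.io": ["192.0.2.10"],
    "news.ycombinator.com": ["192.0.2.1"],
}


def invert(forward):
    """Build IP -> {hostnames} from a hostname -> [IPs] table."""
    ip_to_hosts = defaultdict(set)
    for host, ips in forward.items():
        for ip in ips:
            ip_to_hosts[ip].add(host)
    return ip_to_hosts


def candidates(ip, ip_to_hosts, ptr_table):
    """Hostnames consistent with a flow to `ip`: forward matches plus PTR."""
    hosts = set(ip_to_hosts.get(ip, set()))
    ptr = ptr_table.get(ip)
    if ptr:
        hosts.add(ptr)
    return hosts


def classify(hosts):
    """One candidate means the site is named; several means a shared address."""
    if not hosts:
        return "unknown"
    if len(hosts) == 1:
        return "identified"
    return "ambiguous"


def assess(flows, forward=FORWARD_TABLE, ptr_table=PTR_TABLE):
    """Classify each destination address; return per-flow rows and a tally."""
    ip_to_hosts = invert(forward)
    rows = []
    tally = {"identified": 0, "ambiguous": 0, "unknown": 0}
    for dst in flows:
        ip_address(dst)  # reject malformed input early
        hosts = candidates(dst, ip_to_hosts, ptr_table)
        verdict = classify(hosts)
        tally[verdict] += 1
        rows.append((dst, verdict, sorted(hosts)))
    return rows, tally


# Constructed flow log: destination addresses from one browsing session.
SAMPLE_FLOWS = [
    "192.0.2.1",      # HN front page (PTR and forward agree)
    "104.21.3.245",   # trebaol.com, single-tenant CDN address
    "104.21.112.1",   # simonwillison.net or taras.glek.net? shared address
    "192.0.2.10",     # one of the github.io sites, shared address
    "192.0.2.20",     # letsbend.de, known only via PTR
    "198.51.100.77",  # constructed: in no table at all
]

if __name__ == "__main__":
    rows, tally = assess(SAMPLE_FLOWS)
    for dst, verdict, hosts in rows:
        print(f"{dst:>15}  {verdict:<10}  {', '.join(hosts) or '-'}")
    print(tally)
```

The tally is the number that matters for the argument in the thread: every "identified" row is a site the observer names with no DNS at all, and only the "ambiguous" rows are where ECH behind a shared CDN address buys anything. Swapping in a larger candidate list, or adding the transfer-size and co-fetched-resource heuristics the comment lists, only moves rows from ambiguous to identified.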


They're not all running single IP ECH yet. I was just making the point that it's not as trivial as a reverse DNS lookup, as you said it was.


It took me the whole of one Copilot conversation to do the entire thing. Most of the top #30 results are in fact one reverse DNS away. The rest is not much more complicated.

They're never going to be "1 IP ECH". That would be the end of the Internet as we know it.

If it ever happens that the majority of the WWW is 1 CDN, we have a bigger privacy problem than DNS. Much bigger.


> IP traffic metadata such as addresses and packet sizes.

Even if you use a VPN?


That just shifts the trust from your ISP to your VPN provider. Moreover, if you're already using a VPN, your DoH requests to Cloudflare are already anonymized.


If you are using WireGuard between endpoints your traffic is opaque, but yeah, if/where it exits it becomes (depending on the encapsulated protocol) visible.


Change it to Mullvad like I did then?


ISPs regularly capture NXDOMAIN.

They know your government id when you subscribe to their service.

Cloudflare, OTOH, never has your identity. They only have the metadata.


> That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.

Based on what?


> Based on what?

The bar is real low, mostly for the fact that ISPs are mandated by law in most if not all countries to track traffic flowing through their pipes.

Cloudflare provides relatively better privacy guarantees for the public DNS resolvers it runs: https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...


CF is certainly less trustworthy than my ISP, which is Shibboleth compliant. Or my VPN provider.

CF issues are dealt with “hope to get a post on HN trending”.


In the UK you can typically pick from a dozen ISPs, some of which are more trustworthy.


All of which have infrastructure already in place to hand over all DNS queries if requested by HMG.


And you don't believe that Cloudflare has a similar infrastructure in place? :-(


Cloudflare specifically has infrastructure to prevent that: https://developers.cloudflare.com/1.1.1.1/encryption/oblivio.... It requires some additional setup, but for example if you're on an Apple device using Private Relay, you are using it.

Your next argument might be "but how do you know the server is really using ODNS?" You don't. If your security threat profile doesn't allow for this, whatever you're doing shouldn't be using a public internet network anyway.


Can you also choose which company provides the physical infrastructure that connects to your home?


If you live in a city or other urban area, typically you have the option of the decoupled telco (BT Openreach) that more or less everybody has, the entity which bought all the cable television companies (Virgin Media) and usually a fibre-for-purpose Internet company that decided to do your city or region.

If you live in a rural area where people are co-operative, there might be a community-owned fibre operator plus Openreach, otherwise just Openreach.

If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.

Edited to add, notably: only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last-mile delivery will always be Openreach. And if they're small it won't just be last mile; Openreach also sell backhaul to get your data from some distant city to the place where the ISP's hardware is, so you're buying only the, like, actual service. Which is important - mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking).


CityFibre is only available through wholesale ISPs. Other smaller alt-nets (such as the one I work for, Netomnia (including Brsk/YouFibre)) are gearing up to provide wholesale access.

In the UK there are even aggregators like Fibre Café [1] that make it easier for ISPs to connect through multiple networks.

[1] https://fibrecafe.co.uk/


If you are lucky, yes. For example, I have a choice between CityFibre (XGS-PON), Openreach (GPON) and Virgin Media (DOCSIS) as well as 2 different 5G networks. It is rare for a property to only be covered by a single wired network these days in the UK.


> That's true, but that's no reason to go from an imperfect solution to a nonsolution.

This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.


No it's not. I'm saying don't let the perfect be the enemy of the good.

DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.

You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.


Your ISP already has all this metadata and more from other sources, so it is pointless to switch to DoH in this case, and if you do you willingly give this metadata to Cloudflare, which (for the majority of users) may even be in a better position to do evil.


> Your ISP already has all this metadata and more from other sources

If you combine this with ECH and a good blocker, no they do not. That's exactly why Spain is blocking around 60% of the internet during football games now; the ISPs cannot tell which websites and subscribers are pirating football streams.


> Spain is blocking around 60% of the internet during football games now

[citation needed for the 60% figure]

It is precisely due to these blocks that I know Cloudflare is NOT 60% of the WWW, not yet at least. Certainly, if Cloudflare was serving 60% of the Internet, I would consider switching my DNS to them. But that would be a privacy nightmare for another day (replacing federated ISPs with a single big centralized one? great idea /s). It is not yet the case as of today.

In fact, as of today, and even if you have a "good blocker", I, a total noob, have a high chance of reliably identifying which HN news item from the top #30 you clicked from just the addresses: https://news.ycombinator.com/item?id=44219061. Imagine what the non-noobs at your ISP could do.


In the Politician's Fallacy, the chosen solution doesn't solve the problem. In this example, DoH solves many of the problems, perhaps not optimally, but better than the "do nothing" choice.


So it doesn't really solve the problem, and may generate more (privacy) problems of its own. "Doing nothing" may be the better solution here, which was the entire point made in the original episode.


To save some googling, the Politician's Fallacy is this one:

We must do something. This is something. Therefore, we must do this.

