Can someone please explain to me why DNS-over-HTTPS (DoH) is bad? Signed, someone who transitioned from BIND9 to djbdns circa 2000, learned about Curve25519 via DNSCurve, considers the latter an abject failure...https://twitter.com/kennwhite/status/1170753874279485440?s=21 …
Replying to @bascule
I see the argument, at least in the case of the Mozilla default - you're switching from "ISP sees your query" to "Cloudflare sees your query." Is that better for all ISPs? For some?
Replying to @geofft
This is a popular argument that completely misunderstands and misrepresents the threat model. I am not a fan of Cloudflare, but the cleartext alternative is “attacker with a privileged network position”, a.k.a. your barista
Replying to @bascule
But the tradeoff is you're intentionally giving Cloudflare a privileged network position, no? For some systems (home, public cloud, some VPN users, etc.) it's entirely plausible to trust your network more than Cloudflare. And tbh I trust my baristas more than I trust Cloudflare.
Replying to @geofft
I dislike Cloudflare fairly strongly, but the alternative is allowing arbitrary cleartext resolvers and anything in the network path to snoop on my DNS queries (or tunneling all of my traffic, often to a node in an inefficient and ineffective position). BUT...
The default should be to encrypt DNS traffic. PERIOD. It’s unfortunate Cloudflare is their only launch partner but heads up other DNS companies: you need to catch up and add DoH support.
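The threat model argued over in this thread (an on-path observer reading cleartext port-53 queries versus the same observer seeing only a TLS connection to a DoH resolver) can be made concrete. The following is an added illustration, not code from any of the participants: it builds a minimal RFC 1035 query, shows the QNAME a passive observer reads straight out of the UDP payload, then wraps the same message in the RFC 8484 GET form (the `dns` parameter, base64url without padding) and shows that the on-path view collapses to the resolver's hostname and port 443. The resolver URL `https://doh.example/dns-query` is a placeholder, and the observer views are simplified models, not packet captures.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header plus one question."""
    # Flags 0x0100 = standard query with Recursion Desired; QDCOUNT = 1.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_question(msg: bytes) -> tuple[str, int]:
    """Read the QNAME and QTYPE back out of the question section."""
    labels = []
    pos = 12  # skip the fixed-size header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype


def cleartext_observer_view(udp_payload: bytes) -> dict:
    """What a passive on-path observer learns from a plain UDP/53 query (simplified model)."""
    name, qtype = parse_question(udp_payload)
    return {"transport": "udp/53", "qname": name, "qtype": qtype}


def doh_get_url(msg: bytes, resolver_url: str) -> str:
    """RFC 8484 GET form: wire-format message, base64url without padding, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_doh_get_url(url: str) -> bytes:
    """What the DoH resolver reconstructs from the GET request (inverse of doh_get_url)."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    param += "=" * (-len(param) % 4)  # restore the base64 padding stripped on the wire
    return base64.urlsafe_b64decode(param)


def doh_observer_view(url: str) -> dict:
    """What the same on-path observer learns from the DoH request: only the TLS endpoint (simplified model)."""
    host = urlsplit(url).hostname
    return {"transport": "tcp/443", "tls_sni": host, "qname": None}


if __name__ == "__main__":
    query = build_dns_query("example.com")
    print(cleartext_observer_view(query))
    # RFC 8484 recommends a DNS ID of 0 in DoH so identical queries share HTTP cache entries.
    doh_query = build_dns_query("example.com", txid=0)
    url = doh_get_url(doh_query, "https://doh.example/dns-query")  # placeholder resolver
    print(doh_observer_view(url))
    assert decode_doh_get_url(url) == doh_query
```

The point the thread circles around is visible in the two observer views: cleartext moves the query name to everyone on the path, while DoH moves it to exactly one party, the resolver, which is why the choice of that resolver (and the ability to change it) matters.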