This is an important reiteration of Google Chrome's existing policy on DoH. Chrome will support DoH but will not change a user's DNS provider by itself. It will only upgrade to DoH to the same provider if 1) it supports it 2) it is on a whitelist. https://blog.chromium.org/2019/10/addressing-some-misconceptions-about.html
In stark contrast, Firefox has decided it can just change the users' DNS to Cloudflare and only provide a notification about this, with a scary looking 'Disable Protection' button if you don't like it. https://twitter.com/PowerDNS_Bert/status/1187671766606532609
Bert Hubert 🇪🇺 added, quoting his own tweet:
Bert Hubert 🇪🇺 @PowerDNS_Bert: Dark Pattern: "a user interface that has been carefully crafted to trick users into doing things". Mozilla, which did a lot of the research into how users react to security warnings, has provided the new gold standard picture of a "Dark Pattern". Details: https://www.zdnet.com/article/mozilla-cloudflare-doesnt-pay-us-for-any-doh-traffic/#ftag=RSSbaffb68 pic.twitter.com/acdgUfnU5s
Despite Google Chrome's current sane policy, I still urge internet service providers to: 1) Stop doing NXDOMAIN redirection 2) If not (allowed to do) logging/selling DNS data, say so 3) Offer encrypted DNS services (DoT/DoH) 4) Enable DNSSEC 5) Shore up DNS performance
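An added check for item 1 of that list (example code written for this page, not from the thread or from PowerDNS): it sends an A query for a random name that cannot exist and classifies the reply. A conformant resolver answers RCODE 3 (NXDOMAIN); one that redirects answers RCODE 0 with a synthesised A record. The resolver address, the base domain and the sample replies are assumptions constructed here.

```python
import os
import socket
import struct
# Added example, not from the thread: probe a resolver for NXDOMAIN redirection.
# A conformant resolver answers a name that cannot exist with RCODE 3 (NXDOMAIN);
# a redirecting one answers RCODE 0 plus an A record for a search or ad page.

def build_query(qname, txid=0x1234):
    """Minimal recursive A query (QTYPE 1, QCLASS IN) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(packet):
    """Return 'nxdomain', 'redirected', 'nodata' or 'error' for a raw reply."""
    if len(packet) < 12:
        return "error"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error"
    # RCODE 0 for an impossible name: any answer record was synthesised.
    return "redirected" if ancount > 0 else "nodata"

def random_probe_name(base="example.com"):
    # Random label: neither a cache nor the real zone can answer it genuinely.
    return f"{os.urandom(8).hex()}.{base}"

def probe_resolver(resolver_ip, base="example.com", timeout=3.0):
    """Send one UDP/53 probe and classify the reply (needs network access)."""
    qname = random_probe_name(base)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return qname, classify_response(data)

def synth_reply(query, rcode, addr=None):
    """Constructed reply to `query` for offline testing (not a real capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if addr else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    reply = header + query[12:]  # echo the question section
    if addr:  # A record: pointer to the question name, TTL 60, 4-byte RDATA
        reply += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr)
    return reply
```

Run `probe_resolver("<resolver ip>")` against the resolver you operate; anything but "nxdomain" for a random name means it is rewriting negative answers.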
If these steps are not taken, public DNS providers can credibly claim their DNS is better & might take it from you. I firmly believe the world will not be better if "DNS moves to the web", or as @paulvixie says, "the internet and the web part ways".
Update: to get on the Google Chrome whitelist (if you are a big access operator that runs DoH), contact doh-provider@chromium.org - details are on: http://lists.encrypted-dns.org/scripts/wa-ENCDNS.exe?A2=ENCRYPTED-DNS;f98e120c.1910&S=
And a final update: Your connectivity to Cloudflare will be a *SINGLE POINT OF FAILURE* for your US Firefox users. And DoH is very sensitive to packet loss! So: 6) If you host DNS, make sure your peering/connectivity to Cloudflare is top notch 7) If an access provider, same
Replying to @PowerDNS_Bert @paulvixie
Using DoH from Cloudflare is *less* of a single point of failure than normally for users since they can fall back to the regular resolver, while users using only the regular resolver rarely have a backup...
Yes, like most of the other anti-DoH arguments, this SPOF argument makes zero sense. It's no more or less of a SPOF than your existing provider.
Thanks for your snap judgement. I have more resilience and fewer possible points of failure than anyone using a so-called "public resolver" with or without DoH will ever have. And: you can too!
I believe you, I think you're very good at what you do. Your users are very lucky to have such reliable infrastructure, but a lot of people are not your users.
It doesn't take my skill level. Running a single RDNS in your home has fewer points of failure than talking to a public resolver. It's not opinion, it's graph theory.
This is not a realistic option for most users, and even if it was, what happens when it goes down?