DNS over HTTPS in Firefox
Posted Jun 4, 2018 2:19 UTC (Mon) by gdt (subscriber, #6284)
In reply to: DNS over HTTPS in Firefox by tialaramex
Parent article: DNS over HTTPS in Firefox
on the other hand you smash some of the routing data
That's only the case if the BGP feed to the ISP's CDN providers differs from the BGP offered to globally-visible neighbors. In which case the solution is to provide CloudFlare with the same BGP feed as provided to the ISP's other CDN providers.
Posted Jun 6, 2018 15:18 UTC (Wed) by buchanmilne (guest, #42315)
Which requires you to deploy CloudFlare everywhere you have any CDN.
Not going to happen.
In a real ISP I used to be involved with:
* The country has 3 major public peering locations.
** Cloudflare has presence at 2
** Major CDNs have presence at 3
** Smaller CDNs have presence at 1 or 2
* The ISP had 3 DCs, not co-located with the peering locations
** The ISP had 1 major CDN at 3 DCs; this CDN was actually only present at the largest peering location
** The ISP had 2 major CDNs in 2 DCs that were not at any local peering locations, and didn't want to be advertised to this ISP's peers
** The ISP had 1 major CDN in 2 DCs that were present at local peering locations, and were ok being advertised to this ISP's peers, but wanted to avoid sending any of this ISP's customers to the deployment at the peering location (as it was resource constrained).
It was not technically challenging to adjust the route filters appropriately to advertise the client subnets correctly to allow for this, and customers using the ISP's DNS would transparently get the best experience with the least exposure of their DNS requests. It would be technically challenging to get this setup to work with or without Cloudflare in the ISP's DCs.
There is no real privacy improvement available here, because Mozilla's picture doesn't quite hold true. Due to the peering configuration, most DNS requests to the large CDNs would not traverse the public internet, but would be routed across private peering connections (between the ISP and a root DNS operator, then between the ISP and its CDN partner).
With DNS over HTTPS, now these requests may traverse the open internet, and be exposed to a 3rd-party (Cloudflare).
IMHO, for some use cases (e.g. public WiFi), this may be an improvement, but for either fixed-line or mobile-operator (e.g. 3G/LTE) internet access, this is a regression in terms of privacy (at least in my country).
In short, this move does make me wonder if Cloudflare recently made some large donation to Mozilla ... which makes me suspicious of both parties.