
Fedora and fallback DNS servers

Posted Feb 26, 2021 4:36 UTC (Fri) by pizza (subscriber, #46)
In reply to: Fedora and fallback DNS servers by wahern
Parent article: Fedora and fallback DNS servers

> Some jurisdictions do prohibit ISPs from selling user data.

Sure, some do. Many more don't.

Meanwhile, Google (and for that matter, Cloudflare) has never "sold user data".

(Now Google sells _advertising_ that uses that data to improve targeting. But so have my last two ISPs)

And your ISP has some pretty detailed user activity data that many jurisdictions mandate be collected and retained, for "law enforcement" purposes. This sort of thing was a prime reason for the https-everywhere push. (Which led to even more intrusive middleboxes, which led browsers to pin certificates to catch data interception, and so forth...)

> Google and Cloudflare want you to use their DNS services because it not only makes them more money, it promises even greater dividends down the road as more people become reliant on them. That's true today and it will remain true for the foreseeable future.

...And also because plenty of middlemen routinely muck with end-users' DNS queries (and anything else that can be intercepted) leading to all manner of shenanigans, from relatively benign (data collection), somewhat skeevy (injecting advertising), to outright hostile (MITM attacks, credential harvesting)

(TBH I'd be quite surprised if Google and/or Cloudflare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

> Anyhow, if convenience is your primary objective, the solution is easy: just run a local recursing resolver.

Um, how is installing and appropriately configuring an additional software package "convenient" or "easy"?

If "convenience" is truly the primary objective, then systemd-resolved's upstream behaviour is ideal, as it will use whatever your ISP/etc hands you and only fall back to well-known public services if what you were handed doesn't work (or is nonexistent) for whatever reason.

(And I say that as someone who has private recursive resolvers set up for all of the networks I'm responsible for. And who has long made sure that "internal" DNS zones are publicly resolvable due to corporate VPN clients overriding local resolver settings..)



Fedora and fallback DNS servers

Posted Feb 26, 2021 10:40 UTC (Fri) by smurf (subscriber, #17840)

> (TBH I'd be quite surprised if Google and/or Cloudflare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

The systems running the public DNS resolvers are there anyway, they provide search / content acceleration. Data gained from them helps identify malicious users (if suddenly 100k random queries for random123.s0me0bscured0ma1n.com show up, something fishy may be going on) which helps both secure and/or run their other services. So I strongly suspect that their effect is net positive.
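
The kind of signal described in the comment above, sketched as an added example (not part of the original comment and not any resolver operator's code): flag a time window in which one parent zone receives many distinct, never-repeated subdomain labels. The thresholds, the two-label parent-zone shortcut and the constructed log are assumptions; the zone name is the one used in the comment.

```python
import hashlib
from collections import defaultdict

WINDOW = 60          # seconds per tumbling window (assumed value)
MIN_DISTINCT = 50    # distinct subdomains per window before flagging (assumed)
MIN_RATIO = 0.9      # share of queries in the window that are one-off names (assumed)

def parent_of(qname):
    """Split into (parent zone, subdomain). Uses the last two labels as the
    parent, a simplification; production code would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_random_subdomain_bursts(records):
    """records: iterable of (epoch_seconds, qname).
    Returns a set of (window_start, parent_zone) that look like random-label bursts."""
    seen = defaultdict(lambda: defaultdict(int))   # (window, parent) -> sub -> count
    for ts, qname in records:
        parent, sub = parent_of(qname)
        if sub:                                    # ignore queries for the bare zone
            seen[(ts - ts % WINDOW, parent)][sub] += 1
    flagged = set()
    for key, subs in seen.items():
        total = sum(subs.values())
        one_off = sum(1 for c in subs.values() if c == 1)
        # Ordinary traffic repeats a few names; a burst is many names seen once.
        if len(subs) >= MIN_DISTINCT and one_off / total >= MIN_RATIO:
            flagged.add(key)
    return flagged

def constructed_sample():
    """Constructed log: ordinary traffic plus a burst of random labels under one zone."""
    recs = []
    for i in range(200):   # ordinary traffic: three names, repeated often
        recs.append((1200 + i % 60, ["www", "mail", "cdn"][i % 3] + ".example.org"))
    for i in range(300):   # burst: every query carries a fresh pseudo-random label
        label = hashlib.sha256(str(i).encode()).hexdigest()[:8] + str(i)
        recs.append((1200 + i % 60, f"{label}.s0me0bscured0ma1n.com"))
    return recs

if __name__ == "__main__":
    for window, parent in sorted(flag_random_subdomain_bursts(constructed_sample())):
        print(f"window starting {window}: burst of one-off names under {parent}")
```
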

Fedora and fallback DNS servers

Posted Feb 27, 2021 6:40 UTC (Sat) by tialaramex (subscriber, #21167)

Both Google and Cloudflare have reasoned that their profitability is inherently tied to the Internet. If they make the Internet work better, they get more profits. Certainly we can trivially analyse the most superficial version of this thinking as correct - if the Internet somehow goes away Google and Cloudflare are ruined.

For now this aligns their interests and mine very well. In principle the Network might some day be transitioning to a successor technology and we could imagine Google and Cloudflare, if they still existed when that happens, fighting this change, like a 1990s telco (profiting from the previous iteration of the Network, the global PSTN) trying to stop the Internet rather than going with the flow, but if that happens it would be in the distant future and I expect to be long dead.

Anyway, under this rationale offering public DNS unbreaks the Internet for some non-trivial fraction of users, which in turn drives up your profitability.

For Cloudflare in particular there's an extra bonus, the 1.1.1.1 server gets to choose which of several valid answers to give in response to queries and so it can choose answers for Cloudflare services that reduce RTT between origin and server since it knows where they both are.

Historically there was effort to help other servers do this in DNS, by telling them the first few octets of the asking client's IP address. EDNS Client Subnet. Unfortunately of course as we see in this thread, people consider their IP address private information and don't want it leaked. So Cloudflare does not use EDNS Client Subnet at all.

