Terrible decision IMO. To default to application level DNS that then defaults to a large centralized DNS provider is the opposite of supporting an open and decentralized internet.
This should be an optional feature that is opt-in. Instead a quick banner appears when you start Firefox and if you don't quickly hit disable … it enables this by default.
I’m not sure how this is significantly worse than the DNS status quo despite being more centralized.
Traditional DNS is very easy for everybody and anybody to snoop and tamper with, including your ISP, the government, the resolver and anybody else with a chunk of network infrastructure on your path. DoH is very hard for anybody but the resolver to snoop or tamper with. The resolvers commit to not selling data and not retaining logs for more than 24h. Of course a court order will take precedence, but we’ve gone from “anybody who cares can see and tamper with your DNS queries” to “just your resolver can see and tamper with your DNS queries, and they’re audited so that'll probably only happen under court order”.
All else held equal the increased centralization would make DoH a step backwards - but all else isn’t held equal, and traditional DNS is such a bad protocol that most of the advantages of its decentralization don’t actually manifest. And it’s not like the DNS protocol weaknesses are hypothetical - they’re used en masse by regimes and corporations around the world. With that in mind, I’d say default-on is a reasonable decision.
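To make the comparison above concrete, here is an added example (not from the thread) of what actually travels in each case: the same RFC 1035 wire-format question is sent in cleartext over UDP/53 by traditional DNS, while DoH (RFC 8484) wraps that identical packet in an HTTPS request, so only the TLS-terminating resolver can read the name. The query name and function names are constructed for the example.

```python
import base64
import struct

# Constructed example: the question a browser would send when resolving this name
QNAME = "www.example.com"
QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.

    RFC 8484 recommends transaction id 0 for DoH so that identical questions
    produce identical HTTP requests (and therefore cacheable GETs)."""
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_qname(packet: bytes) -> str:
    """Read the question name back out of a wire-format query.

    This is all an on-path observer needs to do with cleartext UDP/53 traffic;
    with DoH the same bytes are only visible after TLS termination."""
    offset, labels = 12, []          # the question starts after the 12-byte header
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1: offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def doh_get_path(packet: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire packet, base64url without padding, in 'dns='."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_packet_from_path(path: str) -> bytes:
    """Inverse of doh_get_path: what the DoH resolver does inside the TLS session."""
    encoded = path.split("dns=", 1)[1]
    encoded += "=" * (-len(encoded) % 4)   # restore the stripped padding
    return base64.urlsafe_b64decode(encoded)


if __name__ == "__main__":
    packet = build_dns_query(QNAME)
    print("cleartext DNS exposes:", parse_qname(packet))
    print("DoH request path:", doh_get_path(packet))
```

The encoded path produced for `www.example.com` matches the GET example given in RFC 8484, which is a useful sanity check when testing a resolver offline.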
DNS is heavily abused by network operators for censorship and surveillance purposes. IMO, a slightly more centralized Internet is a good tradeoff to make that impossible. And if the current DoH provider ever does abuse their position, it'd be easy for Mozilla to switch to a new provider.
Used to be you could mostly avoid such censorship by pointing a local resolver at the DNS roots (or alternate roots...).
I suppose you can run your own DNS resolver for DoT - but there seems to be much poorer support for network level configuration (like DHCP)?
I'd like my Android TV, my TV, my phone and my computers and my guests to use my local settings - automatically. Now every device needs manual setup for every network?
Running your own local resolver doesn't help. Your ISP will just hijack the packets on the way to and from the authoritative servers, since they're in cleartext.
At least if you run a VPN on the local recursive resolver, or a dnscrypt proxy - giving you some choice over who you trust - your ISP won't be able to see the content of the lookups. And all local clients can just use DNS.
But as long as root DNS is only signed, not encrypted, someone will see your lookups...
DNSSEC doesn't help with censorship. It means that your ISP can't send a fake response without you knowing it's fake, but they've accomplished their goal as long as they keep you from getting the real response.
> or a dnscrypt proxy
DNSCrypt traffic is obviously not HTTPS, even when run over TCP/443, so a malicious ISP could easily block it.
> This should be an optional feature that is opt-in. Instead a quick banner appears when you start Firefox and if you don't quickly hit disable … it enables this by default.
Disappointing behavior by Mozilla.