Hacker News

I do the same, but I read that that is also sending your IP all around the internet, which can have repercussions? The alternative is to not use a recursive resolver, but just punt to one of the "safer" ones such as 1.1.1.1?

edit: downvoting honest questions?




What, exactly, does "sending your IP all around the internet" even mean?


Meaning, if you don't want people to know you are searching for snm.donkeyporn.com, then going out to the nameserver that donkeyporn is using is not exactly keeping the information private.


In practice with 1.1.1.1 you're trading the parties who know about your access from:

Donkeyporn's DNS provider, com's DNS provider (0.1% chance it's not already cached), your ISP, transit providers, donkeyporn's ISP, donkeyporn service

To: cloudflare, your ISP, transit providers, donkeyporn's ISP, donkeyporn service

It's not a huge change and it's really about whether you trust CloudFlare more than the service donkeyporn has chosen.


I thought correctly switching to cloudflare should just be me -> cloudflare via an encrypted channel?


If you're talking about cloudflare warp, then yes... kind of. If you mean only the DNS, then no, there are still many connections matching you to the destination.


Worth noting that until Encrypted SNI is universally used, you probably transmit snm.donkeyporn.com in the clear when your browser does the initial TLS exchange anyway.

I personally feel that concentrating all the information of "what DNS names are people looking up" into the hands of a few parties (e.g. CloudFlare) makes it much easier to collect and analyze this information.


You are correct that if you run your own resolver, then all the DNS traffic from your resolver to other nameservers is in cleartext. DoH and DoT only get used by forwarders.
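The two points above, that the hostname is visible in the TLS ClientHello's SNI field until Encrypted SNI is deployed, and that a self-hosted recursive resolver's queries to authoritative servers travel in cleartext while DoH/DoT only protects the stub-to-forwarder hop, can both be seen by parsing the bytes on the wire. The following is an added example written for this thread, not code from any commenter or from Cloudflare: it constructs a plain DNS query and a minimal ClientHello for a sample name, then shows what a passive observer on each hop can read. The packet builders, the sample flows and the `cloudflare-dns.com` SNI on the DoT hop are constructed for illustration.

```python
"""Added example: which hostname a passive observer can read on each hop.
All packets below are constructed in this script; nothing is captured."""
import struct
from typing import Optional


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal RFC 1035 A query (what a recursive resolver sends over UDP/53)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_qname(payload: bytes) -> str:
    """Read the first question name from a DNS message (queries carry no compression pointers)."""
    if struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Construct a TLS record holding a minimal ClientHello with an RFC 6066 server_name extension."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list               # extension_type 0
    body = (b"\x03\x03" + bytes(32)                                     # version + random (zeros)
            + b"\x00"                                                   # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Extract server_name from a ClientHello record; None for encrypted or non-handshake records."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record (e.g. 0x17 app data)
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                   # not a ClientHello
    pos = 4 + 2 + 32                                  # header, client_version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                # server_name: list length, then entries
            p = pos + 2
            while p + 3 <= pos + elen:
                ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                if ntype == 0:
                    return hs[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None


def leaked_names(flows):
    """Map each (label, port, payload) to the hostname readable on that hop, or None."""
    out = {}
    for label, port, payload in flows:
        if port == 53:
            try:
                out[label] = dns_qname(payload)
            except (ValueError, IndexError, UnicodeDecodeError):
                out[label] = None
        else:
            out[label] = tls_sni(payload)
    return out


# Constructed sample flows for one visit to the name discussed in the thread.
SAMPLE_FLOWS = [
    ("udp/53 own resolver -> authoritative NS", 53, build_dns_query("snm.donkeyporn.com")),
    ("tcp/443 browser -> web server (ClientHello)", 443, build_client_hello("snm.donkeyporn.com")),
    ("tcp/853 stub -> forwarder (DoT handshake)", 853, build_client_hello("cloudflare-dns.com")),
    ("tcp/853 stub -> forwarder (DoT query, encrypted)", 853, b"\x17\x03\x03\x00\x10" + bytes(16)),
]

if __name__ == "__main__":
    for hop, name in leaked_names(SAMPLE_FLOWS).items():
        print(f"{hop:52s} {name or '(nothing readable)'}")
```

Run as a script, it lists the looked-up name on the UDP/53 and HTTPS hops, only the forwarder's own name on the DoT handshake, and nothing on the encrypted DoT query. That is the trade the thread describes: a forwarder with DoT hides the name from the path between you and the resolver but not from the resolver operator, and neither option hides it from the TLS handshake to the site itself until Encrypted SNI (ECH) is in use.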





