I know that both T-Mobile and Comcast have ignored user-selected non-DoH DNS settings by force in the past, either by DPIing port 53 traffic or statically routing major public DNS servers toward their own resolvers.
I don’t really understand this perspective. “Sure, I’m using vulnerable technology, but nobody has exploited me lately that I know of” isn’t a statement that would get positive reception in any other netsec discussion.
Yeah... it's not fear-mongering when it's a thing that actually happens. Some ISPs collect and sell your data. I mean, they even paid Congress to make it okay for them to do it. They sure can't be expected to keep their word.
And you really believe that "every ISP" sells your data, only Cloudflare is not doing it? You know, Apple was a "privacy oriented company" until some years ago.
Well... I said "some ISPs" sell your data, not "every ISP", but I wouldn't put it past any of them. Personally, I don't trust Cloudflare, I don't like efforts to kill ad-blocking, and I don't like further consolidating people's DNS traffic into the hands of a smaller and smaller number of providers. I've got the feature disabled for now. I wish someone like EFF would set up a DNS server supporting DoT. I'd pay for the service!
ISPs don't have the best profit margins, especially ones in competitive markets.
If the big players are selling DNS data, I guarantee you there are companies out there approaching every other smaller ISP with a turnkey solution that makes it as easy as possible to do the same thing with some kind of revenue share model.
Not a lot of businesses would turn down extra money like that, when they know their big competitors are doing the same thing.
Unlike most ISPs, privacy and security are a core part of Cloudflare's brand and business model - at least at the moment - so it's in their own interest to actually not do this stuff.
Only time will tell whether or not they pull a "don't don't be evil" on us, but that's a different conversation. :-)
Cloudbleed and particularly Cloudflare's response to it (the way they publicly blamed Google) tells you everything you need to know about how trustworthy Cloudflare is. I personally use Google via DNS over TLS, not that it is a good option but I personally prefer that to the alternatives available near me. CenturyLink was intercepting DNS last I checked a few years ago.
It is much easier to replace Cloudflare if they violate your privacy than to replace your ISP if they violate it. That helps to keep Cloudflare honest.
I guarantee the ToS you agree to with your ISP gives them the right to do this kind of stuff, for "network stability and performance" reasons or some other reason.
I used to have Spectrum "community wifi" (their service for apartment buildings). They were doing this as of last year. They even spoofed responses from root servers, which utterly broke things like `dig +trace`.
No, you don't. I have only one choice of ISP, Comcast. Comcast sniffs all DNS traffic to this day. Their DNS is hard-coded into their routers. I know they sniff because I have gotten DMCA notices while using a VPN. I had to spend quite some time setting things up to my VPN provider's recommendations to be able to use their DNS. I haven't received a DMCA notice since.
And yes, I know a cheap router can easily fix this problem. I just haven't had the time.
Capturing and redirecting DNS traffic is not difficult. You can do it yourself to force smart devices with hard-coded DNS settings to go via a local resolver that filters ads/stalking, so I have no doubt there are ISPs doing it to their customers to keep control for the purposes of tracking and NXDOMAIN hijacking.
Not without DoH. If you just try to set a custom server to use for insecure DNS, it's trivial for your ISP to rewrite all of your insecure DNS queries to go to itself instead.
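Several comments above describe the same symptom from different angles: plain UDP/53 queries being DNAT'd to the ISP's resolver, and `dig +trace` breaking because something other than a root server answers the non-recursive queries it sends to root server addresses. The script below is an added example, not code from anyone in this thread or from any vendor tool. It hand-builds the same kind of probe `dig +trace` sends (an RD=0 query for the root NS set to a root server IP), parses the reply, and applies a heuristic: a genuine root server answers with AA=1 and RA=0 and returns the `*.root-servers.net` set, while a recursive resolver that has had the packet redirected to it is not authoritative for the root and almost always answers AA=0/RA=1. The root server addresses are taken from the public root hints; the two sample replies are constructed inline so the classifier can be exercised offline. It is only a heuristic: an interceptor that forwards RD=0 queries upstream verbatim and relays the root's reply unmodified would pass it, and because DNAT rewrites the reply's source address back, the address alone tells you nothing.

```python
"""Heuristic check for transparent interception of UDP/53 DNS traffic.

Mimics the non-recursive root NS query that `dig +trace` sends to a root
server and classifies the reply by its AA/RA flags and answer set.
Added example for this discussion; not from the thread or any vendor tool.
"""
import secrets
import socket
import struct

# Addresses from the public root hints file (a.root-servers.net, k.root-servers.net).
ROOT_SERVER_IPS = {"a.root-servers.net": "198.41.0.4", "k.root-servers.net": "193.0.14.129"}
QTYPE_NS = 2


def build_query(qname, qtype=QTYPE_NS, qclass=1, rd=False, txid=None):
    """Serialize a DNS query; rd=False (no recursion) is what dig +trace uses."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        if label:  # "." yields only the empty label, i.e. the root name
            msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, qclass)


def read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # guard against pointer loops in hostile replies
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header flags and the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        target = read_name(msg, off)[0] if rtype == QTYPE_NS else msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, target))
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "answers": answers}


def classify(parsed, expected_txid):
    """'genuine' (root server answered), 'intercepted' (a resolver did) or 'unknown'."""
    if parsed["id"] != expected_txid or parsed["rcode"] != 0:
        return "unknown"  # not our reply, or an error we cannot attribute
    ns_targets = [t for _, rt, t in parsed["answers"] if rt == QTYPE_NS]
    looks_like_root = bool(ns_targets) and all(
        t.lower().endswith(".root-servers.net.") for t in ns_targets)
    if parsed["aa"] and not parsed["ra"] and looks_like_root:
        return "genuine"
    return "intercepted"  # AA=0/RA=1 or a foreign NS set: a recursive resolver replied


def build_response(txid, aa, ra, ns_names, rcode=0):
    """Constructed reply to a `. NS` query for offline testing (not captured traffic)."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(ns_names), 0, 0)
    msg += b"\x00" + struct.pack("!HH", QTYPE_NS, 1)  # question: . NS IN
    for name in ns_names:
        rdata = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_NS, 1, 518400, len(rdata)) + rdata
    return msg


ROOT_SET = ["a.root-servers.net.", "b.root-servers.net."]
GENUINE_REPLY = build_response(0x1234, aa=True, ra=False, ns_names=ROOT_SET)
INTERCEPTED_REPLY = build_response(0x1234, aa=False, ra=True, ns_names=ROOT_SET)


def probe(server_ip, timeout=3.0):
    """Send the RD=0 root NS probe to server_ip over UDP/53 (needs network access)."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(".", rd=False, txid=txid), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(parse_response(data), txid)


if __name__ == "__main__":
    print("constructed genuine reply    :", classify(parse_response(GENUINE_REPLY), 0x1234))
    print("constructed intercepted reply:", classify(parse_response(INTERCEPTED_REPLY), 0x1234))
    for host, ip in ROOT_SERVER_IPS.items():
        print(host, ip, probe(ip))
```

Run it from the network you suspect; "intercepted" from every root address you try is the same condition that makes `dig +trace` stop at a recursive answer instead of walking the delegation chain. A "no-reply" is also informative, since some interceptors simply drop RD=0 queries they cannot answer.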