
> The EU might be doing a better job here-- but is this suggesting that I trust my US ISP's DNS servers?

That's the false dichotomy. You shouldn't use either one.

The issue is that if you've already made your choice, e.g. by having your DHCP server give out the DNS you actually want to use or configuring it in your operating system, then having Mozilla default to ignoring your choice and overwriting it with Cloudflare is wrong.

And it would be one thing if it was something like people selling internet gateway devices that do this by default -- that's a great idea because it gets you away from the ISP's DNS by default but still provides a single place to set it the way you want it, and still allows the owner of an individual device to override it device-wide if desired.

Putting it in individual applications is the opposite. It means you have a full time job just changing it back to the way you want it in every application on every device, and even then you're liable to miss some.




> It means you have a full time job just changing it back to the way you want it in every application on every device, and even then you're liable to miss some.

Hopefully not. Firefox has some techniques for disabling DoH that rely on computer or network-wide changes. If other applications also adopt these or similar techniques, you'd only have to make the change in one place to turn it off for every application running on any computer on a network.

Specifically, as I understand it, Firefox disables DoH if

1) Windows Group Policy is used to manage a computer

2) A canary domain is blocked

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs...

(Disclosure: I work for Mozilla, but not on the Firefox browser)


> 1) Windows Group Policy is used to manage a computer

This is solving the problem only where it least matters. If you're using Group Policy then you can configure DNS using Group Policy anyway, so any default there is already easy to override. Where the default really matters is on the devices where the only central management is DHCP, because those are the devices that require manual interaction to fix an application that defaults to ignoring the DHCP configuration.

> 2) A canary domain is blocked

That could work, but what happens when the ISPs start blocking the canary domain? The FAQ says they'll monitor it but that doesn't tell you how they'll address it when it happens.


> but what happens when the ISPs start blocking the canary domain?

Put your own DNS server in front of it that resolves the canary domain, I guess.

The absurdity of rolling a DNS server solely to unblock a domain blocked by an upstream DNS server specifically so that an application can resolve that domain and consequently not actually use your DNS server is not lost on me.
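As an added example (not from any commenter), here is a small Python script showing the canary check as I read Mozilla's FAQ: it builds the query for the canary domain use-application-dns.net and classifies a resolver's wire-format reply as "disables DoH" or not, which lets a network admin verify that their block is of the kind Firefox honours. The domain name and the NXDOMAIN / NOERROR-without-A-or-AAAA rule are taken from the FAQ as I understand it; the parser, the fixture builder and the sample replies are my own assumptions and run offline.

```python
"""Offline check of the Firefox DoH canary rule described in Mozilla's FAQ
(my reading: DoH is disabled when the canary name returns NXDOMAIN, or
NOERROR with no A/AAAA answer records). DNS wire format is parsed by hand."""
import struct

CANARY = "use-application-dns.net"  # Mozilla's canary domain (from the FAQ)

def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name: str = CANARY, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query (qtype 1 = A, 28 = AAAA); send this to UDP/53."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def make_response(query: bytes, rcode: int, answers: list[tuple[int, bytes]]) -> bytes:
    """Constructed reply to `query` (test fixture, not real traffic): answers are
    (rtype, rdata) pairs, each naming the question via a pointer to offset 12."""
    hdr = struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d for t, d in answers)
    return hdr + query[12:] + rrs

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly compressed name (a pointer is two bytes and ends it)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(resp: bytes) -> tuple[int, int]:
    """Return (rcode, count of A/AAAA records in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    addrs = 0
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        addrs += rtype in (1, 28)                # bool counts as 1
    return flags & 0x0F, addrs

def canary_disables_doh(resp: bytes) -> bool:
    """NXDOMAIN (rcode 3), or NOERROR (0) with no address records, disables DoH.
    Any other rcode is treated as 'not blocked' under this reading of the FAQ."""
    rcode, addrs = parse_response(resp)
    return rcode == 3 or (rcode == 0 and addrs == 0)
```

To check a live network, send `build_query()` to the DHCP-assigned resolver on UDP/53 and pass the raw reply to `canary_disables_doh`; a NOERROR reply that only carries a CNAME still counts as blocked because no address record comes back.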


Technically correct -- the best kind of correct.

Though obviously if you've got your own DNS server in front of the ISP's then you could just configure that to resolve names however you like. Which would then typically cause it to accurately resolve the canary domain by default and thereby cause the application to not use it. Hmm.
