
> DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country in which the author appears to be based (Germany).

Author is based in Switzerland.

But since you mentioned Germany - German security services have no legal authority to indiscriminately monitor internet traffic, particularly not inside the country. They got into trouble with parliament the last time they got caught doing it.

For ISPs, there's no business value in intercepting or logging customer traffic. They're not allowed to use such data themselves, like for advertising purposes. At "large ISP" scale (tens to hundreds of gigabits), equipment that can intercept DNS queries at line rate is very expensive and adds a lot of infrastructure complexity. ISPs operate on thin margins and have zero incentive to deploy such equipment or otherwise mess with traffic.

They're legally mandated to store some metadata like IP address assignments and flow/CGNAT data for a limited period of time and aren't terribly happy about it, at the very least because it's expensive to collect and store it with no benefit. Deutsche Telekom has recently sued the government about it and won[1]. The so-called "Vorratsdatenspeicherung" is a recurrent topic in German politics with conservative governments introducing it, and then having to scrap it when it gets challenged in court by civil rights groups and/or companies[2].

In either case, DNS request data is NOT metadata and would never be inspected and stored unless there's a specific warrant.

Deutsche Telekom once redirected NXDOMAIN responses to an OpenDNS-like landing page with suggestions ("Navigationshilfe") and had to stop doing it when people complained to authorities[3].

Exporting and analyzing sampled packet headers or flows is pretty cheap and a standard feature with carrier-grade routing equipment (NetFlow/IPFIX and/or sFlow). IP assignments are basic accounting data that every ISP has.

Inspecting packet contents is very different and requires plenty of expensive extra equipment and/or complicated network engineering to redirect traffic to a centralized analyzer, which increases latency. It's only done if necessary, like temporary rerouting for ingress DDoS mitigation.

(source: worked in the industry)

> Masses of unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

Personally, I do trust CloudFlare and understand Mozilla's choice, but I do agree with the centralization concerns. It's a difficult set of tradeoffs, and characterizing the author's concerns as "unfounded FUD" is not fair.

[1]: https://web.archive.org/web/20180511081552/http://www.vg-koe...

[2]: https://de.wikipedia.org/wiki/Vorratsdatenspeicherung

[3]: https://www.golem.de/news/t-online-navigationshilfe-telekom-...
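An added illustration of the distinction the comment draws between exported flow metadata (NetFlow/IPFIX/sFlow key fields) and inspected packet contents. This is example code written for this page, not the commenter's or any ISP's tooling; the packet is constructed inline with RFC 5737 documentation addresses and zeroed checksums.

```python
import struct
from typing import NamedTuple

class FlowRecord(NamedTuple):
    """The key fields a flow exporter emits: header fields and counters, no payload."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    packets: int
    octets: int

def build_dns_query_packet(src: str, dst: str, sport: int, qname: str) -> bytes:
    """Constructed sample: an IPv4/UDP packet carrying one DNS A query (checksums left 0)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + udp

def split_ipv4_udp(pkt: bytes):
    """Return (src, dst, proto, sport, dport, udp_payload) from a raw IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, pkt[9], sport, dport, pkt[ihl + 8:ihl + ulen]

def flow_record(pkt: bytes) -> FlowRecord:
    """What a flow exporter keeps from this packet: addresses, ports, protocol, counters."""
    src, dst, proto, sport, dport, _payload = split_ipv4_udp(pkt)
    return FlowRecord(src, dst, proto, sport, dport, packets=1, octets=len(pkt))

def dns_qname(pkt: bytes) -> str:
    """The queried name, recoverable only by parsing the UDP payload (content inspection)."""
    payload = split_ipv4_udp(pkt)[5]
    off, labels = 12, []  # skip the 12-byte DNS header, then walk the length-prefixed labels
    while payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def flow_reveals_name(pkt: bytes) -> bool:
    """True only if the queried name could be read back from the flow record alone."""
    return dns_qname(pkt) in str(flow_record(pkt))
```

Running `flow_record` and `dns_qname` on the same constructed packet shows that the flow export carries the 5-tuple and byte counts, while the domain name exists only in the payload that a flow exporter never reads.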
