> Second, DoH is decentralized, you can still use other resolvers other than Cloudflare, and you can still chain resolvers together.
... but in practice almost all Firefox users will end up using one of the very few designated Mozilla TRRs. That's an increase in centralization, as measured on the ground. Social and behavioral effects count.
You can't claim one minute that "we're doing this to take care of naive users who can't protect themselves", and the next minute that "users can set up any arcane configuration they want".
In the end, you screw the naive users by increasing their practical centralization, and you screw the sophisticated users by adding complexity, breaking whatever protections they already have in place, and making it impossible for them to secure all of the applications on their systems at the same time.
Oh, and on edit, I guess I should address "first" as well as "second":
Nothing was stopping ISPs from blocking alternative DNS before... but very few people were using alternative DNS before, so it didn't have a lot of impact on ISPs' priorities. If you suddenly take away the ISPs' visibility into many people's DNS, then the ISPs get a reason to care. All kinds of things skate under the radar if they're not deployed at scale, but provoke responses when they get big enough to be threatening.
> ... but in practice almost all Firefox users will end up using one of the very few designated Mozilla TRRs. That's an increase in centralization, as measured on the ground. Social and behavioral effects count.
If we're going to go down this road and talk about defaults as they exist on the ground, then the reality is that most nontechnical users should be using Cloudflare's DoH resolver at the moment. Are there concerns about centralization? Yeah, of course. I'm as worried as anyone else about Cloudflare controlling the Internet, they are fundamentally a dangerous company. Being big, on its own, makes Cloudflare untrustworthy. But I'm also looking at Cloudflare's actions in the real world today, and they still have a better privacy record and are currently more trustworthy than any ISP in the US. Choosing them as a default in the US was the correct choice for Mozilla to make if you care about people's actual privacy in the real world today.
Mozilla's defaults here are also not set in stone. As network operators catch up with the technologies they've been ignoring, we'll get better OS and network integration for DoH settings. And as more providers start offering DoH, the defaults can change. Cloudflare is the default right now not because of a conspiracy but because regardless of how nervous they make us, and regardless of whether it's a good idea in theory in the future to have so much traffic routed through them, currently on the ground right now they are the best choice for most nontechnical users.
Additionally, currently on the ground there are few companies that are doing more than Cloudflare to decentralize DoH and improve its technical privacy guarantees instead of just asking people to trust them. Oblivious DoH[0] is an interesting proposal in that direction; there's also a decent amount of work (which Cloudflare is supportive of) going into research about by-default splitting DoH requests across multiple entities, so no single provider would get all of your queries. There are some obvious issues there to overcome regarding privacy, but it's still a somewhat promising proposal.
From a technical perspective, there is nothing about DoH that is centralized, and no part of the technology would force it to be centralized. There's no consumer lock-in, and there's no browser lock-in. Configuring DoH is not an "arcane configuration", it's just as easy as any DNS setup in your browser, even easier because there's less network interference and it's easier to debug.
But from a practical perspective right now on the ground, while I share concerns about Cloudflare overall and while I share concerns that Cloudflare consolidating power is problematic, I don't think it's accurate or reasonable to claim that DoH is a power grab. By default, Cloudflare isn't the provider in Canada. In the US, they have temporarily been chosen as the default by Mozilla because they are currently offering the best service. But anyone else could step into that position if they care to, there's no blocking or gatekeeping going on.
And frankly, if the only reason that DNS is decentralized is because most people's devices don't use a consistent resolver and just naively trust whatever network they're on, if the only reason why DNS is decentralized is because everyone's ISP sets it in the background without their knowledge, then in my opinion that's just a ridiculous way to guarantee provider diversity, and we should absolutely overhaul that system. Any system where my DNS provider changes behind my back when I connect to the wifi at a coffee shop is broken, and that is the experience that most nontechnical users have with DNS today. It is frighteningly insecure.
> You can't claim one minute that "we're doing this to take care of naive users who can't protect themselves", and the next minute that "users can set up any arcane configuration they want".
I don't think I do claim this. What I claim is that Cloudflare is an obvious default for nontechnical users, and I claim that DNS is susceptible to all of the same centralization concerns as DoH, and I claim that changing a DoH provider in Firefox for most end users is no more difficult than it would be to change a DNS provider.
Most users won't change their DNS provider, which is why it makes sense to use a secure default rather than to let every random network in the wild decide. But if you are the type of person who wasn't just trusting network DNS, then DoH is not going to be a problem for you. It especially won't be a problem for you once OS manufacturers start allowing system-wide configs.
> If you suddenly take away the ISPs' visibility into many people's DNS, then the ISPs get a reason to care.
I buy this theory, I think you're very likely correct. But I don't think it's a compelling argument. If what you're saying is correct, then literally any privacy initiative that threatened ISPs in any way would be blocked. What's the takeaway from that, we should abandon efforts that threaten ISPs?
We are seeing a large amount of pushback from ISPs, from network operators, and from governments themselves over DoH. This does not suggest that the proposal is dead on arrival, or that it's just going to be globally blocked. If DoH didn't have teeth, we would not be seeing this reaction.
So what your argument is saying is that DNS skated under the radar largely because it wasn't helping anyone, and ISPs didn't feel threatened by it. But I'd rather throw my weight behind a technology that they do feel threatened by, rather than behind one that they don't care about. A world where we have to fight about DoH being blocked is still strictly better than a world where we don't have to fight because there's nothing to fight over and the majority of people are using a system that is trivially attackable.
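The two technical points in the reply above, that a DoH resolver is nothing more than an HTTPS URL accepting RFC 8484 queries (so switching providers is a one-line change) and that lookups can be split across several providers so no single one sees every query, as an added stand-alone example that is not code from this thread; the resolver URLs and the hash-based split policy are constructed for illustration, and the caveat in the comments is the one the reply itself raises.

```python
import base64
import hashlib
import struct
from urllib.parse import parse_qs, urlsplit

RESOLVERS = [  # constructed placeholder endpoints, not real resolvers
    "https://resolver-a.example/dns-query",
    "https://resolver-b.example/dns-query",
    "https://resolver-c.example/dns-query"]

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query in RFC 1035 wire format: ID 0 (RFC 8484 recommends
    it for DoH so identical queries are HTTP-cacheable), RD=1, one IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encode the wire message, strip '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"

def decode_get_url(url: str) -> str:
    """Recover the queried name: re-pad base64url, skip the 12-byte header, walk labels."""
    dns = parse_qs(urlsplit(url).query)["dns"][0]
    raw = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
    labels, pos = [], 12
    while raw[pos]:
        labels.append(raw[pos + 1:pos + 1 + raw[pos]].decode("ascii"))
        pos += 1 + raw[pos]
    return ".".join(labels)

def choose_resolver(name: str, resolvers=RESOLVERS) -> str:
    """Pin each name to one resolver by hashing it, so no single provider
    sees every lookup. Residual issue: each provider still sees its own
    slice of names, and the mapping is stable across sessions."""
    digest = hashlib.sha256(name.lower().rstrip(".").encode("ascii")).digest()
    return resolvers[int.from_bytes(digest[:4], "big") % len(resolvers)]

def split_queries(names, resolvers=RESOLVERS) -> dict:
    """Map each resolver URL to the DoH GET URLs it would receive."""
    plan = {}
    for name in names:
        r = choose_resolver(name, resolvers)
        plan.setdefault(r, []).append(doh_get_url(r, build_query(name)))
    return plan
```

The encoded query for www.example.com matches the GET example in RFC 8484, which is the easiest way to confirm the wire format is right before pointing this at a real resolver.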
For the record, I share your cautious confidence in Cloudflare. For an entity of its size, Cloudflare has been amazingly good both at being transparent and at actively finding ways that people don't have to extend any trust. Cloudflare even suggested real cryptographically blinded tokens as an alternative to CAPTCHAs (and saw it shot down by people who didn't understand the crypto, and were sure it was some kind of trap...).
Cloudflare could easily go bad in the future, but has been refreshingly good so far.
But most of the risks "native" to large commercial entities seem to have been using DNS queries to target advertising. That sucks, but it's not my top concern. I'm more worried about outside pressure to censor the Internet, which is more of a non-native risk. From my point of view, censorship is a bigger worry than targeted advertising. It can happen here, and it's already happening in a lot of "theres".
If some major government, or coalition of governments, or even major private pressure group, wants to disappear something from the DNS, and there are only 15 or 20 TRRs, then it's a lot easier to lean on those TRRs than it would be to lean on hundreds of ISPs. In any given case, it may also be easier than leaning on the registrars.
Heck, since there's a centralized Mozilla policy for who gets to be a TRR, they can just lean on Mozilla. Maybe it won't matter because Chrome will have more market share or whatever, but it doesn't seem quite right for Mozilla to rely on that.
Even if Cloudflare happens to be much better about resisting filtering pressure than most ISPs, and stays that way, there's still only one Cloudflare that has to be subverted. And there's going to be pressure on Mozilla to include TRRs that might not even be as safe as Cloudflare.
You can already see the pressure to bake censorability into the TRR system. Look at the comments on the Mozilla consultation. You have a lot of people talking about how TRRs need to be able to (secretly!) respond to government blocking requests. You even have what looks like a coordinated push from UK commenters to protect secret non-government blocking at TRRs.
Yeah, we'll all disagree about whether X or Y should be censorable. Most people can name something that they think should be censored, and I think that a lot of people's lists are getting bigger rather than smaller. But once you start creating infrastructure for filtering, everybody comes out of the woodwork and starts trying to get their particular filtering priorities. It's hard for a centralized system to resist them.
The real answer is probably to switch to something a lot more decentralized and anarchic than the DNS can ever be. After all, in the end, there's only one ICANN. But that will take a very long time, if it ever happens at all. In the meantime, it seems really unsafe to concentrate power over the DNS in a limited number of pressure points.