An update: a Firefox employee has responded on my crosspost to Reddit: https://www.reddit.com/r/firefox/comments/9cx8hk/on_firefox_moving_dns_to_a_third_party/

They clarify that this is just an A/B test and there are no plans to continue using CloudFlare for all users.
This seems well-intentioned but incredibly dangerous. There's no promise CF can make that justifies trusting them to receive a stream of every request from every FF browser, with all this trackable metadata.

In particular, I think it would be unsurprising if CF's lines were tapped upstream. CF and Mozilla staff have a history of treating TLS as if it protects all content, rather than as a tool for keeping narrowly defined secrets. I explain further at https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-privacy.html.
This is just like when Facebook wanted to handle all of your iOS traffic via a VPN app for "secure Internet" reasons. "Trust us, you have nothing to worry about, your traffic is safe with us," and then they were caught analyzing traffic data of all apps other than Messenger or Facebook. Yeah. "Trust."
Given that my ISP currently tracks DNS and blocks whatever they feel like at that level, I actually think this is a good move.

The measure I'm looking at is that of sensible defaults: is this default more sensible for a majority of the user base than the existing default? For anyone outside the rule of GDPR using a regular ISP, this option is far better. The joint Mozilla + Cloudflare privacy policy is much better than a regular ISP's.

And given that we all go and change the DNS of every computer we and our extended families own to 8.8.8.8, 8.8.4.4 or 1.1.1.1, I don't see why we'd think Mozilla doing it by default is a bad thing.
A friend of mine has a simple static hobby website on his own .net domain. It isn't reachable through CloudFlare DNS. This has been true for over two months. Google DNS can see it, as can my ISP's.

I recently noticed that his self-hosted email is sometimes being flagged as spam because it lacks SPF.

Is CloudFlare filtering their DNS results, maybe against a spam blacklist?
Cloudflare's 1.1.1.1 DNS already censors torrent/piracy-focused domains, for example rarbg and thepiratebay.

On the other hand, they resolve websites which are considered illegal in my country, which would normally be censored by my ISP (e.g. not approved betting websites).
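The question raised in the two comments above (whether one public resolver answers a name differently from another) can be checked directly. The following is an added example, not code from the thread: a minimal stdlib-only DNS client that sends the same A query to several resolvers and names the ones whose answer diverges from the rest. The resolver addresses 1.1.1.1 and 8.8.8.8 are the ones named in the thread; the embedded sample responses for example.net and 192.0.2.1 are constructed so the parser can be exercised offline.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    # RFC 1035 wire format: header with RD=1 and QDCOUNT=1, QNAME labels, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(msg: bytes, pos: int) -> int:
    # Advance past a domain name; a two-byte compression pointer (top bits 11) ends it.
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1

def parse_answer(msg: bytes) -> dict:
    # Return the RCODE and the sorted A-record addresses of a DNS response.
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):                # skip the echoed question section
        pos = _skip_name(msg, pos) + 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x000F, "addrs": sorted(addrs)}

def query(resolver: str, name: str, timeout: float = 2.0) -> dict:
    # Plain UDP/53 to one resolver; a timeout propagates as socket.timeout.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        return parse_answer(sock.recv(512))

def divergent_resolvers(results: dict) -> set:
    # Names of resolvers whose (rcode, addresses) differ from the most common answer.
    keys = {name: (r["rcode"], tuple(r["addrs"])) for name, r in results.items()}
    reference = max(keys.values(), key=list(keys.values()).count)
    return {name for name, k in keys.items() if k != reference}
# Constructed sample responses (RFC 5737 documentation address) so the parser runs offline.
_QUESTION = b"\x07example\x03net\x00\x00\x01\x00\x01"
SAMPLE_OK = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + b"\xc0\x00\x02\x01"
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
```

Live use is `divergent_resolvers({n: query(ip, "example.net") for n, ip in {"cloudflare": "1.1.1.1", "google": "8.8.8.8"}.items()})`. Differing A records alone are not proof of filtering, since CDNs hand out location-dependent addresses; an NXDOMAIN or empty answer from one resolver while the others return records is the stronger signal.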
The big issue with Mozilla is that they are dependent on outside revenue (which for the most part ultimately comes from advertising). A big chunk of their revenue comes from Google. If CloudFlare were to offer Mozilla a lot of money to use CloudFlare DNS, they would likely do it.