Can someone at Sonic state officially whether our DNS servers implement the EDNS Client Subnet extension, and if so, how many bits of our network addresses are exposed?
With Firefox about to switch most users over to DNS over HTTPS by default, thereby sending our domain name lookups to CloudFlare instead of Sonic unless we act to prevent it, I find myself answering more questions lately about whether this is a good thing.
My first thought was that it's a terrible idea, not only because Mozilla is pushing a privacy-sensitive configuration change onto users without getting explicit permission, but also because the change seemed to merely shift the exposure from our ISP to another party (which could be less trustworthy) rather than actually reducing exposure. However, Mozilla justifies it in part by claiming that traditional DNS reveals most of our IP addresses to every authoritative server and intermediate network involved in every recursive DNS lookup. They are apparently referring to EDNS Client Subnet, which is new to me, and brings me to the question I asked above.
IMHO, this information is relevant to Sonic's mission, and should be easy for customers to find. Perhaps even include a link to it alongside the data retention statement in the privacy policy.
For anyone reading along who wants to disable DoH in Firefox, you can do so before it becomes the default, by setting network.trr.mode to 5.
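As an added example (not part of this post or of Sonic's DNS setup), here is a small stdlib-only Python encoder/decoder for the EDNS Client Subnet option defined in RFC 7871, which makes concrete how many address bits a /24 or /56 source prefix exposes and how a client opts out with a zero-length prefix. The addresses 192.0.2.55 and 2001:db8::1 are documentation addresses used as constructed input.

```python
"""Encode and decode the EDNS Client Subnet (ECS) option, RFC 7871, option code 8."""
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def ecs_option(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Build one ECS option (code + length + data) as it appears in an OPT RR.

    Only the first source_prefix bits of the address are encoded: host bits are
    zeroed and trailing zero octets are dropped (RFC 7871 section 6). The number
    of exposed address bits is therefore exactly source_prefix. A source_prefix
    of 0 is the documented client opt-out and carries no address at all.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    network = ipaddress.ip_network(f"{address}/{source_prefix}", strict=False)
    octets = (source_prefix + 7) // 8  # address field is truncated to the prefix
    data = struct.pack("!HBB", family, source_prefix, scope_prefix)
    data += network.network_address.packed[:octets]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs(opt_rdata: bytes) -> Optional[dict]:
    """Scan OPT RDATA (a sequence of code/length/data options) for ECS.

    Returns the decoded option, or None when the OPT RR carries no ECS option.
    In a response, scope_prefix tells how many bits the answer was tailored to.
    """
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        body = opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        if len(body) < 4:
            raise ValueError("ECS option too short")
        family, source, scope = struct.unpack("!HBB", body[:4])
        if len(body) - 4 != (source + 7) // 8:
            raise ValueError("ECS address length does not match source prefix")
        full_len = 4 if family == FAMILY_IPV4 else 16
        addr = ipaddress.ip_address(body[4:].ljust(full_len, b"\x00"))
        return {"family": family, "source_prefix": source,
                "scope_prefix": scope, "address": str(addr)}
    return None
```

A resolver that forwards a /24 for IPv4 clients sends the wire bytes produced by `ecs_option("192.0.2.55", 24)`, i.e. 192.0.2.0 with the last octet omitted, which is the "most of our IP address" Mozilla refers to.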