It’s not as simple as “yeah, enable DNSSEC validation” and “yeah, add configuration option DNS_ENCRYPTION=true”, done, call it a day…
Then a specific server needs to be chosen. It’s okay if the user decides to use such a setup and manually sets it up. The user is free to decide to stop using their default ISP’s DNS server and choose a specific one hosted by a specific organization.
But when considering applying such a change by default for an operating system, which server (that is, which organization) should be configured by default to be used?
Cloudflare? That’s what Mozilla decided to use for Firefox. That might not be a decision to get applause for, or at least it would need to be thoroughly thought through, discussed and documented.
- The policy question: Should Cloudflare (or replace the name Cloudflare with any other organization) have the power to resolve all the DNS for all users?
- The reliability question: What if it’s offline? Then DNS for all users will break at the same time.
- A randomly selected server?
Perhaps no server should be enabled by default and the user should have a wizard graphical utility that can easily change the DNS server, which starts at boot?
- Maybe, but it’s easy to see that the development effort just got a lot higher.
- What about a CLI version?
- Should the user really be bothered with a question such as “Do you want to keep using your ISP’s DNS server or do you want to use iterative, encrypted (DoT), validating DNS using a DNS server from one of the following organizations?”
This isn’t trivial to decide, and not even trivial to discuss, as it requires prior essential knowledge about DNS such as “recursive or iterative?”
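To make the two knobs from the post concrete, here is an added systemd-resolved example (not from the post or any project mentioned in it) showing the lenient defaults beside a strict configuration; the resolver addresses and hostnames are placeholders, since which organization to trust is exactly the open question above.

```ini
; /etc/systemd/resolved.conf  (added example; placeholder resolver values)
;
; Lenient variant: DNSSEC and DoT are attempted but silently dropped if the
; upstream does not support them, so a user gets no error and no guarantee.
; Note that systemd-resolved is a forwarding stub, not an iterative resolver:
; every query still goes to the recursive server listed under DNS=, i.e. to
; whichever organization is chosen here.
;[Resolve]
;DNS=<RESOLVER_IP>#<RESOLVER_HOSTNAME>
;DNSSEC=allow-downgrade
;DNSOverTLS=opportunistic

; Strict variant: validation and encryption are mandatory. A zone with broken
; DNSSEC fails to resolve, and if the listed resolver is offline, name
; resolution stops entirely (the reliability question above), so at least one
; independent second resolver is listed rather than relying on a single one.
[Resolve]
DNS=<RESOLVER_IP_1>#<RESOLVER_HOSTNAME_1> <RESOLVER_IP_2>#<RESOLVER_HOSTNAME_2>
; FallbackDNS= is only consulted when no DNS= server is configured at all;
; leaving it empty prevents a silent fallback to a compiled-in default provider.
FallbackDNS=
DNSSEC=yes
DNSOverTLS=yes
; Use the stub listener so applications resolve via this validating instance:
; /etc/resolv.conf should point at 127.0.0.53 (or be the systemd stub symlink).
DNSStubListener=yes
```

Apply with `systemctl restart systemd-resolved` and inspect the effective settings with `resolvectl status`; the `#hostname` suffix is what systemd-resolved uses for TLS certificate verification of the DoT server.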