This enables Cloudfare’s DOH servers - this is probably a good idea for embedded stuff.
My ISP for example resolves all unknown hostnames to their advertisement server - so a mistyped hostname in MQTT bridge name will result in “connection refused” errors, which are super confusing and misleading.
Were it configurable, I would agree. But the Cloudflare DNS servers can't be disabled nor redirected to local DNS servers because it uses DNS over TLS.
For a platform that describes itself as "puts local control and privacy first", forcing DNS queries to be sent to an external third party seems like the exact opposite of what should be done. For those running their own local DNS servers for local control and privacy, Home Assistant won't respect the DNS servers configured manually or via DHCP.
It is also worth noting that if Home Assistant loses internet connectivity or if the Cloudflare DNS servers are blocked, Home Assistant will slow to a halt because it constantly (many times a second) tries to connect to Cloudflare.
I think it is configurable though? Just edit the source file you linked to on your system disk. I don't use HA's os image, but this looks like a text file on the mutable partition that you can easily edit. If one knows enough to set up local DNS servers, surely they can do this as well.
Re "slow to a halt" issue, this sounds like a bug independent of the upstream server issue. If the internet is not working (because general connectivity is lost, or someone blocked the DNS server, whatever) then of course the internet-using parts will cease to work, but local network parts should still be working. The config file is pretty clear that it is not supposed to use DNS servers, cloudfare or any other ones, for the local network connections. If this is not the case, you should file a bug.
> I think it is configurable though? Just edit the source file you linked to on your system disk.
Unfortunately it is not :(. The change will get wiped any time HA is restarted.
> If the internet is not working (because general connectivity is lost, or someone blocked the DNS server, whatever) then of course the internet-using parts will cease to work, but local network parts should still be working.
Local network parts stop working as well. A DNS lookup for a non-existing local domain results in the query being sent to Cloudflare. This cannot be prevented.
> The config file is pretty clear that it is not supposed to use DNS servers, cloudfare or any other ones, for the local network connections. If this is not the case, you should file a bug.
If you look at the config file, SERVFAIL and NXDOMAIN responses are considered to be a "failure" and queries are sent to Cloudflare. This is a poor design decision, not a bug.
The discussion has since been carried to reddit and now HN.
GDPR violation might be happening here. I think it will be hard to convince a local regulartory body to act. The software itself isn't collecting/storing and I think one needs to argue first if Cloudflare's data protection is not suffienct enough. As I understand doing a quick read "Your DNS Resolver Information is anonymized at our [Cloudflare's] edge data centers.". If it's always edge data centers it's not clear if data is leaving the EU, etc.
Almost every question I asked was either ignored or got a response of "that is off topic". I gave up trying to write the PR, which was clearly what the maintainers wanted.
There are also bugs in the coredns config that are being ignored:
9 comments
[ 3.9 ms ] story [ 30.9 ms ] threadMy ISP for example resolves all unknown hostnames to their advertisement server - so a mistyped hostname in MQTT bridge name will result in “connection refused” errors, which are super confusing and misleading.
For a platform that describes itself as "puts local control and privacy first", forcing DNS queries to be sent to an external third party seems like the exact opposite of what should be done. For those running their own local DNS servers for local control and privacy, Home Assistant won't respect the DNS servers configured manually or via DHCP.
It is also worth noting that if Home Assistant loses internet connectivity or if the Cloudflare DNS servers are blocked, Home Assistant will slow to a halt because it constantly (many times a second) tries to connect to Cloudflare.
...In the abscence of signed firmware, burned in values in silicon, and other such remote attestation oriented BS, that is.
Re "slow to a halt" issue, this sounds like a bug independent of the upstream server issue. If the internet is not working (because general connectivity is lost, or someone blocked the DNS server, whatever) then of course the internet-using parts will cease to work, but local network parts should still be working. The config file is pretty clear that it is not supposed to use DNS servers, cloudfare or any other ones, for the local network connections. If this is not the case, you should file a bug.
Unfortunately it is not :(. The change will get wiped any time HA is restarted.
> If the internet is not working (because general connectivity is lost, or someone blocked the DNS server, whatever) then of course the internet-using parts will cease to work, but local network parts should still be working.
Local network parts stop working as well. A DNS lookup for a non-existing local domain results in the query being sent to Cloudflare. This cannot be prevented.
> The config file is pretty clear that it is not supposed to use DNS servers, cloudfare or any other ones, for the local network connections. If this is not the case, you should file a bug.
Many bug reports have been filed about this: https://github.com/home-assistant/plugin-dns/issues.
If you look at the config file, SERVFAIL and NXDOMAIN responses are considered to be a "failure" and queries are sent to Cloudflare. This is a poor design decision, not a bug.
The discussion has since been carried to reddit and now HN.
GDPR violation might be happening here. I think it will be hard to convince a local regulartory body to act. The software itself isn't collecting/storing and I think one needs to argue first if Cloudflare's data protection is not suffienct enough. As I understand doing a quick read "Your DNS Resolver Information is anonymized at our [Cloudflare's] edge data centers.". If it's always edge data centers it's not clear if data is leaving the EU, etc.
- https://github.com/home-assistant/plugin-dns/pull/56
- https://github.com/home-assistant/plugin-dns/pull/59
- https://github.com/home-assistant/plugin-dns/pull/61
Almost every question I asked was either ignored or got a response of "that is off topic". I gave up trying to write the PR, which was clearly what the maintainers wanted.
There are also bugs in the coredns config that are being ignored:
- https://github.com/home-assistant/plugin-dns/pull/55
- https://github.com/home-assistant/plugin-dns/pull/60