The vast majority of people will not see EDE errors. Even when they are set there is no guarantee that downstream resolvers have it enabled. The default in Unbound is disabled and people rarely check logs. Even if someone is using DoH their browser would have to translate the specific text to the user if it received such an error. Here [1] are some notes on the support of EDE around the internet.
As a side note I do not see that error for that domain. I get an A record which belongs to Cloudflare. Cloudflare could just as easily drop that domain into an account that displays the censored error message as text/plain to the user and close the connection.
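Added example, not written by any commenter in this thread: a small Python parser for the Extended DNS Error option (RFC 8914, EDNS option code 15) that pulls the INFO-CODE and EXTRA-TEXT out of a DNS reply. This is the piece a stub resolver or browser has to do before an EDE such as "Censored" could ever be shown to a user; the reply bytes below are a constructed sample, not captured traffic, and the option names and layout follow the RFC.

```python
import struct
EDE_OPTION_CODE = 15          # EDNS option code for Extended DNS Error (RFC 8914)
OPT_RR_TYPE = 41              # OPT pseudo-RR type (RFC 6891)
# Subset of RFC 8914 INFO-CODEs; 16 is what a censored-domain reply would carry.
EDE_INFO_CODES = {0: "Other", 4: "Forged Answer", 15: "Blocked", 16: "Censored",
                  17: "Filtered", 18: "Prohibited"}

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def extract_ede(msg):
    """Return a list of (info_code, meaning, extra_text) tuples found in the OPT RR, or []."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):                     # question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    found = []
    for _ in range(ancount + nscount + arcount): # walk every remaining RR
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):             # EDNS options: code, length, data
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(data) >= 2:
                info = struct.unpack("!H", data[:2])[0]
                text = data[2:].decode("utf-8", "replace")
                found.append((info, EDE_INFO_CODES.get(info, "Unknown"), text))
    return found

def build_sample_reply():
    """Constructed sample: NXDOMAIN for example.invalid with EDE 16 (Censored) attached."""
    header = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 1)   # QR=1, RD=1, RA=1, RCODE=3
    question = b"\x07example\x07invalid\x00" + struct.pack("!HH", 1, 1)
    ede_data = struct.pack("!H", 16) + b"blocked by court order (constructed sample)"
    option = struct.pack("!HH", EDE_OPTION_CODE, len(ede_data)) + ede_data
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(option)) + option
    return header + question + opt_rr
```

`extract_ede(build_sample_reply())` yields the single (16, "Censored", ...) tuple; a reply with no OPT RR, which is what most users actually receive, yields an empty list.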
- yes, the error has to bubble up to the user. i'm surprised the browser doesn't do this. i imagined EDE was plumbed into the browser because yeah -- no value for this otherwise and with PDNS we need such plumbing
- no, cloudflare does not hijack. they implement the court order for domains already under their management. this is no more hijacking than altering the DNS reply is hijacking, in fact less so since they only touch domains that they already serve. (BTW i am very much anti-cloudflare.)
BlahDNS is nice, it's privately operated so uptime is not a guarantee but I have not had problems in years. Other than that, both Njalla and Mullvad provide DoH services; they are pretty reputable with regard to user privacy.
There's a box labelled "Submit a correction or tip" at the bottom of the original article. Filling that in might have been better time spent than writing a blog post.
[1] - https://blog.apnic.net/2023/09/28/extended-dns-errors-unlock...
it's not as if that's hard. unfortunately chrome has sat on this for years. dunno about other browsers.
https://issues.chromium.org/issues/40912798
Of course CloudFlare hijacking the domain and sending traffic to a page they host isn't a great solution either...
in no way supporting the act itself of dns blocking
Writing a follow-up post is certainly valuable for raising awareness among anyone who had already read the original erroneous article.