As a cynic I would say this is an attempt by Google and Cloudflare to collect DNS data. Why else would they provide this service for free?
Both Google's [1] and Cloudflare's [2] DNS privacy policies prohibit them from storing personally identifiable information or from correlating DNS information with other Google data coming from the same IP/account, but they do allow them to store information about which domains are popular, from which locations and from which type of device.
TLS (and therefore HTTPS) provides a very useful fingerprint based on accepted cipher suites, extensions, compression methods...
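The fingerprint mentioned above is what the JA3 method turns into a single hash: the TLS version, cipher suites, extension types, supported groups and EC point formats from the ClientHello, with GREASE values dropped. The following is an added example, not code from this thread or from Google or Cloudflare; it builds a constructed ClientHello (fixed "random" bytes, a made-up extension set) and shows how a resolver, CDN or any TLS endpoint can classify the client software and device type without looking at a single query name. Defenders use the same fingerprint to spot unexpected client stacks on their own edge.

```python
import hashlib
import struct


def _is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) change per connection, so JA3 leaves them out."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Constructed TLS ClientHello record; extensions is a list of (type, data)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # fixed 'random', empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (version, cipher list, [(ext_type, ext_data), ...]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                       # version, random
    pos += 1 + body[pos]                # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # compression methods
    exts = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts.append((etype, body[pos:pos + elen]))
            pos += elen
    return version, ciphers, exts


def ja3_string(version, ciphers, exts) -> str:
    """JA3 layout: version,ciphers,extensions,curves,point_formats (decimal, '-' separated)."""
    curves, points = [], []
    for etype, data in exts:
        if etype == 0x000A and len(data) >= 2:          # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000B and len(data) >= 1:        # ec_point_formats
            points = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if not _is_grease(v))

    return ",".join([str(version), join(ciphers), join(t for t, _ in exts), join(curves), join(points)])


def ja3_fingerprint(record: bytes):
    """(JA3 string, MD5 hex digest) for a ClientHello record."""
    s = ja3_string(*parse_client_hello(record))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


def sample_client_hello() -> bytes:
    """Constructed ClientHello resembling a modern browser, with GREASE values mixed in."""
    sni = struct.pack("!H", 14) + b"\x00" + struct.pack("!H", 11) + b"example.com"
    return build_client_hello(
        0x0303,
        [0x0A0A, 0x1301, 0x1302, 0xC02B, 0x002F],
        [(0x0000, sni),
         (0x1A1A, b""),                                     # GREASE extension
         (0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017)),  # x25519, secp256r1
         (0x000B, b"\x01\x00"),                             # uncompressed points
         (0x0017, b"")],                                    # extended_master_secret
    )


if __name__ == "__main__":
    print(ja3_fingerprint(sample_client_hello()))
```

Two clients with different TLS libraries or browser versions produce different strings even when they send identical DNS queries, which is why a resolver can record "type of device" without recording who asked for what. Conversely, a JA3 hash that does not match any browser your users run is a useful anomaly to alert on.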
> Why else would they provide this service for free?
Cloudflare runs the largest authoritative DNS server for their customers. The best way to make the DNS server faster is to make users query it directly.
1.1.1.1 runs on our existing hardware deployed around the world, it costs us very little. When you use it it improves performance for the 8 million or so sites we sit in front of, that's our actual business.
DNS is not the bottleneck for page load speeds, especially now that 99% of the internet has images or video (even if the images are not a main focus of the webpage, such as a news article's image header).
Running websites and selling users' data brings you more profit than just running websites. With DNS Cloudflare can also learn what non-Cloudflare websites users are visiting and when.
Why would Cloudflare do that? It's not in their business model, and "it makes more money" is hardly a thing that motivates corporations all the time; otherwise Google and Facebook would be offering subscription services at $20/year to go ad- and tracking-free.
Why would Cloudflare even want to know what websites you visit? They don't operate an ad network, they operate a CDN. At best they could use it to pre-cache websites in regions before demand rises. But they can already do that without DNS...
You are given advice on how to safely cross a four-way intersection by two companies.
One is an insurance company specialised in people being run over by semi trucks at four-way intersections.
The other is a contractor that designs, builds and maintains four-way intersections for the government and private entities.
Of course, yes, the latter could collude with the former to make extra money.
But it's also not their business model. They build intersections, people pay them to make those safe and reliable. People do not pay them to collude with shady insurance companies which try to kill people by semi truck.
People would actively not pay them if they did that.
Same with Cloudflare. If CF sold data to ad networks, a lot of websites would simply jump ship and use one of the other CDNs with free offerings. People pay CF a shitload of money for ensuring the connection is private and safe (notably banks, governments, etc.)
Your analogy is bad because it describes behavior which is illegal. If you want to make as much money as possible, you might avoid decisions like the one you present which will cost you more money when it is exposed.
It's not a bad analogy because it's illegal; it's a good analogy because it leads to people understanding what is happening here by simplifying it into something people encounter regularly and understand somewhat.
See recent behavior of Wells Fargo before you dismiss this. They have built the largest consumer bank on practices that were not legal. Even after some of those practices have been exposed they are #1. Millions of people with multiple semi-truck tire marks on their bodies still bank with them.
I'm not saying that every for-profit company will abide by the law, but that they may have an inclination to do so because penalties would reduce their profits. So the comparison you are trying to make is not quite the same, since there's a condition where a for-profit company might still do something ethically wrong (but legal) to make money, but avoid illegal behavior that would also make money (but cost them more if caught). For a recent example of this: Facebook.
It doesn't mean, take the shortest route toward the stack of money in sight.
If CloudFlare started selling DNS info when they have emphasized that their DNS service is caring for privacy, people would apparently stop using their resolver, and given the impression that they can lie, it could also hurt their main business.
Cloudflare itself never made sense to me. What possible incentive do they have to stop their primary purpose (DDoS protection)? They have value in promoting the behavior.
What's worse is that everyone and their dog is using them. What happens when they push a bad config to their core routers, or foobar their anycast?
It probably doesn't make sense because you misunderstand their primary purpose. It's not DDoS protection. Cloudflare has a pretty wide-spanning platform of products and services, but if you had to pick one out as their "primary", it would be their CDN product. The DDoS protection is just more visible because of the nature of the product (a good CDN will never make you aware it even exists), and because mitigating DDoS attacks makes for good news headlines.
Even if DDoS was their main business driver, what you're saying is similar to "doctors don't make any sense to me. what possible incentive do they have for keeping people healthy? they have incentive for promoting bad health."
As someone who works in security, believe me, there are plenty of cyber attackers out there that will easily keep companies like Cloudflare in business, no "promotion" of bad behavior required.
It costs money to do the things they do. If there's no profit, the service has to beg for money, or die for lack of resources. CloudFlare is not a charity, and if it was one, it would be ineffectual because their services are too behind-the-scenes and technical to get a donor base wide enough to support them. Profit is not necessarily an anathema to doing the right thing, and if you can align your interests with your cash flow, you can do the right thing without begging for money, which imho is even better than doing the right thing but having to subsist on the money generated by profitable enterprises that aren't as noble (donated either directly, or by their employees). But of course, aligning those interests is a challenge.
As an ISP, I'm skeptical of the motivations of big CDNs and Google in general, but it's becoming an IETF standard. I run recursive resolvers for clients numbering in the hundreds of thousands, with an ACL that allows only our ARIN IP blocks to query them.
It is not hard to put a DNS-over-HTTPS frontend in place for my clients which pulls queries from my own trusted bind9 servers.
For people who know how, why not just run this stuff locally? Set up your own recursive resolver on an OpenWrt router? Or maybe in a hosted VM close to where you live?
I know Google and CF claim they don't track this DNS information, but why even use them when you can run your own. Keep in mind CF did have a software bug that spewed SSL traffic and passwords all over the Internet [1], and they took down a website once because their CEO didn't like it [2].
When you simply run a packaged router at home that doesn't have the ability to do its own resolver, then you have to host it somewhere, but since DNS can't do authentication, it's hard to keep it private.
I'd like to know a way to host your own resolver but keep it private even when you're on mobile IP.
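The ISP setup described a few comments up (own recursive resolvers behind a source-address ACL, with a DNS-over-HTTPS front end) and the question just above (keeping a self-hosted resolver private when your client is on a mobile IP that no ACL can describe) are both served by the following added example. It is not code from this thread or from any of the products mentioned. It assumes a constructed ACL prefix, a constructed bearer token, and a `fake_resolver` function standing in for a real BIND server; the HTTP request is represented as plain method/headers/query/body arguments rather than a web framework. The point it demonstrates is that DoH, being HTTPS, can carry authentication that plain UDP/53 cannot: clients inside the ACL are accepted by address, everyone else must present a credential (a shared token here; client certificates would be the stronger choice).

```python
import base64
import hmac
import ipaddress
import struct

DNS_MESSAGE = "application/dns-message"   # media type fixed by RFC 8484


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so identical queries are byte-identical (cacheable)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_param(wire: bytes) -> str:
    """The GET form carries the message as unpadded base64url in the 'dns' parameter."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def decode_get_param(param: str) -> bytes:
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name, handling the compression-pointer form."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def min_ttl(response: bytes) -> int:
    """Smallest TTL in the response; RFC 8484 uses it to bound HTTP caching (max-age)."""
    qd, an, ns, ar = struct.unpack("!HHHH", response[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(response, pos) + 4          # QTYPE + QCLASS
    ttls = []
    for _ in range(an + ns + ar):
        pos = _skip_name(response, pos)
        _, _, ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        ttls.append(ttl)
        pos += 10 + rdlen
    return min(ttls) if ttls else 0


def allowed_by_acl(client_ip: str, prefixes) -> bool:
    """Source-address ACL, the same idea as a resolver's allow-recursion list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def handle_doh(method, headers, query, body, client_ip, forward, acl, token):
    """Minimal RFC 8484 front end returning (status, headers, body).
    'forward' sends wire bytes to the real resolver. Clients outside the ACL (e.g. on a
    mobile IP) must present the bearer token; header names are assumed lower-cased."""
    presented = headers.get("authorization", "")
    if not (allowed_by_acl(client_ip, acl) or hmac.compare_digest(presented, "Bearer " + token)):
        return 401, {}, b""
    if method == "GET":
        if "dns" not in query:
            return 400, {}, b""
        wire = decode_get_param(query["dns"])
    elif method == "POST":
        if headers.get("content-type") != DNS_MESSAGE:
            return 415, {}, b""
        wire = body
    else:
        return 405, {}, b""
    if len(wire) < 12:                  # shorter than a DNS header: not a query
        return 400, {}, b""
    response = forward(wire)
    return 200, {"content-type": DNS_MESSAGE, "cache-control": f"max-age={min_ttl(response)}"}, response


def fake_resolver(wire: bytes) -> bytes:
    """Constructed stand-in for the upstream BIND server: echoes the question, answers 192.0.2.1, TTL 300."""
    qd_end = _skip_name(wire, 12) + 4
    header = wire[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + wire[12:qd_end] + answer


ACL = ["198.51.100.0/24"]                # constructed: the ISP's own address block
TOKEN = "constructed-example-token"      # constructed; use per-client credentials or mTLS in practice

if __name__ == "__main__":
    q = build_query("example.com")
    print(handle_doh("GET", {}, {"dns": doh_get_param(q)}, b"", "198.51.100.7", fake_resolver, ACL, TOKEN))
```

In a real deployment `forward` would be a UDP or TCP exchange with the resolver on the loopback interface, and the function would sit behind a TLS-terminating HTTP server. The `max-age` derived from the minimum TTL matters for privacy too: it keeps intermediate HTTP caches from serving a stale answer longer than DNS itself would.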
I share some controversial opinions on here semi-anonymously and wouldn't want my personal positions on certain topics to be confused with an official position held by the companies I contract for. I can say that it's not a huge one, it's a mid sized regional ISP.
Whenever Mozilla puts out one of their nerd cartoons, I instinctively look over my shoulders and tighten my sphincter. Of course, it's always nice to know the reason behind a reflex.
[1] https://developers.google.com/speed/public-dns/privacy
[2] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...
[3] https://devcentral.f5.com/articles/tls-fingerprinting-a-meth...