
1. CloudFlare already gets this information since they're getting the unencrypted DNS traffic. The actual argument you're making here is that a single company owning all the data is a better situation than anybody being able to see that information.

2. Why should their workflow be broken so that the dns info gathered by CloudFlare is more valuable to CloudFlare?

3. The argument is that doh through privately owned servers is bad, so I don't know why you tried to specify that only CloudFlare is bad. DoH is, by definition, more centralized than DNS servers unless all DNS servers implement some form of doh. In which case you're not using doh and you're just updating dns to support encryption. If every DNS server doesn't implement doh then you're just adding a few centralized points which have access to unencrypted DNS data, making that data more valuable to the private entities holding it.



> The actual argument you're making here is that a single company owning all the data is a better situation than anybody being able to see that information.

Sure, but "CloudFlare can see my data but my ISP can't" is strictly better from a privacy perspective than "CloudFlare and my ISP can both see my data".

> Why should their workflow be broken

My point is their workflow doesn't actually have to be broken.

> so that the dns info gathered by CloudFlare is more valuable to CloudFlare.

Huh?

> The argument is that doh through privately owned servers is bad

How is it any worse than insecure DNS through privately owned servers, which basically everyone uses today?

> DoH is, by definition, more centralized than DNS servers unless all DNS servers implement some form of doh.

Is IPv6 also by definition more centralized than IPv4, since not all IPv4 servers implement some form of IPv6?

> In which case you're not using doh and you're just updating dns to support encryption.

What are you saying is the difference between those two things? And don't forget there's a huge anti-censorship benefit, even if you don't care about privacy at all.

> making that data more valuable to the private entities holding it.

Wait, are you arguing that reducing the number of entities that can access our data is a bad thing, since then our data will be more valuable to the ones who still can? That seems completely backwards.


> Sure, but "CloudFlare can see my data but my ISP can't" is strictly better from a privacy perspective than "CloudFlare and my ISP can both see my data".

But that's not really the trade-off here, it's about sharing data with Cloudflare that would not necessarily end up there if you were using services from your local ISP. Whether this is a good idea is more complicated. It depends on how ISPs are regulated and what they actually do with user data. Cloudflare's services, being optional in nature (the website operator or the end user chooses to use them, but not necessarily both at the same time), are likely to be less constrained by law, particularly if you are not a resident of California.

Or put differently, it's far easier to say “you shouldn't have used Cloudflare if you don't agree with their business practices” than “you shouldn't have browsed the public Internet if you don't agree with your ISP's business practices”.


This gets into my third category now. There are a ton of choices for DoH servers, and I doubt there's anyone who would consider all of them to have unacceptable privacy policies/practices, while also considering it okay from a privacy standpoint to use their ISP's DNS servers.


1) It's not a given that a single panopticon is better than more than one. In my opinion "anybody can see the data" is a better scenario than "CloudFlare can monetize the data".

2) I don't see why the workflow should be at risk of breaking if there's no good reason to introduce the new tool. Sure it's possible that requiring an animal sacrifice doesn't have to break their workflow, but why are we doing it in the first place?

3) Fully adopted IPv6 is less centralized than IPv4 since the larger address space allows for centralized layers (like NAT) to be removed. IPv6 gateways in an IPv4 network would be more centralized since they would require traffic from many sources to be proxied through a single source.

In the same vein, DoH that proxies many connections through a single source would be more centralized than not proxying those connections.

The difference between DoH and updating DNS to support encryption is that the latter doesn't allow for a "CloudFlare" to exist on top of existing DNS infrastructure which has exclusive access to unencrypted DNS data.

> Wait, are you arguing that reducing the number of entities that can access our data is a bad thing

It's a bit more nuanced than that. Adding DoH proxies on top of existing DNS infrastructure increases the number of entities that are required to access your data while decreasing the number that has access to the data to "number that's needed to function + the proxy".

I'm arguing that the number of entities that have access to the data should be "number required to function" or "everyone"; "number required to function plus the proxy" only benefits the proxy because they have exclusive access to data. Data is worth money the less people have access to it, so a solution that sends data through a proxy is rife for exploitation and not the best solution.


I’m kinda lost here. Aren’t Cloudflare’s DNS servers available on 1.1.1.1 with the old protocol and no DoH required? I don’t understand, therefore, what you mean about some imagined DNS-with-encryption not allowing Cloudflare to exist. Surely it would allow similar things to regular DNS? Maybe I just don’t understand what you are imagining when you write “encrypted DNS”.



