The reason I force DNS over UDP to my own DNS resolver is not so that chinese-internet-of-shitty-insecure-device (which I don't own) cannot phone home: I do it so that I'm in control of what the browsers can access over HTTPS (my browsers are all HTTPS-only).
> or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution
Then meet firewalls. The user accounts running browsers on my setup can access HTTPS over port 443 and query UDP to my local DNS resolver. A webapp (i.e. software written by someone else) is not bypassing that "networking stack" that easily.
Regarding name resolution: except for some very rare cases where HTTPS works directly with IP addresses, a browser using HTTPS only will only work for domains that have valid certificates. Which is why blocking hundreds of thousands --or millions-- of domains at the DNS level is so effective.
And if there are known fixed https://IP_address addresses with valid certificate that are nefarious, they're trivial to block with a firewall anyway.
I'm in control of my LAN, my router, and my machines and webapps written by others either respect HTTPS or get the middle finger from my firewall(s). Not https over port 443? No network for you.
Reading all your nitpicking posts you make it sound like firewalls and local DNS intercepting and blocking DNS requests aren't effective. But in practice it is hugely effective.
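What the policy described in that comment looks like as a host-level nftables ruleset, added here as an illustration and not the commenter's own configuration. The account name "browser", the resolver address 10.0.0.53 and the single-host placement of the DNS redirect are assumptions; on a setup where the router does the forcing, the nat table would live there instead:

```nft
#!/usr/sbin/nft -f
# Added example, not the commenter's ruleset. Assumed values:
#   uid "browser" : the account the HTTPS-only browsers run as
#   10.0.0.53     : the local DNS resolver, reached over UDP
flush ruleset

table inet egress {
    # Known-nefarious fixed IPs that happen to serve valid certificates.
    # Left empty here; populate with the addresses you actually want dropped.
    set blocked_ips {
        type ipv4_addr
        flags interval
    }

    chain output {
        type filter hook output priority filter; policy drop;

        # Loopback and already-established flows keep working.
        oif "lo" accept
        ct state established,related accept

        # Fixed bad destinations are dropped before any allow rule.
        ip daddr @blocked_ips drop

        # Browser account: plain UDP DNS only to the local resolver,
        # and outbound TCP only on 443. Everything else hits policy drop,
        # which also covers DoT (853) and DNS to any other resolver.
        meta skuid "browser" ip daddr 10.0.0.53 udp dport 53 accept
        meta skuid "browser" tcp dport 443 accept
    }
}

# Force stray port-53 queries from any account on this host to the local
# resolver, regardless of what resolver the software had configured.
table ip nat {
    chain output {
        type nat hook output priority -100; policy accept;
        udp dport 53 ip daddr != 10.0.0.53 dnat to 10.0.0.53
    }
}
```

Two caveats a practitioner should keep in mind with this ruleset: the `tcp dport 443` rule passes DNS-over-HTTPS just as readily as ordinary page loads, so a browser or app in that account that brings its own DoH resolver never touches 10.0.0.53; and software that ships hard-coded IP addresses reaches any HTTPS host without a lookup at all, which is exactly what the `blocked_ips` set exists for. The DNS-level blocklist is therefore strongest against software that still uses the OS resolver, and the firewall is what backstops the rest.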
The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.
It's a meaningless wish for something that you can't have, that we all agree would be nice, but is silly to expect.
An app can simply include its own hard-coded list of IPs if it wants, or some totally home-grown method for resolving a name to a number from any source. It's just key=value like all the infinite other data that every app processes. Normal DNS and DoH are nothing but standards and conveniences; they don't actually control or dictate anything.
You wish apps couldn't do that? So what? Do you also want a pony?
I'd say the same for this unnecessary ad hominem.
> The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.
This is a basic truth that has no bearing on what I said above.
> It's a meaninless wish for something that you can't have, that we all agree would be nice, but is silly to expect.
It's how it worked for personal computing almost since it became popular in the 90s.
Most apps would use the OS set DNS setting. Apps choosing to ignore that and do their own queries is a much more recent thing.
> An app can simply include it's own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source.
Yes. This also has no bearing on my point.
> You wish apps couldn't do that? So what? Do you also want a pony?
Wishing apps were not hostile to user intentions is not a fantastical or ignorant desire. Just because apps can be hostile to user intentions does not mean we should accept that as normal or advocate for it.
edit: Unless, naturally, I am no longer an admin and any control I have over my hardware is merely an illusion.
It doesn't matter how much you might want otherwise. It doesn't matter how important and virtuous the reason you want it is. Even invoking the mighty untouchable power of "my daughter" does not change such a simple fact of life.