Re: Huh?
Let me just explain how I recently found Google's setting to be less than perfectly transparent:
I have Pi-hole set up. Nevertheless, I recently found that running the same site in both Firefox and Chromium produced different ad blocking results.
- On Firefox, Pi-hole successfully blocked ads (ads which are not embedded).
- On Chromium, those same ads were not blocked.
(I don't use ad blocker extensions on either browser).
For a specific example site known to include 3rd party ads: "Why Using an Ad Blocker Is Stealing (Op-Ed) Opinion" on Tom's Hardware (recently referenced by another Reg reader).
Chromium has a setting under Security (not under Privacy): Use secure DNS. Make it harder for people with access to your internet traffic to see which sites you visit. Chromium uses a secure connection to look up a site's IP address in the DNS (Domain Name System).
Google gives the following argument as to why DoH is good for you: Motivation: Most DNS resolution today occurs over an unencrypted channel. This is bad for privacy and for security reasons. Anyone who is on-path can eavesdrop on your browsing habits or even tamper with the resolution to have you navigate to a phishing website or an “access blocked” page for censored sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples).
Nevertheless, I checked the DoH setting and found it was ON, despite having long ago turned it OFF because it prevents Pi-hole from working to block ads. So I turned DoH off AGAIN and even rebooted the system. Still the ads on Chromium were NOT blocked. No problem - it's DNS cache, I thought. So I brought up "chrome://net-internals/#dns" and pressed the "Clear Host Cache" button. Still the ads were not getting blocked. So I rebooted the system to clear the Chromium cache - Still the ads were not getting blocked :(
Finally I added "dns.google" to the Pi-hole blacklist, and rebooted the system again and FINALLY the ads in Chromium were blocked :) "dns.google" is the endpoint for Google's DoH.
So it appears that Chromium is programmed to use DoH with endpoint dns.google for ads (at least if the ads are otherwise blocked), even when Chromium is set not to use DoH. AND the clear DNS cache setting doesn't actually clear the DNS cache, at least not for ads.
So sure - many of the "privacy" settings are even working today as expected, and so of course we should thank Google for their kindness. But we should also follow the Russian proverb "doveryai, no proveryai (доверяй, но проверяй)" which means "Trust, but verify" - at regular intervals. It is a cold, cold world out there.
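
One way to do the "verify" step from the resolver side is to count, per client, lookups of the DoH endpoint named in the comment (dns.google) and whether the resolver forwarded or blocked them. This is an added example, not part of the original comment; the log lines are constructed in dnsmasq query-log style, and the outcome keywords and the function name are assumptions.

```python
import re
from collections import defaultdict

# DoH endpoint named in the comment; add others you want to watch.
DOH_HOSTS = {"dns.google"}

# Constructed sample lines in dnsmasq query-log style (assumed format).
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[812]: query[A] www.tomshardware.com from 192.168.1.20
Mar 10 12:00:01 dnsmasq[812]: forwarded www.tomshardware.com to 9.9.9.9
Mar 10 12:00:02 dnsmasq[812]: query[A] dns.google from 192.168.1.20
Mar 10 12:00:02 dnsmasq[812]: forwarded dns.google to 9.9.9.9
Mar 10 12:00:05 dnsmasq[812]: query[AAAA] dns.google from 192.168.1.20
Mar 10 12:00:05 dnsmasq[812]: forwarded dns.google to 9.9.9.9
Mar 10 12:07:30 dnsmasq[812]: query[A] dns.google from 192.168.1.31
Mar 10 12:07:30 dnsmasq[812]: exactly blacklisted dns.google is 0.0.0.0
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
# Outcome line: "<action words> <name> to|is <address>"
OUTCOME = re.compile(r"dnsmasq\[\d+\]: (.+?) (\S+) (?:to|is) \S+$")
BLOCK_WORDS = ("blocked", "blacklisted", "denied")  # assumed wording


def doh_lookups(log_text, doh_hosts=DOH_HOSTS):
    """Return {client: {"allowed": n, "blocked": n}} for DoH endpoint lookups."""
    report = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    pending = {}  # hostname -> client whose query still awaits an outcome
    for line in log_text.splitlines():
        q = QUERY.search(line)
        if q:
            name = q.group(2).lower().rstrip(".")
            if name in doh_hosts:
                pending[name] = q.group(3)
            continue
        o = OUTCOME.search(line)
        if not o:
            continue
        client = pending.pop(o.group(2).lower().rstrip("."), None)
        if client is not None:
            blocked = any(w in o.group(1) for w in BLOCK_WORDS)
            report[client]["blocked" if blocked else "allowed"] += 1
    return dict(report)


if __name__ == "__main__":
    for client, counts in sorted(doh_lookups(SAMPLE_LOG).items()):
        print(client, counts)
```

A client that still shows "allowed" lookups after the browser's secure DNS setting has been switched off is the case worth investigating further.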