Damn, this is a good point. Just because of network architecture, ultimately somebody-- either the client or the network-- has to have the Final Word on where DNS requests go, and either way opens people up to attacks depending on the scenario. If the client has the Final Word, you can't stop your Chromecast from talking to 8.8.8.8; if the network has the Final Word, you can't trust DNS on foreign networks or use your own resolver.

> I don't know if it's possible to design a system that somehow always favors the rights of the individual.

This is why people keep objecting to technological solutions to social problems. Adblocking is a stopgap technological solution (although very effective at the moment); properly protecting the rights of the individual requires a social and legal process.

I disagree. Technical solutions are largely preferable. Political solutions are feeble and can be changed on a whim.

If the NSA has the capability to sniff vast amounts of network traffic, encrypting that traffic is a much stronger defense than telling the NSA they aren't allowed to deploy the capability for the time being.

If Chrome insists on using its own DNS or removing the adblocking API for add-ons, one can just use another browser like Firefox that has the desired technical capabilities. Managing DNS lookups and HTTP requests are not "stopgap" solutions, they are basic functionality that any one entity can't eradicate.