Why should DNS be handled at the system layer and not by applications? There are zero controls in place to stop this, so I don't see why it's assumed that every application developer will want to use system defaults and not override them.
And users get to decide which applications to install. Tunneling has been a thing for decades; likewise for malicious programs. Vigilance when installing programs on a networked device has always been and remains necessary.
But it's not under the user's control if they install an app; there's nothing hard that prevents the abuse. Now if the OS had a system-wide / network-level proxy that checks the correct DNS calls are getting made and overrides with a user-chosen default, then you'd have something.