by nykolasz 2626 days ago
Yep. What happens when Chrome adds DoH support? And Safari?

And whatever Gaming app the kids download? Suddenly it will become impossible to manage and maintain.

Not even talking about the troubleshooting nightmare.

DNS should be a system-level setting, not an App-level setting.


How far off are we from DoH being supported by common operating systems, DHCP, etc?

It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

Honestly, all these apps shouldn't even bother detecting for DoH or not. If people want to use DoH they can set up their own local resolver and configure their network for it (and for folks on Windows, that could even be packaged third-party).

The reason browsers are interested in including DoH is to protect users who don't even know this is a problem, and definitely aren't going to set up their own resolver.

What's the point of using DoH over the local network? We can generally assume the local network is "secure".

If I want to use DoH when sending DNS queries to the outside world, I can set up my own forwarder to forward DNS queries via DoH.

That's not always a safe assumption, e.g. public WiFi.

> How far off are we from DoH being supported by common operating systems, DHCP, etc?

To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.

Yeah. Good luck diagnosing that when something stops working as expected.

> To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.

Huh? Of course people do this, it's a standard way to do DNS that improves over older DNS wire protocols by offering better security properties. It's unfortunate that we had to involve HTTP in this, but needs must.

For example you can drop in an NSS replacement that uses DoH instead of conventional DNS for all your glibc software, or you can get software from a variety of sources that runs on UDP port 53 of your local machine like a normal DNS relay but uses DoH to someone trustworthy to deliver.

> DNS should be a system-level setting, not an App-level setting.

I would go even further: Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.

This is what spam-bots used to do back in the day. Now let’s add Firefox to the list.

> Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.

This is my point of view precisely.

Or trying to help the user "jailbreak" out of a restricted environment.