It would only be a difficulty for intercepting devices like PiHoles (and I don't think it's an insurmountable difficulty either, if you control both the Pi and the computer). It wouldn't affect browser-based adblockers, which is how the majority of adblocking is already done, because browsers already have access to the unencrypted request.
That would be my point too. DNS-based content blocking is very ineffective and can be outsmarted very easily.
DNS filters might be very easy to set up but if they become more major they can be outsmarted very easily - what if Google starts serving ads from www.google.com, would you block that domain name too? Browser extensions can block content far more precisely.
And smart TVs and such stuff could easily switch resolvers and just not use your Pihole's DNS resolver - that would work even without DoH as long as you don't intercept traffic on your router. E.g. Fire TV already adds Google DNS as an additional DNS server (you can't change that). Chromecast only uses Google DNS (AFAIK you can't change that either). I guess the only viable option here is just not to buy those products.
If your (on-LAN or otherwise under-your-control) DNS server talks DNS-over-HTTPS, Mozilla can just talk directly to it. That's the point. The browser-specific option can be used where that's not viable or reliable (mobile devices, third-party networks).
And devices are handed DNS servers (with the option to opt out) via DHCP when they connect to the LAN.
Okay, and if malware uses DoH to figure out how to connect to its C&C server, how do I stop that DoH request (given it looks like any other HTTPS request)?
If Cloudflare starts serving DNS traffic from HTTPS on its CDN, the malware can use Cloudflare for DNS. Am I supposed to block all of Cloudflare's IPs because they can be used to circumvent DNS query monitoring?
That's a separate threat model. DoH addresses surveillance, censorship, and injection by ISPs.
One DNSmasq already addresses in part through various adblock and malware-blocking DNS blacklists. I'm using one such that updates hourly or better. Requests to or for specific domains may be blocked (and are).
Keep in mind that by using DNSmasq at a centralised LAN server, you now have a single point of control to defend against such threats, rather than relying on multiple device- and application-specific points of control. Though software (such as browsers) offering its own defences against such threats is in no way hindered.
You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware. At the OS level, firewalls such as Little Snitch monitor and block traffic at the application / process and user level, and may detect, alert on, and/or block such malware.
> *That's a separate threat model. DoH addresses surveillance, censorship, and injection by ISPs.*
As does DNS-over-TLS. Though since it has an official IANA port, this can be blocked.
> You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware.
And if malware leverages Cloudflare, am I supposed to block that? The ports associated with malware may be HTTPS.
It depends on the malware. If it's self-contained and only goes around encrypting things and then prints a message to send money to a pre-defined particular Bitcoin address, then it won't matter.
If it needs to phone home or otherwise contact an outside address (excluding hard-coded IP addresses), then presumably it needs to do a DNS look-up at some point.
Many botnets use pseudo-random DNS domains, and when the generation algorithm was figured out, people were able to get control of it:
Internet of Shit devices, Smart TVs, etc. would be unaffected by DNS-level adblocking. But to be fair, one shouldn't support such awful business practices by buying such devices anyways.
Everything? Horrible user experience, privacy concerns, malware aplenty, and if it's a device I'm buying it's pretty sketchy behavior throwing ads in it, since I'm not going to know that before buying it or be able to do anything about it.
You have no evidence that the devices would be more expensive. Your only evidence is that the companies would receive less income all else being equal. But what is the evidence that the trade off is your eyeballs instead of your dollars? And if the tv is perfect except for the ads, where do you get the more expensive, ad free version?
You can buy "dumb panels" but they apparently cost more. Some of that is that they're rated for rougher conditions being mounted in public places though. And why can't you respond to me?
I would presume that, like with DNS over DNS¹, a resolver could check /etc/hosts first prior to attempting to resolve over the network; do proposed DoH resolvers not do that?
Worse comes to worse, you could always run your own local resolver.
¹or whatever we're calling the original protocol now
DoH bypasses the normal resolver, and gives control over resolution to the browser. Not a big deal if your browser is from Mozilla. A little more concerning if your browser is from google.
That's how it's done now, because browsers want to push the tech when nobody else has yet bothered; but it would make a lot more sense in the long term for DNS to stay an OS-level concern, so I would expect DoH to be implemented by the OS DNS resolvers.
At the moment you can make a tv that resolves dns using 8.8.8.8 and looks at fancy.ads to display an ad in the tv guide/web browser/youtube app/whatever. But I can make my router direct any dns request back to itself and filter fancy.ads so that it never resolves to anything useful.
DNS over HTTPS means that you can make a tv that resolves dns using https://8.8.8.8 and looks at fancy.ads. But I can't mitm it because I don't have a suitable trusted certificate to respond to that request. So either the request to fancy.ads gets dropped and the request to online.movies.example.com gets dropped so I can't use my smart tv for its intended purpose. Or both get through.
Obviously things are different if the service uses standard OS level configuration so I can tell it to resolve dns using https://my.adblocked.dns or /etc/hosts. But nothing obliges any particular system to do that.
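What the router-side filtering in this comment (and the DNSmasq blocklist setup described earlier in the thread) does at the wire level, as an added example that is not code from the thread or from dnsmasq: parse a plain-DNS query, check the queried name against a blocklist in either hosts-file or dnsmasq `address=/name/` form (subdomains of a listed name count as blocked), and answer blocked A queries with 0.0.0.0. The blocklist, the name `fancy.ads` and the sinkhole address are constructed sample values; queries that are not blocked are returned as `None`, meaning "forward to the upstream resolver", which this offline example does not do.

```python
"""Minimal DNS sinkhole policy: parse a wire-format query, answer blocked
names with 0.0.0.0, hand everything else back for upstream forwarding."""
import struct

# Constructed sample blocklist (not a real feed) mixing the two line formats a
# dnsmasq-style setup commonly consumes: hosts lines and "address=/name/" lines.
BLOCKLIST_TEXT = """
# constructed sample, not a real feed
0.0.0.0 fancy.ads
127.0.0.1 tracker.example
address=/telemetry.example/
"""


def load_blocklist(text):
    """Return the set of blocked domain names from hosts- or dnsmasq-format lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("address=/"):
            name = line[len("address=/"):].split("/", 1)[0]
        else:
            parts = line.split()
            if len(parts) < 2:
                continue
            name = parts[1]
        blocked.add(name.lower().rstrip("."))
    return blocked


def is_blocked(name, blocked):
    """True if name or any parent domain of it is on the list (suffix match)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def encode_name(name):
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; a plain query should not carry one
            raise ValueError("compressed name in query")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, name, qtype=1):
    """Encode a standard recursive A query, i.e. what a client device sends."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_query(packet):
    """Return (txid, name, qtype, qclass) from a single-question query."""
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return txid, name, qtype, qclass


def sinkhole_response(packet, blocked, ttl=60):
    """Reply to a blocked A query with 0.0.0.0; return None for anything else
    (the caller forwards None cases to its upstream resolver)."""
    txid, name, qtype, qclass = parse_query(packet)
    if qtype != 1 or qclass != 1 or not is_blocked(name, blocked):
        return None
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    # answer: pointer to the question name, type A, class IN, ttl, rdlength 4
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes([0, 0, 0, 0])
    return header + question + answer


def answered_address(response):
    """Extract the IPv4 address from the single-answer reply this module builds."""
    ancount = struct.unpack(">H", response[6:8])[0]
    if ancount != 1:
        return None
    _, offset = decode_name(response, 12)
    offset += 4        # qtype, qclass
    offset += 2 + 10   # name pointer + type/class/ttl/rdlength
    return ".".join(str(b) for b in response[offset:offset + 4])
```

The suffix match is what makes `cdn.fancy.ads` fall under a `fancy.ads` entry, and it is also why the comment's point holds: the policy can only act on names it actually sees, so a device that resolves via a DoH endpoint the router cannot intercept never reaches `sinkhole_response` at all.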
If the TV manufacturer wanted to implement this mechanism, they wouldn't need DoH to do it. They could just put the ads right on online.movies.example.com and use TLS there. Any kind of ad-blocking mechanism based on DNS is trivially bypassable.
Suggesting that we should weaken encryption/privacy because some people plan to use it in ways that we don't like is just not a viable option. It's exactly the argument that governments are trying to use to mandate backdoors in our chat services. With encryption, it's all or nothing.
The solution is to do as most governments do [0]: sniff the SNI header during TLS handshakes and drop the connection if the domain matches your blocklist(s)/regex filters.
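The SNI check this comment proposes, as an added example that is not code from the thread: build a minimal TLS 1.2 ClientHello record as constructed test input, walk the handshake fields to the extensions block, pull the `server_name` out of extension type 0, and decide whether a network-level filter would drop the connection. The blocked names and `fancy.ads` are constructed sample values. The example also handles the case the next comment raises: a ClientHello with no plaintext SNI gives the filter nothing to decide on, which the code reports as `"unknown"` rather than silently passing.

```python
"""Extract the SNI host from a TLS ClientHello and decide whether a
network-level filter would drop the connection."""
import struct

BLOCKED_SUFFIXES = {"fancy.ads", "tracker.example"}  # constructed sample list


def build_client_hello(sni=None):
    """Construct a minimal, syntactically valid TLS 1.2 ClientHello record
    (constructed test input, not a capture). sni=None omits the extension."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_entry = b"\x00" + struct.pack(">H", len(host)) + host  # host_name type 0
        sni_list = struct.pack(">H", len(name_entry)) + name_entry
        extensions += struct.pack(">HH", 0, len(sni_list)) + sni_list
    # an unrelated extension (supported_versions, type 43) placed first so the
    # parser has to skip over something before it reaches SNI
    sv = b"\x02\x03\x03"
    extensions = struct.pack(">HH", 43, len(sv)) + sv + extensions
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack(">H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                      # handshake type + 3-byte length
    pos += 2 + 32                # client_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len           # session_id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len            # cipher_suites
    cm_len = hs[pos]
    pos += 1 + cm_len            # compression_methods
    if pos >= len(hs):
        return None              # no extensions block at all
    ext_total = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:        # not server_name
            continue
        lpos = 2                 # skip server_name_list length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack(">H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            if name_type == 0:   # host_name
                return data[lpos:lpos + name_len].decode("ascii")
            lpos += name_len
    return None


def verdict(record, blocked=BLOCKED_SUFFIXES):
    """'drop' if the SNI is a blocked name or a subdomain of one, 'pass' otherwise,
    'unknown' when the hello carries no plaintext SNI (the filter cannot decide)."""
    sni = extract_sni(record)
    if sni is None:
        return "unknown"
    labels = sni.lower().rstrip(".").split(".")
    if any(".".join(labels[i:]) in blocked for i in range(len(labels))):
        return "drop"
    return "pass"
```

In a real deployment the record would come from the first client-to-server segment of a new TCP connection on port 443; the parser above assumes the whole ClientHello arrived in one record and does not handle a hello split across records. The `"unknown"` branch is the operationally important one: a filter has to choose a default (fail open or fail closed) for hellos it cannot read, and that choice decides whether the smart TV in the earlier comment keeps working.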
I can't reply to my children, so I'm replying to myself instead.
Uponcoffee suggests inspecting the SNI header to drop the TLS handshake. So the DNS resolves fine, but when they try to connect to https://fancy.ads, that request is tampered with and fails. As far as I know, that depends on a bug in TLS which will be fixed in some future version, so that inspecting such a request becomes impossible.
NegativeLatency suggests installing an alternative certificate. This would presumably work if I have root access to my smart device. Maybe I can get access to root on my smart tv, I'm not sure, I don't use smart tvs.
But random people can't get access to root on their phone. It will break their banking apps. I can install an adblocker on my phone and accept the consequences of my actions. I'm not sure what the tradeoff between adblocking and banking apps is, even for me. I would probably want to write my own browser based app to let me log into my bank from a separate web browser - if I'm trying to log into my bank when I'm standing in the queue I don't want to piss fart around with stupid browser tabs.
I certainly can't tell my coworker "yeah I'll just install this ad blocker on your phone, it'll block some analytics too so your privacy will be a little more respected" if the only way to do it is to break their banking apps.
I mean, okay, the ads aren't unblockable. But we are at the point where I have to make a trade off between letting you run whatever code you want on my phone, and letting you not run any code at all on my phone. Capitalism depends on negotiation to work. If it's just "I'm a big company, use my service or don't", capitalism stops working.