by dredmorbius 2545 days ago
How does DoH make any of this worse than straight UDP/53 DNS?

You seem to be manufacturing a hypothetical threat that isn't actually impacted by DoH, to no clear end.

Malware already exploits specific IP spaces (DUL, datacentres, AWS), and ports (20, 22, 25, 53, 80, 443, ...), as well as vectors such as adtech networks, IFRAME, and XHR. Those are blocked as best as possible, leveraging numerous signatures, to varying degrees of effectiveness.

Methods are not perfect. But if they on net reduce or manage risks more effectively, they're a net win.

Again, DoH, either in the browser or at the LAN level, addresses a specific set of known risks. And I'm not seeing the caveats you're suggesting as either more severe or non-mitigable.