by snvzz 2282 days ago
This is a nice workaround for those stuck under censorship regimes such as the UK, South Korea, Turkey, India or China.

Now, Encrypted DNS (thanks to DNS over TLS/HTTPS) and HTTPS (thanks to Let's Encrypt and HSTS) are getting deployed somewhat widely.

The next step is encrypted SNI[0], and it'll get this much harder to do any meaningful DPI, for censorship or else.

[0]: https://en.wikipedia.org/wiki/Server_Name_Indication#Securit...

There are two edges to this sword.

DoH also means breaking stuff like Pi-hole and other ad filtering. It means you trust companies like Google, who base their revenue off ads, or Cloudflare, who have censored content numerous times in the past, to serve you DNS.

It's also kind of pointless if the state knows you're using it outside of a tunnel... they can just watch your next packets to see where you decided to go.

Quick thought. If software wanted to, could it not, today, bypass your DNS resolvers anyway? Choosing to use DoH on software where you control the DNS resolution seems like an unambiguous win. FWIW, the Chromium implementation of DoH upgrading only upgrades you to DoH if your configured DNS provider is known to support it via a hardcoded list.

In theory, you could have Pi-hole resolve using a DoH resolver and your devices resolve using Pi-hole, and have the best of everything.

(Disclaimer: Google employee, not working on ads or Chromium or DNS.)

Also in practice. It's one of the check-boxes in the Pi-hole settings.

This is a fundamental flaw of content blocking based on host name. It often happens to work, but there's no rule that says that it has to, and really no good reason why it should be guaranteed to.

Isn't there a way to use Pi-hole as your DNS server and let it use DoH?

That way you could do DNS to Pi-hole, do the filtering, and let it use DoH to the outside world.

> DoH also means breaking stuff like Pi-hole and other ad filtering.

No, it doesn't.

E.g. I run DoH behind my home's DNS cache server.

> It's also kind of pointless if the state knows you're using it outside of a tunnel... they can just watch your next packets to see where you decided to go.

This is where HTTPS and eSNI further help.

> E.g. I run DoH behind my home's DNS cache server.

I think GP is referring to the fact that apps can now bypass network- or OS-wide DNS stub/recursive resolvers undetected with DoH.

> This is where HTTPS and eSNI further help.

I believe TLS v1.3 specifically has anti-censorship and anti-surveillance properties baked in: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

They could have had their own resolver before, or even hard-coded IPs.

Using software that doesn't respect you is the problem.

Firewalls can redirect port 53 to another IP. That prevents things from hard-coding a specific IP.

https://forum.opnsense.org/index.php?topic=9245.0

Euh, it prevents a custom resolver, sure, but hard-coded IPs bypass the need for DNS completely.

> cloudflare who have censored content numerous times in the past

Besides Stormfront[0], what else did they censor?

[0] https://en.wikipedia.org/wiki/Stormfront_%28website%29

I wouldn't call that censoring either. They just refused to provide any services for them.

Indeed, "deplatforming" isn't equivalent to "censoring".

8chan

Pi-hole is a short-term solution; it is the wrong long-term one. It only works as long as these holes exist. Blocking needs to be done in the browser, or on your computer, to be done more securely.

Pi-hole helps for network devices where blocking on the device isn't possible. Examples in my household are the TV, which tries to connect to an obvious telemetry address, all my Sonos devices (love 'em, hate 'em), the Nest device, and the apps on all phones. I struggled to block those until the Pi-hole made it easy.

Does this just become an arms race where root certificates or some sort of device management tools are forced onto citizens' devices?

Kazakhstan just recently conducted an experiment with sending people an SMS telling them to install a root cert. And Russia is making it mandatory to install not-yet-determined Russian software on all newly sold machines, which will quite probably soon include an FSB cert.
Yes, it's a clever workaround, and it requires no remote server.

I still prefer VPNs and Tor, but hey.