by dpenguin 2188 days ago
There are a lot of arguments from the proponents of DoH (not this article) about how DoH with TLS 1.3 will give us privacy etc., but it's basically moving the trust from ISPs to CDNs. There are fewer major browsers and fewer major CDNs than ISPs, I suppose, so not sure if it's a good move.
3 comments

> but it’s basically moving the trust from ISPs to CDNs.

Not just CDNs, ISPs can certainly operate their own DoH servers on their existing DNS infrastructure. If they want to continue selling their users' browsing data to marketing firms, that is what they will have to do.

This also moves trust to the browser and OS TLS certificate stores, which may be problematic depending on your opinion of whether or not you can trust every single one of the governments and organizations behind the hundreds of root CAs.

People can host their own DoH server themselves. If I can set up DoH and a VPN over one weekend with a Raspberry Pi, then others can do it too.

I am using DNSCryptProxy on a Pi and it fully supports DoH + eSNI even without cloudflare. Works perfectly with Firefox.

The service picks from 65 DoH servers based on the fastest ping time.

That was/is a lot better than before, when in reality my only choice was my ISP DNS. In fact I just learned that for the last few years my ISP was hijacking all DNS requests anyway.

Why can't the ISPs run DoH too?

I agree that due to social issues the problems are fairly real (ISPs ain't gonna do shit). But on a purely technical level DoH should be fine.

They can. But the problem lies with Browsers (looking especially at Firefox) just ignoring that. The technical aspects of DoH (or DoT) are fine.
Mozilla provides a clear policy for how you get your resolver onto their list. US ISPs (the DoH resolver is only enabled by default in the US) could obey that policy and apply to be added to the list.

But it seems like none of them have done that. Maybe the policy terms are objectionable? Let's see:

"Only aggregate data that does not identify individual users or requests may be retained beyond 24 hours."

But how will the poor ISP make extra money selling DNS query information?

"When a domain requested by the user is not present, the party operating the resolver should provide an accurate NXDOMAIN response and must not modify the response or provide inaccurate responses that direct the user to alternative content."

An ISP that obeys this can't put up advertising banners or sell search engine redirects when you typo a name - they'll have to actually earn money providing Internet service instead.
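The two things discussed above, a DoH client talking RFC 8484 wire format (as dnscrypt-proxy does on behalf of Firefox in the Pi setup mentioned earlier) and the NXDOMAIN-honesty requirement in Mozilla's resolver policy, can be checked from the client side with the same few dozen lines. The script below is an added example, not code from the thread, from dnscrypt-proxy or from Mozilla: it builds a DNS query for a random, nonexistent subdomain, POSTs it to a DoH resolver as `application/dns-message`, and classifies the answer as an honest NXDOMAIN or a synthesized address (the typo-redirect behaviour the policy forbids). The resolver URL, the `example.com` probe zone, and the `fake_response` helper that fabricates replies so the parser can be exercised offline are assumptions for the example.

```python
import secrets
import struct
import urllib.request

# Assumed DoH endpoint for the live probe; any RFC 8484 resolver works.
DOH_URL = "https://1.1.1.1/dns-query"
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def build_query(qname, qtype=1, txid=0):
    """Build an RFC 1035 wire-format query (A record by default).
    RFC 8484 recommends ID 0 for DoH so responses are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Parse header, skip the question section, and collect A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    a_records = []
    other = 0
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
        else:
            other += 1
    return {"id": txid, "rcode": flags & 0x000F, "a_records": a_records, "other": other}


def classify(resp):
    """Judge a reply to a query for a name that must not exist."""
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["a_records"]:
        return "nxdomain-honored"
    if resp["rcode"] == RCODE_NOERROR and resp["a_records"]:
        return "nxdomain-hijacked"  # resolver synthesized an address for a bogus name
    return "other"  # SERVFAIL, REFUSED, or an empty NOERROR: inspect by hand


def doh_resolve(wire, url=DOH_URL):
    """Send the query over DoH (RFC 8484 POST) and return the raw wire reply."""
    req = urllib.request.Request(
        url, data=wire, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return r.read()


def fake_response(query_wire, rcode, a_record=None):
    """Constructed sample reply for offline testing (not captured traffic):
    echoes the question, sets RCODE, and optionally adds one A record."""
    txid, = struct.unpack("!H", query_wire[:2])
    ancount = 1 if a_record else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if a_record:
        # name pointer to the question at offset 12, type A, class IN, TTL 60
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answer += bytes(int(x) for x in a_record.split("."))
    return header + query_wire[12:] + answer


if __name__ == "__main__":
    probe = f"{secrets.token_hex(6)}.example.com"  # random label: must be NXDOMAIN
    resp = parse_response(doh_resolve(build_query(probe)))
    print(probe, classify(resp), resp)
```

Run it against several resolvers (the ISP's, if it offers DoH, and the ones on Mozilla's list) and against plain UDP port 53 to the ISP resolver for comparison; a `nxdomain-hijacked` result is exactly the behaviour the quoted policy text rules out, and it is the kind of evidence the thread later says should be brought to Mozilla. Use a zone you control rather than `example.com` if you also want to rule out wildcard records on the zone itself.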

Mozilla can't verify that the providers behave. Apart from the obvious NXDOMAIN answers (not many providers will do so).

Also it is questionable why a free service would be better than a paid one. If one assumes that the ISP is evil, DNS providers are not suddenly less evil.

As with its Trust Store Mozilla operates in public. If you believe that providers aren't behaving you can and should present evidence to the community.

Mozilla isn't suggesting you choose services based on how cheap they are, but on whether they implement these policies.

NextDNS, who are on Mozilla's list, offer a paid service if you want advertising filters or porn filtering or whatever but if you're damn sure you "get what you pay for" then pay them their subscription fee and don't switch on any filters.

>Mozilla isn't suggesting you choose services based on how cheap they are, but on whether they implement these policies.

Mozilla doesn't know if they do. They can't verify it. So if Mozilla says "Cloudflare and Nextdns adhere to our policies", it's not verifiable by me, nor by them. I don't see a "trust but verify" implementation. This is my gripe with this behaviour.