by Santosh83 2187 days ago
How is DoH a net loss to decentralization (by moving to a few major cloud providers) when DoH is merely encrypting the information to prevent MitM spying? Surely nothing stops your favourite ISP or any other local startup from providing DoH services right? Presumably the DNS servers will still talk to each other on the backend over plain text, but if a DoH front-end can be provided by ANY DNS service then how can it be accused of centralising the Internet?

> How is DoH a net loss to decentralization (by moving to a few major cloud providers) when DoH is merely encrypting the information to prevent MitM spying?

It is not merely encrypting the information. Hand-in-hand comes running the resolvers (which, as you noted, everyone can) and having all the DNS-using software use them.

Which is a much bigger problem, and that causes the centralization. Applications are coming today hard-coded for a specific resolver. Configuring it is application-specific and not automatable, and certainly not automatable in a generic manner for all applications. I.e. as a network operator you cannot say that everyone should be using this or that resolver, as you can with the plain old 53/udp DNS and DHCP.

Users are not going to reconfigure each and every application every time they change their network. They will leave it at the default value. The net effect is that the centralization will just happen.

Applications can choose to ignore the system resolver regardless of whether it's over UDP or HTTPS. DoH/DoT is showing up in operating system resolvers, just not as fast as apps like browsers were willing/able to add it. Standard DHCP options for defining DoH details are still missing though (I think, haven't checked in a while).
> Applications can choose to ignore the system resolver regardless if it's over UDP or HTTPS.

They can, but up until Firefox legitimized this practice, they didn't, except maybe some malware.

> DoH/DoT is showing up in operating system resolvers just not as fast as apps like browsers were willing/able to add it.

The browsers were so fast that they skipped the discussion about the ramifications of this change with the rest of the community and just abused their position. One might even wonder why.

Does not make for good relations in future.

> Standard DHCP options for defining DoH details are still missing though

Yup. Here, browsers are not using their position to finish their push, so maybe the situation is acceptable for them.

On one hand you say browsers are to blame because they went too far too fast bypassing the OS DNS and on the other you say browsers are to blame because they didn't go far and fast enough bypassing the OS DHCP client.

Again are your arguments actually about DoH causing centralization or are you just talking about browsers causing positioning centralization irrespective of the technology?

> On one hand you say browsers are to blame because they went too far too fast bypassing the OS DNS

Yup, they shouldn't have done this.

> On one hand you say browsers are to blame because they went too far too fast bypassing the OS DNS

No. I'm saying that once they did what they did, they should have finished the job. They left it unfinished.

> Again are your arguments actually about DoH causing centralization or are you just talking about browsers causing positioning centralization irrespective of the technology?

My point is that the way DoH was implemented is causing centralization. DoH could be implemented without causing this effect.

I think what the parent is saying is that unencrypted DNS queries you can intercept; with DoH you couldn't do that anymore.
Because I as a user have a hard time configuring my computer to use a different resolver.