[danShumway]

> DoH does absolutely nothing that helps privacy since the destination IP address is always clear

There are multiple situations where destination IPs are shared across multiple websites, and DNS blacklisting is a common censorship technique in multiple firewalls and ISP blacklists.

This take is just completely wrong. Of course DNS records should be handled via HTTPS, of course it's a bad idea to do DNS via plaintext. This shouldn't be complicated, why are we still fighting over whether or not encrypting personal data in transit is a good idea?

I have seen more people on Hackernews than anywhere else on the entire web bash HTTPS encryption, and I genuinely do not understand how this forum, of all places, can be home to such a bad security take. Stop designing and advocating for Internet protocols to be monster-in-the-middled!

[unixsheikh]

Yeah, let's start feeding our mail, ftp, ntp, and everything else over HTTPS as well now we're at it!

DoH is DNS done completely wrong. It's the worst patch solution to a problem that should have been solved correctly long ago!

[danShumway]

> Yeah, let's start feeding our mail, ftp, ntp, and everything else over HTTPS as well now we're at it!

...yes?

Holy crud, this is practically the most basic principle in security. If you don't want somebody to read it, encrypt it. This is exactly why we don't use email, unencrypted ftp, or SMS for anything that needs security or privacy. Don't send important information over plaintext!!

[unixsheikh]

I think you misunderstand. Of course everything needs to be encrypted. However, feeding everything through HTTPS is WRONG! This is basic computer and network engineering. If you want to encrypt DNS, fine encrypt DNS, but flipping leave the HTTPS protocol out of it!

Furthermore, the destination IP address is ALWAYS in clear text when you use HTTPS. Which demonstrates exactly why this is so wrong.

DoH - is fake privacy, it's nothing more than extra sugar on Cloudflares spying cake - and more funding for Mozilla.

Wake up.

[danShumway]

If you don't encrypt the DNS lookup, it doesn't matter whether or not you're hiding the IP address. And it's just false in general that DoH doesn't improve privacy today, even with the current IP situation.

I mentioned this above, but there are plenty of shared hosting servers that don't have unique IP addresses for every domain. This is not an uncommon thing, and it's one of the reasons why DNS blocking is so common in firewalls, even at the ISP/nation-state level. DoH will also obscure the vast majority of subdomains for a given domain, which, again, are often sharing IPs with each other.

Aside from that, DNS leaking is also very common when inexperienced users set up VPNs, and DoH basically gets rid of plaintext DNS leaks entirely.

Look, would it be nice to get rid of IP addresses? Yes. Does anybody have a scalable solution for getting rid of IP addresses that can be deployed today? No. The closest we have is the Tor network, which is not fast enough or robust enough to handle everyone on the Internet. I have very little sympathy for the argument that because SNI encryption isn't completely rolled out yet and because everyone isn't on Tor that we should ignore solveable security/privacy problems in the meantime.

There are multiple privacy issues with the way we currently connect to websites, and DoH solves one of those issues with very little if any downside. It's worth doing.

> This is basic computer and network engineering. If you want to encrypt DNS, fine encrypt DNS, but flipping leave the HTTPS protocol out of it!

Why? Why not use a single protocol that's widely tested and trusted by security experts? I mean, we didn't come up with a brand new encryption strategy for FTP, we made FTPS.

Why on earth would we want to use 5 different encryption protocols in the browser? That's just pointlessly adding attack surface. What's wrong with HTTPS that means it's a bad fit for encrypting a DNS query? A DNS query is essentially at its core an HTTP request to a remote server, and HTTPS is already very good at encrypting HTTP requests. There's no need to reinvent the wheel here.

By and large, I have not seen any real criticism of using HTTPS for DNS from security experts based on the technology itself -- they all seem to think the technology is fine. Virtually all of the current criticism from industry is coming from corporate players and ISPs who are mad that they won't be able to monitor DNS queries any more. And the fact that they're mad about that is strong evidence that DoH does provide a security gain. Corporations and ISPs would not be complaining about a privacy feature with no benefit to consumer privacy.

> it's nothing more than extra sugar on Cloudflares spying cake - and more funding for Mozilla

This is just blatant conspiracy. It's no harder for anyone to set up a DoH server than it is for them to set up a DNS server. There is nothing in DoH that gives Cloudflare more control over the web other than that they currently sponsor one of (if not the) most private DoH servers on the web today.

You can go into Firefox today and use any DoH server you want with zero consequence or downside. Chrome, by far the dominant browser on the web, does not use Cloudflare's DoH servers by default. There are reasons to be skeptical of Cloudflare in general, but if DoH in particular is a power grab by Cloudflare, then it's a pretty ineffective one.

[unixsheikh]

> Why? Why not use a single protocol that's widely tested and trusted by security experts? I mean, we didn't come up with a brand new encryption strategy for FTP, we made FTPS.

> Why on earth would we want to use 5 different encryption protocols in the browser? That's just pointlessly adding attack surface. What's wrong with HTTPS that means it's a bad fit for encrypting a DNS query? A DNS query is essentially at its core an HTTP request to a remote server, and HTTPS is already very good at encrypting HTTP requests. There's no need to reinvent the wheel here.

This is where you're wrong. A DNS request is far from the same as a HTTP request!

You don't seem to understand how the technology really works in the underlying protocol.

HTTPS is designed to encrypt HTTP traffic, it was never designed to be stuffed by other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT e.g.

Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.

If you want to solve the obvious problems with DNS, you don't keep doing the same mistake over and over again by patching with the same half-baked solution.

DoH does not solve ANY of the issues it is set out to do! I have worked for a long time in the ISP industry, users gets tracked by source IP and destination IP mainly, and figuring out what particular website they have visited, even when the hosting provider has multiple websites running on the same IP, is so easy just by looking at a hash of the payload that it is ridiculous.

DoH is "fake privacy". Period.

[danShumway]

> HTTPS is designed to encrypt HTTP traffic, it was never designed to be stuffed by other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT e.g.

No, I don't see what you're getting at. DoH is an almost strict upgrade over DoT, specifically because DNS queries get mixed in with regular traffic so they can't be separated and analyzed on their own.

I stand by my point, the differences between DNS and HTTP are not large enough to justify the kind of separation you're advocating for. This is not such a fundamentally different technology that we need to use multiple separate systems to handle it, and people definitely shouldn't be advocating for DoT over DoH. The fact that DoT uses a dedicated port is a weakness, not a strength.

For you to argue that DoH is fake privacy, and then to advocate for DoT of all things as a superior alternative makes me skeptical of rest of your arguments. We don't want user DNS settings to be subject to the whims of network operators.

> Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.

> DoH is "fake privacy". Period.

DoH can't be both fake privacy and masking worms/ruining traffic analysis at the same time. Either it works or it doesn't, pick a lane.

The fact that ISPs, governments, and network administrators are complaining about DoH is strong evidence that it is an improvement over the current system, because the whole point of DoH is to prevent 3rd-parties from doing traffic analysis and blocking on DNS queries without the user's permission for any reason at all.

ISPs would not be complaining about this if it didn't affect their tracking and blocking capabilities. Network admins would not be complaining about this if it didn't make their jobs harder. The fact that they are complaining about this means we're doing something right.