by danShumway 2034 days ago
> HTTPS is designed to encrypt HTTP traffic; it was never designed to be stuffed with other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT e.g.

No, I don't see what you're getting at. DoH is an almost strict upgrade over DoT, specifically because DNS queries get mixed in with regular traffic so they can't be separated and analyzed on their own.

I stand by my point, the differences between DNS and HTTP are not large enough to justify the kind of separation you're advocating for. This is not such a fundamentally different technology that we need to use multiple separate systems to handle it, and people definitely shouldn't be advocating for DoT over DoH. The fact that DoT uses a dedicated port is a weakness, not a strength.

For you to argue that DoH is fake privacy, and then to advocate for DoT of all things as a superior alternative, makes me skeptical of the rest of your arguments. We don't want user DNS settings to be subject to the whims of network operators.

> Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.

> DoH is "fake privacy". Period.

DoH can't be both fake privacy and masking worms/ruining traffic analysis at the same time. Either it works or it doesn't, pick a lane.

The fact that ISPs, governments, and network administrators are complaining about DoH is strong evidence that it is an improvement over the current system, because the whole point of DoH is to prevent third parties from doing traffic analysis and blocking on DNS queries without the user's permission for any reason at all.

ISPs would not be complaining about this if it didn't affect their tracking and blocking capabilities. Network admins would not be complaining about this if it didn't make their jobs harder. The fact that they are complaining about this means we're doing something right.
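The comment's central technical claim is that DoT's dedicated port (853, per RFC 7858) makes it separable from everything else by port number alone, whereas DoH (RFC 8484) rides on 443 and can only be picked out if the monitor already knows which endpoint is a resolver. The following is an added example, not code from the thread or from any DoH/DoT implementation: a small flow classifier over constructed flow records, showing that the DoT branch needs nothing but the port while the DoH branch depends on a maintained resolver list (the resolver hostname here is a constructed placeholder).

```python
"""Classify network flows to show why DoT is trivially separable by port
while DoH is only separable by resolver identity. Added example with
constructed data; it is not the page's or any project's code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumption: a defender-maintained list of public DoH resolver hostnames.
# The entry below is a constructed placeholder, not a real resolver.
KNOWN_DOH_RESOLVERS = {"dns.example-resolver.test"}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    sni: Optional[str]    # TLS Server Name Indication if observed, else None


def classify(flow: Flow) -> str:
    """Return a coarse label for one flow based only on what a passive
    network monitor can see: destination IP, port, transport, and SNI."""
    if flow.dst_port == 53:
        # Cleartext DNS: every query and answer is inspectable.
        return "plain-dns"
    if flow.dst_port == 853 and flow.proto == "tcp":
        # DoT (RFC 7858): the dedicated port alone identifies it, which is
        # the "weakness" the comment refers to. Contents stay encrypted,
        # but the flow can be singled out, blocked, or logged by port.
        return "dot"
    if flow.dst_port == 443:
        if flow.sni in KNOWN_DOH_RESOLVERS:
            # DoH (RFC 8484) is only recognisable because the monitor
            # already knows this endpoint is a resolver.
            return "doh-suspected"
        # Otherwise it is indistinguishable from ordinary HTTPS.
        return "https"
    return "other"


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count flows per label; what a monitoring dashboard would show."""
    counts: Dict[str, int] = {}
    for flow in flows:
        label = classify(flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample flows (addresses are documentation ranges, RFC 5737).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 53, "udp", None),                            # plain DNS
    Flow("192.0.2.20", 853, "tcp", "dot.example.test"),             # DoT
    Flow("198.51.100.5", 443, "tcp", "www.example.test"),           # web
    Flow("198.51.100.6", 443, "tcp", "dns.example-resolver.test"),  # DoH, known
    Flow("198.51.100.7", 443, "tcp", "cdn.example.test"),           # DoH or web? unknowable
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.dst_ip}:{flow.dst_port} sni={flow.sni!r} -> {classify(flow)}")
    print(summarize(SAMPLE_FLOWS))
```

Note the last sample flow: if that endpoint were an unlisted DoH resolver, the classifier would file it under plain `https`, which is exactly the property the comment argues for and network administrators argue against. Keeping the resolver list current is the only lever a monitor has for DoH, whereas the DoT rule never needs updating.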