And that's why DNS over HTTPS was created in the first place, to get rid of ad blocking on Chromecast and Android.
On Android now Proxies don't apply anymore to apps like YouTube, and as these apps also use DoH, there's no way to block ads anymore.
All talk of "security" and "privacy" is false, as always it was all about profit. I honestly wonder if the people at Google working on DoH even knew why management supported their project, or if they genuinely believed they did something good while management secretly realised the potential profits from DoH.
Well, it's not like they were forced to do name resolution over DNS before... They could just as well deploy their own custom name resolvers and talk to them via IP from applications like YouTube for Android.
The scenario you're describing (DNS-level blocks) could always be circumvented.
On the other hand, if you live in the US and don't override the ISP's name servers, most probably they will spy on you and sometimes even do things like injecting ads into third party websites. This was the thing DoH was meant to solve.
> They could just as well deploy their own custom name resolvers and talk to them via IP from applications like YouTube for Android.
The Chromecast has 8.8.8.8 hardcoded, but recently an ISP started integrating ad-blocking via DNS filtering (with 8.8.8.8 MitM) in their ISP routers. That case actually went to court.
It'll always be possible to do the filtering as a prosumer, but the current state of the art of "it just works" ad blockers is something Google is fighting against (also see Manifest v3).
Your response to the first scenario didn’t invalidate it - Google could have made a https://dns.google.com endpoint in 2013 before DOH and only allowed the Chromecast to work if it could get dns responses from there.
What percentage of Google's users do you think have a pi hole? I buy that their changes to ad blockers in Chromium are motivated by this kind of logic, since they are used by a material number of people. But for DoH it just doesn't add up, it's such a fringe case. It's also worth noting that DoH was spearheaded by Mozilla, Google just got on the ship at the next port.
Not every thing that big corporations say they do for security reasons or whatever is a cynical ploy. Do you think they're experimenting with post quantum cryptography in Chrome Canary in preparation to drop a 50k qubit quantum computer on the market sometime soon?
Some ISPs started integrating pi-hole functionality into their ISP routers, and that actually went to court.
On Android, some of the most popular apps are fake-VPNs which just register your own device as VPN with itself so they can filter ads.
This isn't about the pi-hole, this is about ad blocking becoming "too easy". You can always block DoH. But no ISP can include such a blocker by default easily anymore.
Unlike DNS over TLS, and plain old DNS, the only way to 'redirect any traffic' is to have a blocklist of known DoH hosts, since it's just HTTPS, port 443, traffic, you can't tell if it's your page load or a DNS query.
As of today, how many DoH servers are running from IP addresses also used for serving websites? In the testing I have done with publicly advertised DoH servers, generally, the IPs are only used for DoH (sometimes DoT, too). Of course this could change.
The localhost forward proxy I use can distinguish DoH requests from other HTTP requests because the DoH query URL structures used are mostly the same; they follow RFC8484. As of today, it is easy to probe IP addresses for listening DoH servers. The list of "known DoH hosts" is still quite small. Of course this could change.
To be clear, I am definitely not a proponent of applications ignoring user system-wide DNS settings and using DoH to obscure that fact. I have long run localhost root and DNS for myself and have no need for third party DNS, whether ISP or open resolvers.
However, as an end user I see no reason to trust any outgoing HTTPS traffic from applications authored by folks who are agreeable to online advertising as a business model.
The greatest threat I face is online advertising, not DNS lookups associated with malware. With DoH, HTTPS traffic could contain an unwanted DNS request, but prior to DoH it could also contain data to be used for tracking and advertising purposes. I felt the need to start monitoring/MITM'ing the HTTPS traffic on the private networks I control long before anyone proposed DoH. I would guess many corporations and other organisations do the same.