by kuschku 2015 days ago
And that's why DNS over HTTPS was created in the first place, to get rid of ad blocking on Chromecast and Android.

On Android now Proxies don't apply anymore to apps like YouTube, and as these apps also use DoH, there's no way to block ads anymore.

All talk of "security" and "privacy" is false, as always it was all about profit. I honestly wonder if the people at Google working on DoH even knew why management supported their project, or if they genuinely believed they did something good while management secretly realised the potential profits from DoH.


Well, it's not like they were forced to do name resolution over DNS before... They could just as well deploy their own custom name resolvers and talk to them via IP from applications like YouTube for Android.

The scenario you're describing (DNS-level blocks) could always be circumvented.

On the other hand, if you live in the US and don't override the ISP's name servers, most probably they will spy on you and sometimes even do things like injecting ads into third party websites. This was the thing DoH was meant to solve.

> They could just as well deploy their own custom name resolvers and talk to them via IP from applications like YouTube for Android.

The Chromecast has 8.8.8.8 hardcoded, but recently an ISP started integrating ad-blocking via DNS filtering (with 8.8.8.8 MitM) in their ISP routers. That case actually went to court.

It'll always be possible to do the filtering as a prosumer, but the current state of the art of "it just works" ad blockers is something Google is fighting against (also see Manifest v3).

Your response to the first scenario didn't invalidate it - Google could have made a https://dns.google.com endpoint in 2013 before DoH and only allowed the Chromecast to work if it could get DNS responses from there.
Yeah, but that would require developers intentionally building an anti-adblock solution, while funding a solution like DoH allows Google to save face.
What percentage of Google's users do you think have a Pi-hole? I buy that their changes to ad blockers in Chromium are motivated by this kind of logic, since they are used by a material number of people. But for DoH it just doesn't add up, it's such a fringe case. It's also worth noting that DoH was spearheaded by Mozilla, Google just got on the ship at the next port.

Not every thing that big corporations say they do for security reasons or whatever is a cynical ploy. Do you think they're experimenting with post quantum cryptography in Chrome Canary in preparation to drop a 50k qubit quantum computer on the market sometime soon?

Some ISPs started integrating pi-hole functionality into their ISP routers, and that actually went to court.

On Android, some of the most popular apps are fake-VPNs which just register your own device as VPN with itself so they can filter ads.

This isn't about the pi-hole, this is about ad blocking becoming "too easy". You can always block DoH. But no ISP can include such a blocker by default easily anymore.

Wait, how do you block DoH without blocking other HTTPS traffic?

Do you have to block every known DoH server? Looking at Google's DoH certificate they list quite a few hostnames and IPs as Subject Alt Names:

    dns.google
    *.dns.google.com
    8888.google
    dns.google.com
    dns64.dns.google
    2001:4860:4860::64
    2001:4860:4860::6464
    2001:4860:4860::8844
    2001:4860:4860::8888
    8.8.4.4
    8.8.8.8
Issued by Google Trust Services...
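The question above (how to block DoH without blocking all of HTTPS) can at least be answered for known resolvers by matching on the names and IPs in the resolver's certificate. As an added example that is not from the thread, the Python below parses a subjectAltName list in the textual form `openssl x509 -text` prints it, matches destinations against the SANs quoted above (wildcards match one label, IPs are normalised), and flags port-443 flows to those endpoints; the flow records are constructed, and anything this misses is a resolver not on the list.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# SANs of Google's public DoH certificate as quoted in the comment above
# (copied from the page, not fetched live).
GOOGLE_DOH_SANS = [
    "dns.google", "*.dns.google.com", "8888.google", "dns.google.com",
    "dns64.dns.google", "2001:4860:4860::64", "2001:4860:4860::6464",
    "2001:4860:4860::8844", "2001:4860:4860::8888", "8.8.4.4", "8.8.8.8",
]

def parse_san_extension(text: str) -> List[str]:
    """Turn 'DNS:dns.google, IP Address:2001:4860:4860::8888' into bare values.
    Splitting on the first ':' keeps IPv6 literals intact."""
    values = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind.strip().lower() in ("dns", "ip address", "ip") and value:
            values.append(value.strip())
    return values

def matches_san(destination: str, sans: Iterable[str]) -> bool:
    """True if a hostname or IP literal is covered by one of the SAN entries."""
    try:
        dest_ip: Optional[ipaddress._BaseAddress] = ipaddress.ip_address(destination)
    except ValueError:
        dest_ip = None
    host = destination.rstrip(".").lower()
    for san in sans:
        try:
            san_ip = ipaddress.ip_address(san)
        except ValueError:
            san_ip = None
        if dest_ip is not None or san_ip is not None:
            if dest_ip is not None and san_ip == dest_ip:
                return True
            continue  # IP vs name never matches
        san_l = san.lower()
        if san_l.startswith("*."):
            suffix = san_l[1:]  # wildcard covers exactly one leftmost label
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == san_l:
            return True
    return False

# Constructed flow records: (destination IP, TLS SNI or None, destination port).
SAMPLE_FLOWS = [("8.8.8.8", "dns.google", 443), ("2001:4860:4860:0:0:0:0:8888", None, 443),
                ("203.0.113.10", "example.com", 443), ("8.8.8.8", None, 53)]

def flag_doh_flows(flows, sans=GOOGLE_DOH_SANS) -> List[Tuple[str, Optional[str], int]]:
    """Keep only port-443 flows whose destination IP or SNI is a known DoH endpoint."""
    return [(ip, sni, port) for ip, sni, port in flows
            if port == 443 and (matches_san(ip, sans) or (sni and matches_san(sni, sans)))]
```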
Google is digging as many moats as they can without triggering antitrust scrutiny. They have to plan for the future, not the here and now.