by bluejekyll 663 days ago
No, that is not the entire point of DoH. That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.

DNS without DoH, DoT, or DoQ is wide open to anyone snooping traffic in the raw; that’s not necessarily information you want to share with the world.

4 comments

Which (for people not handing all of their DNS traffic over to google anyway) usually just means that their ISP can see their DNS traffic which is kind of a moot point because your ISP can see the domains you go to even with DoH.

If somebody is on your local network capturing packets or they've cracked your wifi, you've got bigger problems than your DNS leaking a list of domains. They'll also see the IP of every server you visit online anyway.

The way DoH is implemented usually means that all of your DNS traffic is collected by some third-party for-profit corporation like Cloudflare anyway (who admittedly will already know most of the domains you visit anyway because of how often Cloudflare's IP space is where DNS will point you).

There really aren't any good options for DNS and privacy, just a lot of compromises. Host your own. Or, if your ISP is trustworthy, you might be better off using what they provide. The DNS traffic between you and your ISP's servers should never leave their network.

ISPs seeing the domains of user traffic is not a given. And DoH is a step toward mitigating that.

People were setting their DNS resolver to custom values before DoH.

I agree that DoH would ideally be enabled at the OS level, or that the browser flow would default to still checking host file before sending out the query.

Unless you are using a VPN, your ISP can see the IPs you are communicating with regardless of the hostnames associated with them and in turn resolve those back to hostnames or at least netblock owners.

True, but in the cloud era, destination IPs don't mean what they used to. If people wash their blog with AWS or Cloudflare or Netlify, etc., the destination IP means little.

They're not talking about IPs. They're talking about SNI, which communicates the target hostname in the clear before the HTTPS session is established. ECH addresses that problem, but that is only recently starting to see wider use.

DoH is pushed by Google et al. to ensure you continue to provide your data to them.

The browser should respect the OS. The OS should respect the network (DHCP/SLAAC). If you want to override this then that should be an active choice by the user.

I am quite happy with my OS using normal dns (via WireGuard when out) to my dns server which blocks bad domains before they even reach my firewall, I don’t need DoH, although I have no problem with that as a concept.

What I don’t like is my browser taking away my choice and breaking the model. It should defer to the OS (and I can’t see any time I wouldn’t want it to defer to the OS)

DoH is necessary because ISPs snoop on DNS traffic and meddle with it. DNS is sending everything in clear text and has no protection from modification.

As for DoH, you can choose not to use it, or use your own DoH server. I see no problems with it.
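The comments above contrast plain DNS, which puts the query name on the wire in clear text, with DoH, which carries the very same wire-format message inside an HTTPS request. This added example (not from the thread) builds the RFC 1035 query, forms the RFC 8484 GET URL for it, and parses a constructed answer; the resolver URL `https://doh.example/dns-query` and the 192.0.2.1 answer are placeholders.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035) for an IN record. RFC 8484 recommends
    ID 0 for DoH so identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QCLASS=IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw query goes in ?dns= as unpadded base64url."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return resolver_url + "?dns=" + param

def decode_dns_param(param: str) -> bytes:
    """Inverse of the ?dns= encoding (restores the stripped padding)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_a_records(response: bytes) -> list:
    """IPv4 addresses from the answer section of a wire-format DNS response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    pos = 12
    while response[pos] != 0:                 # skip QNAME labels
        pos += 1 + response[pos]
    pos += 1 + 4                              # root label, QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        if response[pos] & 0xC0 == 0xC0:      # compression pointer back to QNAME
            pos += 2
        else:
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs

def sample_response() -> bytes:
    """Constructed reply to build_dns_query("example.com"): one A record
    pointing at 192.0.2.1 (documentation range), TTL 300."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + build_dns_query("example.com")[12:] + answer
```

Sent over UDP port 53 the bytes from build_dns_query are readable by anyone on the path; in the DoH URL they sit inside TLS, so only the resolver operator sees them, which is the trade-off the thread is arguing about.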

The entire point of DoH is to take away control of DNS from the OS vendor to the browser.

There were other encrypted standards (DNSCrypt, for example) that didn't require you to do that, but the one that bypasses the OS was forced by the adtech monopolist in charge.

No, the point of DoH is to take control of DNS from ISPs (and related middlemen) and give it back to site/service owners (so their settings are not overridden for whatever reason) and the end-user (so their habits are not as easy to disrupt or track at the ISP level).

> but the one that bypasses the OS was forced by adtech monopolist in charge.

Assuming by “adtech monopolist in charge” you mean Google, I don't think taking control from the OS would benefit them given they effectively have control of more than two thirds of the mobile market share globally [1], so they are shooting themselves in the foot as much as anyone else – so I assume there are practical reasons [2], or purely technical ones, for DoH being their preferred choice (assuming they are pushing a preference).

And anyway, there is nothing that says applications have to implement DoH instead of letting the OS do that, Chrom{e|ium} and FF have gone that way in part because base OS support wasn't (isn't?) commonly available/enabled.

----

[1] Less than two thirds if you only count the US, as some published figures do, because Apple does rather better there compared to global averages.

[2] Isn't DNSCrypt's standard still officially a work in progress?

If it was implemented at an OS level and respected standard configuration then fine, DoH, DoT, whatever, I’m happy.

However it wasn’t, and it doesn’t defer to the OS or the network. I can’t set a DHCP option on my network to tell my dozens of clients what DNS server to use; I have to manually adjust each browser. I additionally get different results depending on what I use: my browser will contact a different server than any other application.

That’s broken behaviour which benefits AdTech companies like Google.

> I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser.

But at that point, you are effectively the ISP trying to control how users do DNS, in a way that might enable you to track/block/redirect. You might be trustworthy to your users so that is fine, but that isn't the case for every user's relationship with their service providers.

Is there an arrangement that would stop less trusted networks from tracking/redirecting/blocking DNS requests without (accidentally) helping AdTech by making DNS-based blocking harder?

As I run the OS I can choose to accept the hint or override the DNS servers.

Completely forgot to come back to this a week ago (busy times…) but this more recent one (which touches on the same issues of inconvenience for some and whether it should take precedence over the safety concerns of others) reminded me: https://news.ycombinator.com/item?id=41471510#41472889

> doesn’t defer to the OS or the network

First, you can disable encrypted DNS; second, you can set up your own DNS server and set up the browser to use it. And your own DNS server will respect the DHCP config.

Personally I would like OS to completely ignore DHCP config (like proxy or DNS server address) because those features can be misused for malicious purposes.

> That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.

In the case of mobile apps, it is.

Can you clarify that statement?

A lot of mobile apps use TLS connections when communicating with their backends.

You can MITM the traffic, and continue to deliver the traffic using a self signed certificate that you’ve trusted on your mobile device, and boom, you can capture the traffic at your proxy point and be happy.

A lot of mobile apps use certificate pinning to ensure that the backend certificate matches what the app expects. Now your self-signed certificate, even though it’s trusted at the OS level, no longer matches the certificate that the app is expecting, and no data is exchanged after the TLS handshake fails.

A lot of mobile apps use TLS with certificate pinning, so even if the user installs a system-wide root CA, the app doesn't accept it and won't let the user look at what data is being sent to the servers.