[Xelbair]

The entire point of DoH is to take away control of DNS from the OS vendor to the browser.

There were other encrypted standards(dnscrypt for example) that didn't require you to do that, but the one that bypasses the OS was forced by adtech monopolist in charge.

[dspillett]

No, the point of DoH is to take control of DNS from ISPs (and related middlemen) and give it back to site/service owners (so their settings are not overridden for whatever reason) and the end-user (so their habits are not as easy to disrupt or track at the ISP level).

> but the one that bypasses the OS was forced by adtech monopolist in charge.

Assuming by “adtech monopolist in charge” you mean Google, I don't think taking control from OS would benefit them given they effectively have control of more than two thirds of the mobile market share globally¹ so they are shooting themselves in the foot as much as anyone else – so I assume there are practical reasons², or purely technical ones, for DoH being their preferred choice (assuming that are pushing a preference).

And anyway, there is nothing that says applications have to implement DoH instead of letting the OS do that, Chrom{e|ium} and FF have gone that way in part because base OS support wasn't (isn't?) commonly available/enabled.

----

[1] A less than two thirds if you only count the US, as some published figures do, because Apple does rather better there compared to global averages.

[2] isn't dnscrypt's standard still officially a work-in-progress?

[chgs]

If it was implemented at an OS level and respected standard configuration then fine, DoH, DoT, whatever, I’m happy.

However it wasn’t, and it doesn’t defer to the OS or the network. I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser. I additionally get different reaults depending what I use, my browser will contact a different server than any other application.

That’s broken behaviour which benefits AdTech companies like Google.

[dspillett]

> I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser.

But at that point, you are effectively the ISP trying to control how users do DNS, in a way that might enable you to track/block/redirect. You might be trustworthy to your users so that is fine, but that isn't the case for every user's relationship with their service providers.

Is there an arrangement that would stop less trusted networks from tracking/redirecting/blocking DNS requests without (accidentally) helping AdTech by making DNS-based blocking harder?

[chgs]

As I run the OS I can choose to accept the hint or override the dns servers.

[dspillett]

Completely forgot to take to this a week ago (busy times…) but this more recent (that is touching in the same issues of inconvenience for some and whether it should take precedence over safety concerns of others) reminded me: https://news.ycombinator.com/item?id=41471510#41472889

[codedokode]

> doesn’t defer to the OS or the network

First, you can disable encrypted DNS, second you can set up your own DNS server and setup browser to use it. And your own DNS server will respect DHCP config.

Personally I would like OS to completely ignore DHCP config (like proxy or DNS server address) because those features can be misused for malicious purposes.