[roelschroeven]

DoH means that each application does its own DNS queries, instead of using the OS's functionality. Whether that includes reading /etc/hosts is up to the application, and it looks like high profile applications like Chrome and Firefox don't read /etc/hosts.

> The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.

More correctly, the point is to shift all that from one organization to another. Maybe you trust Google or Mozilla more than you trust your ISP, but I don't think it's the same for everyone.

You could even argue that your ISP can already see which hosts you connect to, so using it's DNS resolvers doesn't add much information for them. Using DoH means that both your ISP and another party can see that.

[bad_user]

Excluding leaks, the ISP does not see the hostnames, what it sees are the IPs you're connecting to. 20% of internet traffic goes through Cloudflare, so at least for those, the IPs are meaningless.

Both privacy and security are layered, and perfect is the enemy of good. Securing the DNS is an obvious first step, forcing the Internet to HTTPS by default was another. Google and Mozilla have contributed to better privacy. People that want more privacy, depending on needs, can also use a VPN or for the more extreme cases, something like Tor.

Not sure what you mean about having to trust Google or Mozilla. I'm not using either Google's or Mozilla's DoH servers. But yes, I would trust them more than my local ISP. Google, at least, proved quite competent in handling whatever data they collect.

[dingaling]

> Excluding leaks, the ISP does not see the hostnames

Unfortunately they can, either through the unencrypted hostname passed in SNI or in the cert returned by the server .

[codedokode]

In TLS 1.3 server certs are encrypted. And while browsers support ECH (Encrypted Client Hello) to encrypt SNI, almost no server supports it. Cloudflare has ECH disabled globally for some "issues" they do not disclose [1].

[1] https://developers.cloudflare.com/ssl/edge-certificates/ech/

[grishka]

> DoH means that each application does its own DNS queries, instead of using the OS's functionality.

HUH?! No! You aren't supposed to implement DNS on the application level! Most modern OSes support some form of DNS over TLS at the system level. You should use that.

[chgs]

You’re not but that’s the point. Google realise they don’t control the OS (in many cases) and thus struggle to monetise it.

I don’t have a problem with doing dns lookups over http, or any other protocol you want to use, if I configure my OS resolver to do that.

When people don’t like DoH they tend to mean they have a problem with bypassing the OS.

Theres then the concept of DoH, network admins have a harder job blocking it without MitMing traffic (and in some cases installing new root certificates and thus reducing security for users).

I’m less concerned about that. The argument for DoH often goes to “I don’t trust my network but I do trust Google” but I can see why some don’t trust their network. Personally I’d tunnel all traffic if I were on an untrusted network.

As someone who doesn’t trust Google (as their income comes from selling my personal data against my will) but does trust my network (as I am the network admin) I lean in the “anti DoH” camp, but regardless of which camp, DNS should be configured at the OS level (whether that’s a manual choice to use Google or cloudflare or whatever, or to accept the network hints)

[bad_user]

What you mean is that network admins have a harder time controlling people's devices.

I have a DoH server set in my Chromium browser, installed on my corporate laptop, and I love it, because my DNS queries don't leak to my network admin.

[wahern]

The perspective is significantly different when you're both the user and network admin. From your vantage point, you're picking the lesser of two evils.[1] But there's a third option that keeps you in even greater control, yet it's increasingly becoming more onerous to preserve. It's something like a collective action problem.

[1] Or at least you think you are. If your employer is running provisioning and "security" malware, I wouldn't take any bets on what they're logging or not logging.

[account42]

Should and what browsers actually do is completely different then.