[rkagerer]

ECH - if I understand correctly it's effective for sites hosted on big providers like Cloudflare, AWS, etc, but doesn't add much value when it comes to self-hosted domains or those on a dedicated server, as you'd still see traffic going to whatever IP and be able to infer from that which domain the user's browswer is talking to. I'm hoping someone can explain that I missed something.

And while we're explaining things... ODoH (indirectly mentioned in the article via the Encrypted DNS link) comes with a big bold warning it's based on the fundamental premise that the proxy and the target servers do not collude. When both are operated by the same company, how can you know they aren't colluding? Is there some mechanic in the protocol to help protect users from colluding servers?

[jeroenhd]

> When both are operated by the same company, how can you know they aren't colluding?

You don't. At best the client can check domain names and IP addresses, but that's hardly a guarantee.

To solve that problem, you can combine multiple parties. For example, you can use https://odoh1.surfdomeinen.nl/proxy as a proxy (operated by SURF [1]) to use the Cloudflare servers for lookup.

I think for ODoH to work well, we need a variety of companies hosting forwarding services. That could be ISPs, Google/Microsoft/etc. or some kind of non-profit.

[1]: https://www.surf.nl/en

[musicale]

> That could be ISPs, Google/Microsoft/etc. or some kind of non-profit.

Or Apple[1,2].

[1] Oblivious DNS over HTTPS, https://www.ietf.org/rfc/rfc9230.txt

[2] About iCloud Private Relay, https://support.apple.com/en-us/102602

[dietr1ch]

I don't know the implementation details, but it should be doable in a way that degrades back into encrypted DNS where at least you get rid of a MitM. Someone else already mentioned that making sure that the 2 servers have different owners may help, but if people are after you it's probably not enough.

I'm thinking that maybe I'd like to be able to avoid mentioning the server I'm interested on, and simply send a hash of it (you can cut a prefix such that a bunch of matches are found, but not too many)

[ekr____]

Yes, that's correct about ECH. In general, there's no real way to conceal your browsing behavior if you are connecting to an IP address that isn't shared. So either you use ECH to something like Cloudflare or you connect to some proxy/VPN/etc. so that the local network can't see the final IP address.

[apitman]

> ECH - if I understand correctly it's effective for sites hosted on big providers like Cloudflare, AWS, etc, but doesn't add much value when it comes to self-hosted domains or those on a dedicated server

Yeah, and unfortunately it increases the moat such companies have. They can offer a privacy screen that smaller orgs just can't match.