Hacker News new | ask | show | jobs
by diogocp 409 days ago
Your comment makes no sense. The DoH providers can still log requests and sell them.

DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.

Sending anything in clear text over the internet in 2025 is criminally negligent.
2 comments
koito17 409 days ago
HTTPS is not necessary to encrypt DNS traffic. DNS-over-TLS exists, but it has much less traction compared to DNS-over-HTTPS. I am guessing the reason is that HTTPS traffic all goes through port 443, so "censorship" of DNS becomes tricky, since DNS traffic becomes a bit harder to distinguish from ordinary web traffic.

Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).

link
baq 409 days ago
Everything other than 80 and 443 is blocked by default, anything-over-https is just a matter of time. With a properly configured TLS MITM proxy only certificate pinning will prevent snooping, but it’ll also prevent connectivity, so you might call it a win for security/privacy, or a loss for the open internet if it’s you who needs to VPN to a safe network from within such an environment…
link
wkat4242 409 days ago
A port number does not force a certain protocol. You can run everything you want over port 443.

And yeah I also think it's a really bad idea to run everything over https. But I don't think it'll happen.

link
baq 409 days ago
You can. The client side enterprise proxy/firewall really doesn’t want you to, though. Just a fact of life.
link
wkat4242 408 days ago
Yeah I wasn't really thinking of enterprise in this whole discussion though. After all, it's about pi-hole.
link
wkat4242 409 days ago
Yes but in the US the ISPs are the intermediary. And the big DoH providers like Cloudflare have better privacy protection.

Here the ISPs are intermediairs too, but we have laws to prevent them from using our data using DPI etc. And even if you use their DNS.

I agree encryption is important but DoT is much better then. DoH mainly took off because of this in the US.

link