[koito17]

HTTPS is not necessary to encrypt DNS traffic. DNS-over-TLS exists, but it has much less traction compared to DNS-over-HTTPS. I am guessing the reason is that HTTPS traffic all goes through port 443, so "censorship" of DNS becomes tricky, since DNS traffic becomes a bit harder to distinguish from ordinary web traffic.

Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).

[baq]

Everything other than 80 and 443 is blocked by default, anything-over-https is just a matter of time. With a properly configured TLS MITM proxy only certificate pinning will prevent snooping, but it’ll also prevent connectivity, so you might call it a win for security/privacy, or a loss for the open internet if it’s you who needs to VPN to a safe network from within such an environment…

[wkat4242]

A port number does not force a certain protocol. You can run everything you want over port 443.

And yeah I also think it's a really bad idea to run everything over https. But I don't think it'll happen.

[baq]

You can. The client side enterprise proxy/firewall really doesn’t want you to, though. Just a fact of life.

[wkat4242]

Yeah I wasn't really thinking of enterprise in this whole discussion though. After all, it's about pi-hole.