[xrmagnum]

I find it problematic that this article recommends disabling DoH, which leaves users with unencrypted DNS — still centralized (e.g. to Google’s 8.8.8.8 or an ISP) and now vulnerable to man-in-the-middle attacks. Replacing one form of centralization with another while giving up encryption doesn’t improve privacy — it worsens it.

If the goal is to reduce centralization, a better approach would be to use encrypted DNS (DoH or DoT) with resolver rotation or randomization. That way, users retain privacy from local networks and ISPs without concentrating all DNS traffic in a single provider’s hands.

[exiguus]

If you're looking to implement encrypted DNS with multiple servers or providers, consider using unbound, which supports TLS resolvers and can operate in recursive mode. Alternatively, you might opt for AdGuard DNSProxy or dnscrypt-proxy, both of which support DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. You can run these tools on your local network or computer and configure your resolve.conf to point to them.

[tptacek]

It is problematic; it's a post from 2018 that did not age well at all.

[josephcsible]

It wasn't correct even when it was originally posted.

[tptacek]

I agree, but I remember the controversy at the time about browser vendors usurping DNS and want to avoid as much of that argument as I can.

(I have weirdly strong and specific ideas about DNS security.)

[WhyNotHugo]

Disabling DoH in your browser’s settings should make it fall back to you system’s resolver.

You’ll only be vulnerable to a MitM attack if your system’s resolver is insecure and also vulnerable to a MitM attack.

[sammy2255]

(which all are by default)

[WhyNotHugo]

That's a pretty serious security issue, which affects every other process on your host.

[NewJazz]

No, plenty of OSs ship encrypted DNS resolvers by default.

[josephcsible]

Zero mainstream OSs ship encrypted DNS resolvers by default, unless you count ones that will automatically fall back to insecure DNS, which defeats the purpose since a network attacker can cause that.

[piskov]

DoT is explicitly mentioned as a better alternative

[josephcsible]

DoT is strictly worse than DoH. It doesn't actually fix any of the author's issues with DoH, and it has the gigantic downside that it's trivial for hostile networks to block.