by itopaloglu83 201 days ago
DoH prevents malicious network providers from blocking DoT traffic to enforce their own DNS services for “efficiency” reasons.

Most ISPs just want to sell your data and with encrypted client hello and DOH they’re losing visibility into what you’re doing.

2 comments

Don't you just intercept traffic to well-known recursive resolvers? And then drop packets to ports other than 53?
That's the beauty of DoH - you don't have to pick a resolver which uses a dedicated IP. You can even stand your own up behind a CDN and blocking it would mean blocking HTTPS traffic to the CDN.
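To make the "DoH is just HTTPS" point concrete, here is an added example (not from any commenter) of what a DoH GET request actually carries per RFC 8484: the DNS query is encoded in ordinary wire format, base64url-encoded into the `dns=` parameter, and the answer comes back as the same wire format. The resolver URL `https://doh.example.net/dns-query` and the reply are constructed fixtures, not captured traffic; the code runs offline.

```python
"""RFC 8484 DoH GET encoding plus a minimal DNS wire-format parser (added example)."""
import base64
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode an RFC 1035 query. RFC 8484 recommends ID 0 so the HTTP layer can cache it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_base: str, query: bytes) -> str:
    """GET form from RFC 8484: base64url without '=' padding in the 'dns' parameter.
    On the wire this is indistinguishable from any other HTTPS GET to the same host."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_base}?dns={encoded}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_dns_response(msg: bytes) -> dict:
    """Return id, RCODE and the answer RRs as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed fixture: the answer a resolver would return for a one-question A query."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr  # 0xC00C points back at the question name


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))
    print(parse_dns_response(build_constructed_response(q, "192.0.2.1")))
```

The same parser accepts an answer fetched over HTTPS with any client library; the only DoH-specific parts are the `?dns=` encoding for GET and the `application/dns-message` media type for POST, which is why a network operator cannot filter it by port or by message shape once the resolver sits behind a shared CDN address.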
If I'm an evil monetizing ISP or a great firewall, I don't really need to catch 100% of the traffic I'm trying to prevent. If there's a handful of people who can circumvent my restrictions, that's fine. As long as I get all the people trying to use popular DNS, that's good enough.

If I really do need to get that last bit, there's always other analysis to be done (request/response size/cadence, always talks to host X before making connections to other hosts, etc)

Not 100% of people need/care about such workarounds either though, so it works out.

For true government level interest in what you are doing, it's a much harder conversation than e.g. avoiding ISPs making a buck intercepting with wildcard fallbacks and is probably going to need to extend to something well beyond just DoH if one is convinced that's their primary concern.
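The "always talks to host X before making connections to other hosts" observation above can be turned into a simple detector. This is an added example, not the commenter's, and the flow records, the hypothetical resolver address `198.51.100.53` and the CDN addresses in `203.0.113.0/24` are constructed: it scores each destination by how often a connection to it is followed, within a short window, by the first-ever connection to some other destination, and by how small its flows are. A DoH resolver hidden behind a CDN still has that cadence even though port and IP tell you nothing.

```python
"""Flow-cadence heuristic for spotting an unlisted DoH resolver (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds into the capture
    dst: str         # destination IP
    dport: int
    bytes_out: int
    bytes_in: int


def resolver_candidates(flows: Iterable[Flow], window: float = 2.0, min_flows: int = 3,
                        min_ratio: float = 0.8, max_avg_bytes: int = 2000
                        ) -> List[Tuple[str, float, int]]:
    """Return (host, ratio, n) for hosts whose flows usually precede a brand-new destination
    within `window` seconds and stay small, i.e. look like lookups rather than content."""
    ordered = sorted(flows, key=lambda f: f.ts)
    seen, first_contacts = set(), []          # first_contacts: (ts, dst) for new destinations
    for f in ordered:
        if f.dst not in seen:
            seen.add(f.dst)
            first_contacts.append((f.ts, f.dst))
    stats = defaultdict(lambda: {"n": 0, "precedes_new": 0, "bytes": 0})
    for f in ordered:
        s = stats[f.dst]
        s["n"] += 1
        s["bytes"] += f.bytes_out + f.bytes_in
        # A host's own first contact must not count as evidence for itself.
        if any(f.ts < t <= f.ts + window and d != f.dst for t, d in first_contacts):
            s["precedes_new"] += 1
    out = []
    for host, s in stats.items():
        if s["n"] < min_flows:
            continue
        ratio, avg = s["precedes_new"] / s["n"], s["bytes"] / s["n"]
        if ratio >= min_ratio and avg <= max_avg_bytes:
            out.append((host, ratio, s["n"]))
    return sorted(out, key=lambda x: -x[1])


# Constructed capture: a hypothetical DoH resolver on 443 is hit just before each new CDN host.
SAMPLE_FLOWS = [
    Flow(0.0, "198.51.100.53", 443, 120, 300),
    Flow(0.4, "203.0.113.10", 443, 600, 120000),
    Flow(5.0, "198.51.100.53", 443, 118, 290),
    Flow(5.3, "203.0.113.20", 443, 700, 90000),
    Flow(10.0, "198.51.100.53", 443, 121, 310),
    Flow(10.2, "203.0.113.30", 443, 650, 150000),
    Flow(15.0, "203.0.113.10", 443, 500, 80000),   # repeat visit, no lookup needed
    Flow(20.0, "198.51.100.53", 443, 119, 305),
    Flow(20.5, "203.0.113.40", 443, 800, 200000),
    Flow(25.0, "203.0.113.10", 443, 450, 70000),
]

if __name__ == "__main__":
    for host, ratio, n in resolver_candidates(SAMPLE_FLOWS):
        print(f"{host}: {n} flows, {ratio:.0%} precede a new destination")
```

The thresholds are arbitrary and the heuristic is noisy on real traffic (any telemetry or CDN control endpoint contacted on page load looks similar), which matches the commenter's point: it is enough for an operator that only needs to catch most users, not a proof against anyone in particular.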

Well, that’s T-Mobile for you.

They force you to stay behind their NAT and recently started blocking VPN connections to home labs even.

Except encrypted client hello (ECH) is just a draft and isn't being used server-side on the public www.

If I'm wrong then please provide some examples of servers that support ECH

Why does SNI even exist

Whoever designed TLS did not expect third parties, so-called "content delivery networks", "cloud providers", etc., wanting to offer hosting to an unlimited number of customers ($$) on a limited pool of IP addresses.

The problem of cleartext SNI was solved in 2011, well before "QUIC" existed.

http://curvecp.org/addressing.html

Without TLS and without SNI anyone can host multiple HTTPS sites on a single IP address
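For readers who have not looked at what "cleartext SNI" means on the wire: the hostname sits unencrypted in the first packet of every TLS connection, which is exactly what an ISP middlebox parses. The following is an added example, not from any commenter, that builds a minimal TLS 1.3-style ClientHello with a server_name extension and then extracts the name the way a passive observer would. The record is constructed (zeroed random, one cipher suite), not a capture.

```python
"""Build a constructed ClientHello with SNI and parse the name back out (added example)."""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed ClientHello: TLS record -> handshake -> body with two extensions.
    A real client fills the 32-byte random from a CSPRNG; zeros are used here as a fixture."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type server_name
    sv_body = b"\x02\x03\x04"                                       # supported_versions: TLS 1.3
    sv_ext = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    extensions = sv_ext + sni_ext                                   # SNI deliberately not first
    body = (b"\x03\x03" + bytes(32)                # legacy_version, random
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent or not a ClientHello.
    This is the whole of what a network operator needs to see the destination site."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                  # skip version and random
    off += 1 + body[off]                          # session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher suites
    off += 1 + body[off]                          # compression methods
    if off + 2 > len(body):                       # no extensions at all
        return None
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype != 0x0000:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))   # the name is right there in the plaintext first flight
```

With ECH the inner ClientHello carrying the real name is encrypted and the outer one shows only the fronting provider's public name, so this parser would return the shared front rather than the site, which is the visibility loss the thread is arguing about.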

ISPs and other network operators are continuously losing insight into the traffic they carry with each privacy-oriented technology improvement, and they just don’t want to become commodity providers because they can make billions of dollars selling everything from information to prioritized traffic etc.