by jeroenhd 199 days ago
Thanks to the ossification of the internet, every new protocol or protocol extension needs to be over HTTPS.

DoT works fine, it's supported on all kinds of operating systems even if they don't advertise it, but DoH arrived in browsers. Some shitty ISPs and terrible middleboxes also block DoT (though IMO that should be a reason to switch ISPs, not a reason to stop using DoT).

On the hosting side, there are more options for HTTP proxies/firewalls/multiplexers/terminators than there are for DNS, so it's easier to build infra around DoH. If you're just a small server, you won't need more than an nginx stream proxy, but if you're doing botnet detection and redundant failovers, you may need something more complex.


> though IMO that should be a reason to switch ISPs, not a reason to stop using DoT

If you have that choice. There are many countries that really want to control what their citizens see and can access at this point. If we had DoH + ECH widely adopted it would heavily limit their power.
> Thanks to the ossification of the internet, every new protocol or protocol extension needs to be over HTTPS.

If someone can tell you're using HTTPS instead of some other TLS-encrypted protocol, that means they've broken TLS.

> If someone can tell you're using HTTPS instead of some other TLS-encrypted protocol, that means they've broken TLS.

Lots of clients just tell the world. ALPN is part of the unencrypted client hello.
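To make the ALPN point concrete, here is an added example (not code from this thread) that builds a constructed, minimal ClientHello and then parses the SNI and ALPN list out of it, which is exactly what an on-path observer can read before any encryption starts. The sample hello, the name dns.example and the zeroed random are assumptions for illustration; the field layout follows the TLS 1.2/1.3 ClientHello wire format.

```python
import struct

# Builder for a constructed, minimal ClientHello (SNI + ALPN only) used as sample input.
def build_client_hello(server_name: bytes, alpn: list) -> bytes:
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name  # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list               # extension type 0
    alpn_names = b"".join(bytes([len(p)]) + p for p in alpn)
    alpn_list = struct.pack("!H", len(alpn_names)) + alpn_names
    alpn_ext = struct.pack("!HH", 16, len(alpn_list)) + alpn_list           # extension type 16
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + bytes(32)       # legacy_version + random (zeroed in this sample)
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS record header

def parse_client_hello(rec: bytes) -> dict:
    """Extract SNI and ALPN from one TLS record holding a ClientHello; both travel in the clear."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, legacy_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    out = {"sni": None, "alpn": []}
    if p + 2 > len(hs):
        return out                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:       # server_name, host_name entry
            nlen = struct.unpack("!H", data[3:5])[0]
            out["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 16 and len(data) >= 2:                     # application_layer_protocol_negotiation
            q, end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q < end:
                n = data[q]
                out["alpn"].append(data[q + 1:q + 1 + n].decode("ascii", "replace"))
                q += 1 + n
    return out
```

A DoT client advertising the ALPN id "dot" shows up as plainly as an HTTPS client advertising "h2"; only ECH (for the SNI) and dropping or blending the ALPN value change what this parser can see.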

I’d say nowadays 443/tcp is the only port that you’ll find open in any usable network, anything else is part of a corporate network whack-a-mole game. So while DoH and DoT traffic shouldn’t be distinguishable, 853/tcp is surely a weird port in the grand scheme of things.