[somat]

DoH is intended to be indistinguishable from HTTPS traffic, if the application specifies a specific DoH server a DNS based ad block will not work.

Right now The ad companies have not really figured this out and DoH largely works like port 53 DNS did. But give it a few years. They will up their game and our ability to mitm our own dns queries will vanish. I will miss it.

[SparkyMcUnicorn]

Freedom of DNS choice has nothing to do with DoH.

And you can definitely mitm a non-configurable DoH resolver if you absolutely needed to do that, as long as you can add your own trusted CA on a device.

[tremon]

> Freedom of DNS choice has nothing to do with DoH

The attack vector that DoH offers is that data exfiltration companies will start shipping their own DNS resolver in javascript to work around DNS-based filtering. They can't do this with regular DNS because the network traffic can still be observed and blocked independently, but how will you block a browser from accessing specific https URLs without MITM'ing all traffic?

So yes, DoH does have something to do with DNS choice: it can completely subvert the OS-provided domain resolver service as well as the browser-configured one.

[SparkyMcUnicorn]

Are you suggesting that Chrome is going to allow individual websites to override the browser DNS settings? And also skip bootstrapping?

I'm very confused by this comment.