What do you think of DNS over HTTPS?

I’d like to get your take on DoH. I use an Asus router with Merlin firmware… and “Merlin” (Eric) has been very vocal that DoH “breaks” DNS and that Firefox shouldn’t be enabling it by default. Thoughts?

P.S. I tried to add a tag of DNS but it wouldn’t let me.

Not crazy that we’re shoving yet another thing over HTTPS. I’d prefer DNSCrypt, and maybe an extreme measure of rewriting DNS to use its own protocol instead of TCP or UDP. This will be especially important as we start to include additional information in DNS (e.g. DANE).

There’s a pretty good presentation by Geoff Huston of APNIC about the problem with fragmentation and DNS.


That’s a matter of perspective, I suppose. If DNS means a specific protocol, currently usually implemented over UDP, then obviously, doing it over TCP is going to be viewed as a pretty big change.

If, on the other hand, DNS means the service of getting the IP address for a thing… then it’s not that big of a deal, right? DOH is just another way to ask a question and get the answer.

Personally I’m all for DOH because it allows me to be sure it’s one less thing my ISP has to collate, repackage and sell about me. It’s a bit like a very light VPN… they still see what IPs I connect to, and I’m sure that gives them lots to know about me… but it definitely makes it one step more private.


This article is talking about ISPs being worried about Google’s approach to DOH:

I think most people are in agreement about not wanting ISPs to data mine our DNS lookups. One of the downsides of using a centralized non-ISP resolver is that CDNs often send you to a CDN node based on what ASN/network your resolver’s IP uses to look up DNS records via the CDN’s nameserver.

There’s also the whole downside of shoving it into TCP, which is going to return slower than if it were UDP.

I think the end goal is clear: prevent ISPs from data mining DNS.

Could there be a better architecture?

What if most consumers ran their own DNS resolvers, communicating with the root servers and domain name servers over some encrypted protocol?

@MikeInCA, to me, DNS over HTTPS could close the biggest privacy gap we have on the internet today! If we think about recent history, Let’s Encrypt has had some serious impact on ensuring HTTPS across the web. It’s about 80% of our surfing now. However, DNS is the next low-hanging fruit to gap-fill because of a bullseye on its back. Anyone along the path between your network and your DNS resolver can collect information about which sites you visit. This means that eavesdroppers can still profile your online activity and make a list of sites you visited, or a list of who visits a particular site. Malicious DNS resolvers, or on-path routers, can also tamper with your DNS request, blocking you from accessing sites or even routing you to fake versions of the sites you requested. If you didn’t know, TWiET has spent a bunch of time on the subject (e.g. One Example). If you caught any of the DoH TWiET episodes, you probably remember the discussion we had about DNS over HTTPS, and how Google plans to test DNS over HTTPS in its Chrome 78 canary builds. It will help, but it means the browser will need to fall back to standard DNS routes when DoH is not supported. In fact, many ISPs/Internet service providers and participants in the standardization process have expressed strong concerns about the development of the protocol. ISPs are concerned that DoH will complicate the use of captive portals. Some countries, like the UK, use DNS to police what sites people can surf, and this would cripple their efforts. Members of civil society have also expressed concerns over plans for browsers to automatically use specific DNS resolvers, overriding the resolver configured by the operating system. Honestly, there will be tons of hurdles to get over, including political and geopolitical ones.
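To make concrete the point made earlier in the thread that DoH is "just another way to ask a question and get the answer", and the point above about what an on-path eavesdropper can and cannot see, here is an added example (not code from any poster, and not from any resolver project). It builds an ordinary RFC 1035 DNS query, wraps it in both RFC 8484 transport forms (the base64url GET URL and the raw POST request), and parses a constructed response, including the compression pointers real replies use. The resolver hostname doh.example and the reply contents are assumptions made up for the example; nothing is sent over the network.

```python
import base64
import struct

# Hypothetical resolver endpoint used only to build example requests (assumption).
DOH_HOST = "doh.example"
DOH_PATH = "/dns-query"


def encode_name(name):
    """Encode a hostname as RFC 1035 labels: length byte + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Plain DNS query message: RD=1, one question, IN class. The message is the
    same whether it later travels over UDP, TCP or HTTPS. RFC 8484 suggests txid 0
    so that identical questions give identical, cacheable requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, qtype=1):
    """RFC 8484 GET form: the wire message, base64url without '=' padding, in ?dns=."""
    msg = build_query(name, qtype)
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "https://%s%s?dns=%s" % (DOH_HOST, DOH_PATH, b64)


def doh_post_request(name, qtype=1):
    """RFC 8484 POST form as raw HTTP/1.1 bytes. On the wire all of this sits inside
    TLS, so an on-path observer learns the resolver's IP and message sizes, not the name."""
    body = build_query(name, qtype)
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            "Content-Length: %d\r\n\r\n" % (DOH_PATH, DOH_HOST, len(body)))
    return head.encode("ascii") + body


def decode_name(msg, off):
    """Read a (possibly compressed) name at offset; returns (name, offset after it).
    Pointer hops are capped so a malformed response cannot loop the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


def sample_response():
    """Constructed reply to build_query('example.com') so the parser runs offline:
    flags 0x8180 (QR, RD, RA), one A record whose name is a pointer (0xC00C) to the
    question name at offset 12, TTL 300, address 192.0.2.10 (documentation range)."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_response(sample_response()))
```

The GET form matters for the "it loads faster" observation later in the thread: because the transaction ID is fixed at 0, every client asking the same question produces the same URL, which HTTP caches and the resolver can serve from cache. The POST form is what a browser normally sends; a captive portal or a network that blocks the resolver's IP cannot inspect or rewrite the question, which is exactly why ISPs raise the concerns described above.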


I don’t understand what you mean, it could never be “not supported”… it can’t be blocked.

Good point, thanks @MikeInCA! There are different layers of support. It’s true you don’t need the browser or OS to support it, but if neither do, you are tunnelled through potentially insecure pipelines. I read this article a while back that talked a bit about it. It makes sense that you could install a local DNS proxy on your local box, but mobile platforms don’t support that just yet.

For those who aren’t aware, Firefox is making DoH the DEFAULT in their browser, which is a huge change.


The default rules. From what I’ve read and watched about DNS over HTTPS, I support it. I’m always for things being more secure, and Cloudflare’s site makes a very compelling case. But my second reason for using it, and why I set up Cloudflare DNS over HTTPS on all our home computers, is because the internet now seems to load faster. 🙂

Wait what? How exactly?

I presume multiple browsers were configured to use DoH on multiple computers?

Oh… so he didn’t set up the computers to use DoH but just the browsers… big difference. It’s not so easy at the OS or network level. I’ve been looking at Pi-hole via a Docker container.

I am using Firefox and DoH via Quad9

And I also took the step to go into about:config and search for “trr” and set network.trr.bootstrapAddress to “”

No regrets yet.

But there’s a lot of DNS calls other than just the browser. Not a complete solution.

No, true. But on the other hand, do you really care if your ISP knows your IoT lightbulb is pinging HQ to check for FW updates?

Hint: if you REALLY do, set up a VPN.

Exactly, it’s only the websites your browser points to; there are other things that also call out all the time: Dropbox, OneDrive (just a small drop in the tub there), then all these IoT devices. So what I did was set up BIND on my home server and everything points to it; that goes out to the root servers. Now it may not be as secure as HTTPS since it’s not encrypted, but unless someone is reading all the packets (and that would pretty much be my ISP), no one else has it.
If you tail a log of DNS requests you would be surprised at how many calls there are all day long.
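The post above suggests tailing the resolver's query log to see how much non-browser DNS traffic a home network generates. As an added example (not the poster's own setup or scripts), here is a small Python script that reads BIND 9 querylog lines, tallies which clients and names account for the traffic, and reports any client that looks up the same name on a steady interval, which is the signature of a device polling its vendor. The log lines, client addresses and names below are constructed for the example; the line layout follows BIND's querylog format with a timestamp prefix, but real output varies with the logging channel configuration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in BIND 9 querylog style; addresses and names are made up.
SAMPLE_LOG = """\
17-Oct-2019 08:00:01.101 client @0x7f1 192.168.1.20#51234 (example.com): query: example.com IN A +E(0)K (192.168.1.1)
17-Oct-2019 08:00:01.240 client @0x7f2 192.168.1.20#51235 (example.com): query: example.com IN AAAA +E(0)K (192.168.1.1)
17-Oct-2019 08:00:05.002 client @0x7f3 192.168.1.77#40001 (fw.iot-vendor.example): query: fw.iot-vendor.example IN A + (192.168.1.1)
17-Oct-2019 08:00:35.004 client @0x7f4 192.168.1.77#40002 (fw.iot-vendor.example): query: fw.iot-vendor.example IN A + (192.168.1.1)
17-Oct-2019 08:01:05.006 client @0x7f5 192.168.1.77#40003 (fw.iot-vendor.example): query: fw.iot-vendor.example IN A + (192.168.1.1)
17-Oct-2019 08:01:10.500 client @0x7f6 192.168.1.31#55000 (sync.cloud-drive.example): query: sync.cloud-drive.example IN A +E(0)K (192.168.1.1)
17-Oct-2019 08:01:11.000 this line is not a query and is skipped
"""

# Timestamp, client address (the "@0x..." handle is optional), source port, then the
# question; anything after the record type (flags, listening address) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<type>\S+)")


def parse_querylog(text):
    """Return (timestamp, client_ip, qname, qtype) for each query line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rows.append((ts, m["ip"], m["name"].lower().rstrip("."), m["type"]))
    return rows


def summarize(rows, top=5):
    """Total query count plus the busiest clients and most-requested names."""
    by_client = Counter(ip for _, ip, _, _ in rows)
    by_name = Counter(name for _, _, name, _ in rows)
    return {"total": len(rows),
            "clients": by_client.most_common(top),
            "names": by_name.most_common(top)}


def periodic_lookups(rows, min_count=3):
    """Median seconds between repeated lookups of one name by one client.
    Only (client, name) pairs seen at least min_count times are reported."""
    times = defaultdict(list)
    for ts, ip, name, _ in rows:
        times[(ip, name)].append(ts)
    out = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[key] = round(median(gaps), 1)
    return out


if __name__ == "__main__":
    rows = parse_querylog(SAMPLE_LOG)
    print(summarize(rows))
    print(periodic_lookups(rows))
```

On a real server, point the script at the querylog file (or pipe `tail -f` into it) after enabling query logging in named; the per-client view is what tells you which device is chatty, and the interval view separates firmware check-ins from user activity. Note that the log only exists because the resolver is yours: with a third-party DoH resolver the same visibility moves to that provider.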


No, that’s all bad. So to answer your first question, yes I want all DNS to be private because that’s where ISP monetization is. A VPN is very primitive and creates all kinds of other issues unless you get into split tunneling and that’s got challenges too.


Isn’t that kinda the whole point?

Well, your packets are still going to IP addresses that your ISP can categorize. They haven’t had to yet, but they will start if more people hide their DNS. So again, if you care enough, it’s VPN or bust.

I can’t wait until the first ISP finds some kludge to block their customers from being on their network if they can’t verify that you’re using the ISP DNS only.