What do you think of DNS over HTTPS?

I have discovered that my ISP's DNS server is flaky, so I replaced the router's ISP DNS setting with Quad9.
That gives me consistent performance.

I also need to mention that my ISP-provided router is rubbish with regard to configuration options, so I have my own router behind it that does all the real routing. I got a TP-Link router on which I installed OpenWrt. This allows me to keep my internal network settings when I change flat or ISP router.

1 Like

Depending on your OS, you can either have several browsers with different configurations or several accounts with different configurations.
For example, on a Linux system you can have your main account with DoH and a test account where you do not have DoH and the main system resolver is used.

If this is too much work for you, then you can do the same in one account but with different browsers. In my case I have Firefox as my main browser and Chromium for testing or for those sites that need a Chrome-like browser. Firefox is now enabled for DoH but Chromium is not.

That answered my question. You’re just in a technical bind looking for reliability. I use Google + Cloudflare over TLS at the moment, with load balancing fixing up the other issue I’ve had in the past, but I have a Linux-based router where I can load in packages.

Another one I’ve seen popping up is filtering/restrictions on ISPs to stop their customers from using DNS providers. Some of them even go as far as opening up VPN tunnels.

1 Like

I haven’t seen an ISP in the UK yet that restricts DNS service; if that were the case it would indeed be a huge problem and it would justify changing ISP or using a VPN. ISPs filter certain types of sites either according to their own internal rules or government policies.

As it is, using Quad9 with caching on my router solves the unreliability problem for me.

1 Like

I see “old-wives-tales” persisting everywhere about using encrypted DNS.
It has been around for a lot longer than the browser implementations, and there are many DoH and DoT resolvers to choose from.
DNSCrypt currently lists 218 encrypted resolvers (172 with DNSSEC).
Among them you will find Cloudflare and Quad9.

Opting for DoH will not centralise DNS in any way. Only picking the same DNS will do that (encrypted or not).
For some reason that concern does not seem to have been mentioned when people all over the net are in a rush to tell you to swap to Cloudflare or Quad9 anyway.
Once they finally offer encryption, people start pointing out the issue that was there already.

The browsers (and a few other tools) that currently offer DoH are somewhat misleading the public into thinking this is how it is intended to work.
What we have now is a stopgap to fix an oversight in the network infrastructure; if we had known back then what we know now, we would all have been using encrypted DNS since HTTPS was born, if not before.

Your and the ISPs’ worries are a moot point.
It is coming like it or not and eventually the only non-encrypted DNS will be run by ISPs and Governments that can’t be trusted.
It will be where it is supposed to be, in the OS as a replacement for the current DNS service (though much simpler than DNSCrypt).

Once you have it at OS level you can stop worrying about network admin or breaking things, and devs can stop shoe-horning support into their software.
The ISPs’ complaints are all things we don’t want them to be doing.
They either sniff your data and sell it, collect it on behalf of Government snooping projects, or block/redirect your access to sites.

Network admins should be hosting their own encrypted resolver so internal traffic can be in the clear as needed.

Yes, HOSTS blocking is currently bypassed by the current system in the browsers.
Once in the OS it will respect your HOSTS file.
Until then using DNSCrypt is your best option, as it gives you a way to use blocklists, whitelists and redirection lists.

Even once Microsoft, Apple and Linux have encrypted DNS as standard, I will probably still use DNSCrypt due to the flexibility it offers.

Encrypted DNS on its own is not enough.
Browsers or the OS need to also show errors like they do with certificate errors or we are still wasting our time.

In case you have any doubts about where we are headed and why.

3 Likes

I think you have some important things to say. Can you also explain it like I’m five?

I agree that a system-level DNS encryption implementation is the best way to solve the issue. I was not aware of DNSCrypt, so thanks for bringing that up.
I will definitely take a look at it.

The router that my provider gives me is actually very good, for a home router. In Germany most telcos provide an AVM Fritz!Box series router, which are generally very good, receive regular software and security updates for at least 5 years and provide a lot of functionality. Most of the ones provided by the telcos also have built-in DECT for wireless telephones, analogue ports for cabled telephones and faxes, and they act as a VoIP PABX on top of their other duties.

Mine also has 802.11ac wireless and provides VPN, NAS and some other services. But I just use the VoIP functionality and the rest passes through to my real router, a Ubiquiti USG, because I use multiple VLANs.

As the ISP is not allowed to do anything with the data they “collect”, i.e. marketing and reselling the data, because of GDPR, there is less worry about the DNS traffic being misused, at least on home networks, but I prefer to use a reputable DNS provider on principle.

I wish providers in the UK/Greece were offering decent home routers. They are usually very mediocre, with little room for customization and definitely no software updates.

And that sums up my views on DoH. On the move, it isn’t a bad solution, at present. But I think that it is wrong to use DoH, we should be concentrating on DoT with DNSSEC. There is already a “legal” (as in following the internet standards) way of doing secure DNS lookups, so why break 2 protocols to do something that they were never designed to do?

1 Like

You can use anyone you choose or roll your own. I use AdGuard DNS over DoH.

It’s just like regular DNS you can use whoever you want.

@CrimsonChin if your comment was directed at me, I can, but only if you ask about something.
The following will have sections of education, so digest what you can and ask what you want.

Not long ago I wrote a blog post about using encrypted, authenticated DNS, primarily to dispel some long-standing misinformation or irrelevant info, but also to show Steve Gibson the main features and advantages of using DNSCrypt compared to in-app solutions or the OS default.

DNSCrypt can be used with almost all OSs and routers that allow replacement software.
Many people opt to use it as their Pi-hole.
It can be used as a client or server solution, so home users and network admins have plenty of options.

One of the main advantages a lot of people may like is the way it dynamically uses the resolvers from a large list: https://dnscrypt.info/public-servers
The default mode is to automatically use whichever DNS is currently fastest for you from the filtered list you have.
This may be Cloudflare, Google or Quad9, or it may not. You don’t need to worry.
You can disable automatic mode and manually select your preferred resolvers, or even just one.

For Windows users the “Simple DNSCrypt” distro is simple enough for all to use out of the box, as the defaults are suitable for most users.

To replace the DNS in the OS when run as a local client, it does not do anything fancy or disruptive.
It runs as a local proxy which will be accessed as a localhost DNS in the IP settings for each network connection.

For those not sure why we need something like this, and why it is so difficult:
Currently DNS lookups are easily read, intercepted and changed to give false results.

DNSSEC helps with a few things such as validation, but few sites are configured to use it even though it is commonly available and Cloudflare have made it standard.
To work properly you and the site you visit must both be using DNS that uses it.
Even then, no browsers have a way to detect or notify users that the connection is possibly subject to a man-in-the-middle attack.
Browser makers won’t add the feature, because site owners don’t enable it, because browsers don’t support it, because site owners… oh we seem to be in a stalemate where both want the other to make the first move.

Encrypted DNS has the obvious benefit of keeping the data secret, but only from the outside. The DNS host can see in.
This is why you also need authentication and validation to go with it.
You need to know that you are actually talking to the DNS you expect and trust.

As certificates, authentication and validation are built into browsers, it is easier to implement encrypted DNS there, hence we are seeing it there (Yandex Browser was the first, by adding DNSCrypt).
The DNS services in OSs can’t do this yet, but just as it is standard in browsers we can expect a very similar system in the OS, especially if based on the existing certificate system used by the OS and browsers.

DNSCrypt does not use certificates but does use public key crypto.
The keys are distributed with the daily updated resolver list.

Finally, as noted by others, DoH is not the only option, but if Microsoft only add DoH support it may end up killing off the others, which is not good.
DoT is a much better option for some users and the main rival; however, you should have a look at the advantages and disadvantages all the encrypted systems have, in this handy comparison.
https://dnscrypt.info/faq

6 Likes
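To make concrete what the post above is talking about, here is an added example (not Dr.Flay’s code or anything from the DNSCrypt project) showing what actually travels inside DoH: RFC 8484 wraps the ordinary DNS wire-format message in HTTPS, either as a POST body or base64url-encoded in a `?dns=` GET parameter. The response parser also pulls out the AD (authenticated data) bit, which is the DNSSEC validation signal the post says browsers never surface. The sample response is constructed inline, so nothing here touches the network.

```python
import base64
import struct

A_RECORD = 1  # RR type for an IPv4 address

def build_query(name: str, qtype: int = A_RECORD) -> bytes:
    """DNS wire-format query (RFC 1035). ID is 0, as RFC 8484 recommends
    for DoH so that identical queries are cache-friendly; RD flag is set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_param(query: bytes) -> str:
    """Unpadded base64url, the encoding RFC 8484 uses for GET ?dns=..."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(msg: bytes):
    """Return (rcode, ad_bit, [(name, type, ttl, rdata_text)])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):           # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, bool(flags & 0x0020), answers

# Constructed sample response (not captured from a real resolver): QR, RD, RA
# and AD set (0x81A0), one A answer using a compression pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))
```

The string returned by `doh_get_param` is what a browser appends to a resolver URL such as `https://dns.quad9.net/dns-query?dns=...` (a hypothetical URL shape used only for illustration); everything inside it is still plain DNS, which is why the resolver operator can read every query even though the ISP cannot.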

I have installed DNSCrypt on one of my systems; it works fine and it’s quite straightforward.

Thanks for bringing it up.

Dr.Flay saves the day again. Looks like you can install DNSCrypt on OpenWrt as well (always do a backup first).

https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy

2 Likes

It’s also in the latest Asus Merlin firmware. https://www.asuswrt-merlin.net/

1 Like

:smiley: OK people, are we ahead of the game now :+1:

For those of you curious to know if it is working, take it off auto mode and select only the Cloudflare resolver.
Visit the https://1.1.1.1/help page and you should see that it is functioning.

You can be sure that as things move on and standards are implemented, that DNSCrypt will adopt or absorb whatever is useful.

Using encrypted DNS this way keeps it a user choice all the way, and all of it is open source so can be inspected.

A privacy side benefit I see from using a dynamic pool of resolvers is that, as you hop around several of them hosted by different people, your DNS footprint becomes diffused, and any agency trying to monitor you must control them all.

To have a look at it in motion try using these :smiley:
https://www.grc.com/dns/dns.htm

https://dnsleaktest.com

2 Likes

Hey Dr. Flay, how do I do that? I can’t find any interface.
I installed this one: dnscrypt-proxy-win64-2.0.36


I guess that all depends on the interface you have for it.
Windows users have Simple DNSCrypt.
For other OSs you need a suitable GUI or to do it via the CLI (which is what the GUI solutions do, sending preformatted CLI strings to the shell).

I should really put Mint back on one of my rigs and have a look at the Linux options which I have been told are available.
Perhaps some Tux lovers here may be able to find and recommend something?