💾 Archived View for zaibatsu.circumlunar.space › ~solderpunk › phlog › quick-thoughts-on-doh.txt captured on 2022-03-01 at 15:22:19.
⬅️ Previous capture (2020-09-24)
-=-=-=-=-=-=-
Quick thoughts on DoH --------------------- Zlg[1] and slugmax[2] have recently phlogged about DNS over HTTPS (or DoH[3]). I learned about DoH relatively recently in the course of research for an article I was writing (which hopefully many of you will get to read some day, which is about all I can say about that project for now!). I have yet to develop a strong stance on whether I am "for" or "against" DoH. But during my research I was struck by the fact that the web is *full* of what I considered to be poorly written and poorly argued "hit pieces" explaining why DoH does everything wrong and is the work of the devil. There was so much of this stuff, and it was of such low quality, that I genuinely suspect somebody with financial motives to discourage DoH adoption has been paying people to write them. One argument which often comes up is that DoH adoption is being pushed by big shady surveillance friendly coporations like Google and Cloudflare - which, to be fair, is a good reason to be suspicious of anything - and in particular that early adopters of DoH like Android and Mozilla are silently. I totally understand the concern that many people will never change those defaults, and so those few providers will swallow up a large amount of traffic (which is not too different to how many people use their ISPs DNS provider, and so big ISPs get a huge share of traffic). But it seems to me this is a poor argument against DoH as a protocol, which after all is no more centralised than HTTPS is. There are already non-commercial and privacy-centric DNS providers supporting DoH (some are listed here[4]), and presumably there will be more in the future. Reconfiguring your browser to use one of these instead of Cloudflare is probably no more effort than disabling DoH entirely (which for many people will result in falling back to plaintext DNS). Doing this shows support for improving DNS security (which is sorely needed) without supporting centralisation or commercialisation. None of this is to say DoH isn't without problems and is better than alternative solutions. I'm still not sure where I stand on that. But it would be a shame to potentially throw out the baby with the bathwater because of default settings. [1] gopher://zaibatsu.circumlunar.space:70/0/~zlg/0015_disable-doh.txt [2] gopher://republic.circumlunar.space:70/0/~slugmax/phlog/2020-02-29-comments-on-dns-over-https [3] https://en.wikipedia.org/wiki/DNS_over_HTTPS [4] https://www.privacytools.io/providers/dns/