
> On the other hand, if you actually control your devices DoH shouldn't be a problem, you can have them talk to whichever servers you prefer regardless of the protocol.

I already do tell the devices I control which DNS servers to use via DHCP and IPv6 RA. Firefox is choosing to ignore that by default, and now I have to go through extra steps to solve a problem that Mozilla created by not simply re-using the previous solution (gethostbyname(3)).

At the very least if they had simply used the already existing DoT, instead of inventing a new protocol (DoH), I could have monitored port 953 traffic and see which devices were broken. Now I have to figure out devices trying to sneak through my policies.
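The monitoring problem this comment describes, as an added example that is not part of the thread: a small classifier run over constructed flow records (source, destination, port, protocol) of the kind a firewall or flow collector exports. It flags plain DNS to anything but the resolvers handed out by DHCP/RA, flags DoT by its dedicated port regardless of destination, and can only flag DoH when the destination appears on an operator-maintained list, which is exactly the visibility gap being complained about. The resolver addresses and the encrypted-DNS destination list are assumptions for the example (TEST-NET addresses), not real resolvers.

```python
"""Flag devices whose DNS traffic bypasses the resolvers handed out via DHCP/RA.

Added example, not code from the thread. Works over constructed flow records.
Assumptions made up for the example:
  - the approved resolvers are 192.0.2.53 and 2001:db8::53
  - KNOWN_ENCRYPTED_DNS_IPS stands in for an operator-maintained list of public
    resolvers offering DoH/DoT (placeholder TEST-NET addresses here)
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

APPROVED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}
# Placeholder list; a real deployment would populate this from a curated feed.
KNOWN_ENCRYPTED_DNS_IPS = {"203.0.113.10", "203.0.113.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a flow that sidesteps the resolver policy, else None."""
    if flow.dport == 53:
        # Plain DNS to anything but the approved resolvers means a hard-coded resolver.
        return None if flow.dst in APPROVED_RESOLVERS else "plain-dns-to-unapproved-resolver"
    if flow.dport == 853 and flow.proto == "tcp":
        # DoT has its own port, so it is visible no matter where it goes.
        return "dns-over-tls"
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in KNOWN_ENCRYPTED_DNS_IPS:
        # DoH is indistinguishable from other HTTPS; only the destination list gives it away.
        return "probable-dns-over-https"
    return None


def bypassing_devices(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Map each source address to the set of findings raised against it."""
    findings: Dict[str, Set[str]] = {}
    for f in flows:
        label = classify(f)
        if label:
            findings.setdefault(f.src, set()).add(label)
    return findings


# Constructed sample flows: a compliant laptop (two flows), a phone with a
# hard-coded resolver, a TV doing DoT, and a browser doing DoH to a listed resolver.
SAMPLE_FLOWS = [
    Flow("192.0.2.20", "192.0.2.53", 53, "udp"),
    Flow("192.0.2.20", "198.51.100.7", 443, "tcp"),
    Flow("192.0.2.21", "203.0.113.99", 53, "udp"),
    Flow("192.0.2.22", "203.0.113.10", 853, "tcp"),
    Flow("192.0.2.23", "203.0.113.11", 443, "tcp"),
]

if __name__ == "__main__":
    for src, labels in sorted(bypassing_devices(SAMPLE_FLOWS).items()):
        print(src, ", ".join(sorted(labels)))
```

The third branch is the weak one: a DoH endpoint not on the list, or one sharing an address with ordinary web content, produces no finding at all, whereas the port-53 and port-853 checks need no prior knowledge of the destination.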



It's good that they didn't use DoT, because then it would be too easy for adversaries who want to do censorship or surveillance to just block port 853.


Do you think that DoH prevents adversaries from doing censorship and/or surveillance?

> DoH encrypts precisely zero data that is not already present in unencrypted form. As it stands, using DoH only provides additional leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections still provide the rest. It is fake privacy in 2019.

* https://twitter.com/PowerDNS_Bert/status/1175744071673028608

In the resulting HTTPS web request you have the hostname anyway. Think that ESNI will save you? Well that's being blocked:

* https://www.theregister.com/2020/08/11/china_blocking_tls_1_...

* https://www.zdnet.com/article/dns-over-https-causes-more-pro...
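The "you have the hostname anyway" point made above, as an added example that is not part of the thread: a constructed TLS ClientHello carrying a server_name extension, and a parser that pulls the hostname back out of the cleartext handshake, which is all a passive observer on the path needs. This is the leak that ESNI, and now ECH, are meant to close: with ECH the parser below would see only the outer public name, not the real destination. The record layout follows the TLS handshake format; the hostname and cipher suite are sample values.

```python
"""Extract the SNI hostname from a cleartext TLS ClientHello.

Added example, not code from the thread. build_client_hello() constructs a
minimal record purely so the parser has realistic input to run on.
"""
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record, optionally with an SNI extension."""
    client_version = b"\x03\x03"
    random = bytes(32)          # a real client sends 32 random bytes; zeros for the sample
    session_id = b"\x00"        # empty session id
    cipher_suites = b"\x00\x02" + b"\x13\x01"   # one suite: TLS_AES_128_GCM_SHA256
    compression = b"\x01\x00"   # null compression only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_body = struct.pack("!H", len(entry)) + entry         # server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = client_version + random + session_id + cipher_suites + compression
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                     # not a handshake record / not a ClientHello
        pos = 9                             # record header (5) + handshake type (1) + length (3)
        pos += 2 + 32                       # client_version + random
        pos += 1 + record[pos]              # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]              # compression_methods
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            data = record[pos:pos + length]
            pos += length
            if ext_type != 0x0000:          # only the server_name extension matters here
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            off = 2
            while off + 3 <= 2 + list_len:
                name_type = data[off]
                name_len = struct.unpack("!H", data[off + 1:off + 3])[0]
                name = data[off + 3:off + 3 + name_len]
                off += 3 + name_len
                if name_type == 0:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # sample hostname
    print(extract_sni(build_client_hello(None)))
```

Nothing here touches DNS at all: whether the lookup travelled over port 53 or inside HTTPS, the very next packet names the site in the clear, which is the substance of the quoted objection.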


> DoH encrypts precisely zero data that is not already present in unencrypted form.

What's the point in locking my front door if I leave my window open? And what's the point in closing my window while my front door is unlocked?

This argument is circular. If you want to secure something that is widely insecure, then you have to start somewhere. It's not like people are ignoring SNI and IP addresses. They're just being handled in separate efforts than DNS is.

> Think that ESNI will save you? Well that's being blocked

If you're working with the assumption that any serious attempt to secure hostnames will eventually be blocked, then what's the point of anything at all? Should we just completely give up on security/privacy because the state won't allow it?

We can address ESNI blocks as a separate effort from DNS. We don't have to do literally everything at the same time, it's OK for us to gradually move towards better security and address each problem one at a time.

> Do you think that DoH prevents adversaries from doing censorship and/or surveillance?

Given the amount of complaining I'm seeing from multiple network operators on this very article, yes, there's a pretty strong likelihood that it helps. Because if it didn't, then network operators wouldn't be complaining about it.

How do you square "DoH is useless" with these kinds of comments in your own linked articles?

> In a paper published last month, the SANS Institute, one of the world's largest cyber-security training organizations, said that "the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls."

> "The trend is unmistakable: DNS monitoring will get harder," the Dutch agency said.

> The Internet Watch Foundation (IWF), a British watchdog group with a declared mission to minimize the availability of online child sexual abuse content, also criticized both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content.

Does DoH make blocking/monitoring content harder or not? Is the UK lying when it says that DoH will make it harder for them to block content at the ISP level?


Sounds like eSNI is a good move if China is blocking it.


Sounds like eSNI is a useless waste of effort since its intended audience can't use it.

Meanwhile eSNI/ECH breaks network visibility into the networks I'm responsible for managing (at home and work). If I'm supposed to be a good netizen and make sure that I quickly hunt down malware that's gotten on my network(s), blocking tools and techniques to do just that seems… silly.


> Meanwhile eSNI/ECH breaks network visibility into the networks I'm responsible for managing (at home and work).

Well, don't worry about it, since apparently no one can use it and it'll get blocked, right?

I don't understand the simultaneous argument of "this won't be usable because governments will all block it" and "this is going to make it impossible for me to monitor my network." Both of those arguments can't be correct at the same time; if your government won't block eSNI, then it'll be a privacy boost in your country and it's a realistic path for privacy advocates to pursue. If your government does block eSNI, then why are you worried about your personal network?


I'll do it too, for my own network. But adding it at the firewall would be a good/acceptable idea... Currently this probably means running an HTTP/S proxy.



