Quick thoughts on DoH


Zlg[1] and slugmax[2] have recently phlogged about DNS over HTTPS (or

DoH[3]). I learned about DoH relatively recently in the course of

research for an article I was writing (which hopefully many of you

will get to read some day, which is about all I can say about that

project for now!). I have yet to develop a strong stance on whether I

am "for" or "against" DoH. But during my research I was struck by the

fact that the web is full of what I considered to be poorly written

and poorly argued "hit pieces" explaining why DoH does everything

wrong and is the work of the devil. There was so much of this stuff,

and it was of such low quality, that I genuinely suspect somebody with

financial motives to discourage DoH adoption has been paying people to

write them.

One argument which often comes up is that DoH adoption is being pushed

by big shady surveillance-friendly corporations like Google and

Cloudflare - which, to be fair, is a good reason to be suspicious of

anything - and in particular that early adopters of DoH like Android

and Mozilla are silently.

I totally understand the concern that many people will never change

those defaults, and so those few providers will swallow up a large

amount of traffic (which is not too different to how many people use

their ISP's DNS resolver, and so big ISPs get a huge share of traffic).

But it seems to me this is a poor argument against DoH as a protocol,

which after all is no more centralised than HTTPS is. There are

already non-commercial and privacy-centric DNS providers supporting

DoH (some are listed here[4]), and presumably there will be more in

the future. Reconfiguring your browser to use one of these instead of

Cloudflare is probably no more effort than disabling DoH entirely

(which for many people will result in falling back to plaintext DNS).

Doing this shows support for improving DNS security (which is sorely

needed) without supporting centralisation or commercialisation.
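To make concrete the point that DoH is just ordinary DNS messages carried
over HTTPS, and that nothing in the protocol ties you to one provider, here
is an added example (mine, not from the original post) of what a DoH
exchange looks like at the wire level as described in RFC 8484. The
resolver URL is an assumption that you replace with whichever provider you
pick, and the "response" is constructed inside the script so it runs
offline; only the encoding and parsing are the real protocol.

```python
# Added example, not from the original post: a DoH (RFC 8484) exchange at
# the wire level. RESOLVER_URL is an assumption; the response is constructed
# here so the script runs without network access.
import base64
import struct

RESOLVER_URL = "https://doh.example.net/dns-query"  # assumed; any DoH endpoint works


def build_query(name, qtype=1, txid=0):
    """Minimal DNS wire-format query: 12-byte header plus one question (class IN).
    RD (recursion desired) is set; txid 0 is what RFC 8484 recommends so that
    identical queries produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, query):
    """GET form of a DoH request: the query base64url-encoded (no '=' padding)
    in the 'dns' parameter. The client also sends 'Accept: application/dns-message';
    the POST form instead sends the raw bytes with that Content-Type."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Parse a DNS response body (the HTTP response payload) and return
    (name, ttl, ipv4) for each A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        rname, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((rname, ttl, ".".join(str(b) for b in rdata)))
    return records


def constructed_response(query, ips, ttl=300, rcode=0):
    """Constructed sample of what a resolver might return for `query`:
    flags QR|RD|RA, the question echoed, one A record per IP using a
    compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url(RESOLVER_URL, q))
    print(parse_a_records(constructed_response(q, ["93.184.216.34"])))
```

The only thing that changes when you move from one DoH provider to another
is RESOLVER_URL; the bytes in the request and response are the same DNS
messages any resolver speaks, which is why the protocol itself is no more
centralised than HTTPS.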

None of this is to say that DoH is without problems, or that it is

better than alternative solutions. I'm still not sure where I stand on

that. But it would be a shame to throw out the baby with the bathwater

because of default settings.

[1] gopher://zaibatsu.circumlunar.space:70/0/~zlg/0015_disable-doh.txt

[2] gopher://republic.circumlunar.space:70/0/~slugmax/phlog/2020-02-29-comments-on-dns-over-https

[3] https://en.wikipedia.org/wiki/DNS_over_HTTPS

[4] https://www.privacytools.io/providers/dns/

Original URL
gemini://zaibatsu.circumlunar.space/~solderpunk/phlog/quick-thoughts-on-doh.txt