In my house I want DNS resolution to be performed by my own DNS resolver (https://github.com/NLnetLabs/unbound), after I block ad domains.
DoH circumvents that.
That counterargument ignores the fact that you can be the owner of an endpoint but not be permitted, by manufacturer's policy, to control the software running inside. That's what you get for purchasing a proprietary device.
So, as the network operator and owner of the endpoints in the world of DoH (and pinned certificates), you end up being left with the decision to "vote with your wallet" and simply not purchase devices that don't afford you influence on name resolution (or whatever functionality we're talking about).
The counterargument goes on to say that the manufacturers of these sealed-box devices can functionally do this today anyway simply by implementing their proprietary name resolution (content delivery, etc) protocol.
It was all fun while it lasted.
We used to have a decentralised Internet with a truly open and engineering-led garden of interoperable protocols. However, during the past decade and a half we've seen a massive change. We find ourselves in a situation where only https matters. It's a catch-22 type of situation: anything else had better be able to tunnel over it, otherwise many users will be left out, since it's all that is supported, because it's what others tunnel over.
While this happened, the browser organizations grew politically strong and now control not only the public key infrastructure that underpins https but also the standardization of https itself.
The only exception to this is dns. Together with ip itself it follows the open meritocratic process that gave us decentralised planet wide internetworking. Unfortunately, it is closely tied with the domain name system, which is controlled by a parallel organization which isn't as open and meritocratic.
So basically we have three stakeholders of political value in the Internet ecosystem today. Us proponents of open and permissionless internetworks closely align with one, one is a gray area, and one is a conglomerate of private companies.
Is it really healthy for the Internet if Mozilla, Microsoft and Cloudflare took control over dns resolving on a wide scale? Even apart from the obvious privacy issues?
They may mean well, but it logically follows that when dns is centralized among a few actors, they will also have a disproportionately large say in the evolution of the system. They could even tack on some extra top domains or other extensions that they could resolve. All in good faith, of course. But that would, in time, bring over any remaining users of the old decentralized system.
It's not as if similar things haven't happened before, in other contexts. So, yes, I will be one of the holdouts and keep resolving my own dns queries. It's not harder than "apt-get install unbound". It's the way the distributed domain name database was designed to work, and for good reason.
Since anyone can run a DoH server as well, how is that "politically" worse than DNS?
EDIT: Right, so I think I figured it out: the issue is with locked DoH DNS servers where one can't MITM them anymore due to encryption and not being able to fake the server certificates.
It makes the assertion that because SOME of us don't know how to change our DNS servers, they (Mozilla, Cloudflare, other proponents of DoH) need to take control away from us and need to send our DNS lookups to, usually, them.
The justifications are ridiculous, but the harms introduced by DoH are much, much worse than the thing they're trying to say makes DoH useful.
Taking control away from the owner of networks is a good thing. Control is supposed to reside with the owner of endpoints. To see why, imagine if your ISP started to MITM all of your connections that went over their network.
> don't know how to change our DNS servers
It's not a case of "don't know how". It's a case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway".
What you need for this is some kind of encrypted DNS. What you don't need is for it to be implemented in the way DoH commonly does it.
What you should have is a router, which hands itself out as the DNS server via DHCP, takes the client's plaintext DNS request and does an encrypted query -- ideally directly to the authoritative servers for that domain, but at least to something of your choosing. Or, you configure your device to do this itself for every application using the system DNS. These all work fine, because the device owner can reasonably change them -- you configure it in one place for every application or your whole LAN at once.
The problem with DoH is that it puts it into each individual application, and then it's infeasible for the device owner to change it because it's a million settings in a million places and some applications don't support changing it at all. Worse, you get evil applications where the endpoint device is the thing controlled by Evil Corp and the local network is the thing the device owner is using to block spyware. At which point "the network" needs to be able to block this, or malware and evil IoT garbage can operate with impunity.
The claimed workaround is that browsers try to resolve a particular name with the system DNS and then turn off DoH if it resolves in a particular way, but now you're back to this:
> It's a case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway".
Because then $evil_isp can just resolve that name in that way to go back to doing the MITM. At which point you've lost any benefit of the device doing this against a truly malicious ISP, or it becomes an excuse to remove this "feature" and then the device owner can't do it either.
This is the wrong way to do it.
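The router setup described in the post above (the router is handed out as the LAN's DNS server via DHCP, takes clients' plaintext queries and either recurses directly to the authoritative servers or forwards them over an encrypted channel to a resolver of your choosing), as an added shell example that is not code from any poster in this thread. It generates an unbound.conf and the matching dnsmasq DHCP option. The LAN addresses, the interface and the choice of Quad9 as TLS upstream are placeholders; the canary entry uses use-application-dns.net, which is Firefox's documented canary domain, and returning NXDOMAIN for it is exactly the "resolves in a particular way" signal the post says an ISP could forge just as easily.

```shell
#!/bin/sh
# Added example for the thread, not code from any poster.
# Generates the config for a LAN router that (a) is handed out as the DNS
# server via DHCP and (b) answers clients' plaintext queries either by
# recursing directly to authoritative servers or by forwarding over TLS.
# Placeholders: 192.168.1.1/24 for the LAN, Quad9 (9.9.9.9, dns.quad9.net)
# as the TLS upstream. Adjust to your own network.

# gen_unbound_conf LAN_IP LAN_CIDR MODE   (MODE = recurse | forward)
gen_unbound_conf() {
    lan_ip="$1"; lan_cidr="$2"; mode="${3:-recurse}"
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: ${lan_ip}
    # Only the LAN may use this resolver; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ${lan_cidr} allow
    access-control: 0.0.0.0/0 refuse
    # Send only the minimum name to each authoritative server when recursing.
    qname-minimisation: yes
    # CA bundle used to authenticate a TLS upstream (Debian/Ubuntu path).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Firefox's documented canary: NXDOMAIN here tells it to keep DoH off.
    local-zone: "use-application-dns.net" always_nxdomain
EOF
    # In "recurse" mode there is no forward-zone: unbound talks to the
    # authoritative servers itself. In "forward" mode every query goes to
    # the chosen upstream over TLS on port 853.
    if [ "$mode" = "forward" ]; then
        cat <<EOF

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#authname: unbound checks the certificate against authname.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
EOF
    fi
}

# gen_dnsmasq_dhcp LAN_IP : DHCP option 6, so clients pick up the router
# as their resolver without any per-device configuration.
gen_dnsmasq_dhcp() {
    printf 'dhcp-option=option:dns-server,%s\n' "$1"
}

# Standalone demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    gen_unbound_conf 192.168.1.1 192.168.1.0/24 forward
    gen_dnsmasq_dhcp 192.168.1.1
fi
```

Drop the generated server block into /etc/unbound/unbound.conf.d/ and run unbound-checkconf before restarting; the forward-zone is only worth adding when you would rather trust one chosen upstream than let unbound recurse itself, which is the default and needs no upstream at all.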
It takes control away from the owner of networks, even when we're the owner of those networks. Should DoH start to become more common, blocking it will become a Sisyphean task.
It takes control away from the owner of endpoints. Sure, you can go and change the settings in Firefox to turn off DoH after they've turned it on without asking and without telling us, but what happens when applications and Trojans start doing DoH lookups, skipping our system's configured DNS? So yes, your statement about control residing with the endpoints is correct, but DoH removes control, doesn't add it.
For the case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway", that's FUD. There are many, many better ways to deal with evil ISPs.
Encouraging the world to send all of their DNS lookups to a centralized entity like Cloudflare (who, by every right, are precisely in a position to be an evil ISP) is such an incredibly shortsighted idea that I have to think that you haven't thought out the implications of a world where DoH is dominant.
If you care to learn, consider things without DoH: you can edit your hosts file. You can choose your DNS servers. You can run a local recursive resolving DNS server. You can block ads and advertisingware using your DNS server and/or something like Pihole. You can block all DNS queries to the outside world on your network so that they all go through your own resolvers.
Next, consider a world where DoH is commonplace: you have no control over DNS lookups on your own system. Your only choice is to not run binaries that might do things you don't like. Want to block ads or adware, or adult sites, or conspiracy sites, or any of a number of other things on the Windows system that your child uses? Now Edge doesn't let you. Want to block the Trojans and phishing sites that Google serves through their ad network? Chrome doesn't let you. "Just don't run binaries that do that" is one heck of an ask for people who don't know how to set their own DNS or who have an evil ISP.
You can block common DoH servers, until Cloudflare puts them on the same address as the endpoints for their millions of hosting customers. But what happens when apps do DoH lookups using random Amazon AWS or Google Cloud servers? How do you block them? Do you block ALL https?
You see, you'd give up freedom, and have everyone else give up their freedom, for some abstract "safety" from ISPs that use your DNS data. You'd apply a shitty fix for 1% of the people to 100% of the people, rather than create tools for the 1% to circumvent their evil ISPs.
The fact that you'd choose this makes me think that either you want big, evil companies like Cloudflare to win, or you really don't understand the issues.
Just like this article above does a good job explaining the lack of security in the cloud, we really could use a good article explaining how completely inane the idea of DoH is.
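Two of the "without DoH" controls the post above lists (blocking ads with your own DNS server, and blocking all DNS queries to the outside world so they go through your own resolver), plus the address-based DoH blocking it says will stop working once the resolver addresses also front ordinary sites, as an added shell example that is not code from any poster. It converts a hosts-format ad blocklist into unbound local-zone stanzas and emits an nftables ruleset for the router. The sample blocklist is constructed, and the interface name, resolver address and DoH addresses (192.0.2.x is documentation address space) are placeholders.

```shell
#!/bin/sh
# Added example for the thread, not code from any poster.
#  1. hosts_to_unbound: convert a hosts-format ad blocklist into unbound
#     local-zone stanzas that answer NXDOMAIN.
#  2. gen_nft_rules: nftables ruleset that redirects LAN clients' port-53
#     traffic to the router's resolver, drops direct DNS-over-TLS (853)
#     and drops HTTPS to a chosen set of DoH resolver addresses.
# Placeholders: LAN interface lan0, resolver 192.168.1.1, and whatever
# DoH addresses are passed in (192.0.2.x below is documentation space).

# Constructed sample blocklist: a comment, two ad hosts, a localhost line
# that must not be blocked, and a duplicate that must appear only once.
SAMPLE_HOSTS='# constructed test list
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
0.0.0.0 ADS.example.com
'

# hosts_to_unbound: hosts-format lines on stdin -> unbound local-zone lines.
hosts_to_unbound() {
    awk '
        /^[[:space:]]*#/ || NF < 2            { next }   # comments, blanks
        $1 != "0.0.0.0" && $1 != "127.0.0.1"  { next }   # not a sinkhole entry
        { name = tolower($2) }
        name == "localhost" || name == "localhost.localdomain" { next }
        !seen[name]++ { printf "local-zone: \"%s\" always_nxdomain\n", name }
    '
}

# gen_nft_rules LAN_IF RESOLVER_IP "ip, ip, ..."   (DoH list must be non-empty)
gen_nft_rules() {
    lan_if="$1"; resolver="$2"; doh_list="$3"
    cat <<EOF
table inet dnsguard {
    # Addresses of DoH servers you choose to block. As the post above says,
    # this only works while those addresses serve nothing else.
    set doh_resolvers {
        type ipv4_addr
        elements = { ${doh_list} }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Clients that ignore DHCP and pick their own server still end up
        # at the local resolver (IPv4 only in this example).
        iifname "${lan_if}" ip daddr != ${resolver} udp dport 53 redirect to :53
        iifname "${lan_if}" ip daddr != ${resolver} tcp dport 53 redirect to :53
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DNS over TLS has its own port, so it is easy to stop at the edge.
        iifname "${lan_if}" tcp dport 853 drop
        # DoH looks like any other HTTPS; only the destination gives it away.
        iifname "${lan_if}" ip daddr @doh_resolvers tcp dport 443 drop
    }
}
EOF
}

# Standalone demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound
    gen_nft_rules lan0 192.168.1.1 "192.0.2.10, 192.0.2.11"
fi
```

Feed a real blocklist through hosts_to_unbound and include the result under the server: section of unbound.conf (unbound accepts an include: directive there); load the ruleset with nft -f. The 853 rule is the one that reliably holds, which is the post's point: DoT announces itself by port, while DoH can only be told apart by where it goes.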