What you need for this is some kind of encrypted DNS. What you don't need is for it to be implemented in the way DoH commonly does it.
What you should have is a router, which hands itself out as the DNS server via DHCP, takes the client's plaintext DNS request and does an encrypted query -- ideally directly to the authoritative servers for that domain, but at least to something of your choosing. Or, you configure your device to do this itself for every application using the system DNS. These all work fine, because the device owner can reasonably change them -- you configure it in one place for every application or your whole LAN at once.
The problem with DoH is that it puts it into each individual application, and then it's infeasible for the device owner to change it because it's a million settings in a million places and some applications don't support changing it at all. Worse, you get evil applications where the endpoint device is the thing controlled by Evil Corp and the local network is the thing the device owner is using to block spyware. At which point "the network" needs to be able to block this or malware and evil IoS garbage can operate with impunity.
The claimed workaround is that browsers try to resolve a particular name with the system DNS and then turn off DoH if it resolves in a particular way, but now you're back to this:
> It's a case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway".
Because then $evil_isp can just resolve that name in that way to go back to doing the MITM. At which point you've lost any benefit of the device doing this against a truly malicious ISP, or it becomes an excuse to remove this "feature" and then the device owner can't do it either.
This is the wrong way to do it.
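The canary-domain downgrade the comment above describes can be modelled in a few lines. This is an added example, not code from the original post or from any browser: the canary name, the resolver behaviours and the addresses are all constructed placeholders (the real browser check uses its own canary name and extra policy rules that are not modelled here). It shows that a client which disables DoH whenever the system resolver answers the canary with NXDOMAIN cannot tell an honest LAN administrator opting out from an upstream that hijacks every query and also answers the canary that way, which is the failure mode the comment points at.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed canary name; stands in for the real browser canary domain.
CANARY = "canary.example"


@dataclass(frozen=True)
class Answer:
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    addresses: Tuple[str, ...] = ()  # A/AAAA records returned, if any


Resolver = Callable[[str], Answer]


def lan_admin_resolver(name: str) -> Answer:
    """Honest LAN resolver: answers the canary with NXDOMAIN to opt the
    network out of application-level DoH, otherwise resolves normally.
    Addresses are constructed documentation-range values."""
    if name == CANARY:
        return Answer("NXDOMAIN")
    return Answer("NOERROR", ("192.0.2.10",))


def hijacking_upstream_resolver(name: str) -> Answer:
    """Upstream that intercepts plaintext queries and substitutes its own
    answers. It returns NXDOMAIN for the canary exactly as the honest LAN
    admin does, so the client sees the same signal in both cases."""
    if name == CANARY:
        return Answer("NXDOMAIN")
    return Answer("NOERROR", ("203.0.113.5",))


def should_use_doh(system_resolve: Resolver) -> bool:
    """Canary check as the comment describes it: if the system resolver
    answers the canary with NXDOMAIN (or no addresses), disable DoH."""
    ans = system_resolve(CANARY)
    return not (ans.rcode == "NXDOMAIN" or not ans.addresses)


def resolve_with_policy(system_resolve: Resolver, doh_resolve: Resolver,
                        name: str) -> Tuple[str, Answer]:
    """Return which path was used ("doh" or "system") and the answer the
    application would act on, after applying the canary check."""
    if should_use_doh(system_resolve):
        return "doh", doh_resolve(name)
    return "system", system_resolve(name)


def doh_resolver(name: str) -> Answer:
    """Stand-in for the encrypted resolver the application would use if DoH
    stays enabled; its answer is constructed and not subject to hijacking."""
    return Answer("NOERROR", ("198.51.100.7",))


def canary_indistinguishable() -> bool:
    """True when the honest LAN resolver and the hijacking upstream produce
    the same DoH decision, i.e. the canary check cannot separate them."""
    return should_use_doh(lan_admin_resolver) == should_use_doh(hijacking_upstream_resolver)


if __name__ == "__main__":
    for label, resolver in (("lan admin", lan_admin_resolver),
                            ("hijacking upstream", hijacking_upstream_resolver)):
        path, ans = resolve_with_policy(resolver, doh_resolver, "service.example")
        print(f"{label:20s} DoH enabled={should_use_doh(resolver)} path={path} answer={ans.addresses}")
    print("canary check distinguishes the two cases:", not canary_indistinguishable())
```

Both resolvers produce `path="system"`, so with the hijacking upstream the application ends up trusting `203.0.113.5`; the only lever that changes this is the one the comment argues for, namely a resolver on the router or host that the device owner controls and that forwards queries over an encrypted transport of the owner's choosing.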