I was just collecting arguments. This collection has absolutely nothing to do with my personal opinion or any opinion at all. To be honest, I feel torn about it. I see both sides. And I'm really hoping more DoH providers will enter the game.
Yes, no more blocking anything via hosts files or Pi-hole
DoH means that Firefox sends the DNS request with the encrypted HTTPS header. No way for the OS or anything outside the browser to interfere. Firefox never reads the hosts file; only the OS resolver does, and the OS will be out of the picture. See here for example https://www.reddit.com/r/firefox/commen ... y_firefox/
DNS resolution is transferred from the system level to the application level
Up to now the OS did the resolving, protected by the necessary permissions. With the change this will be done by Firefox, which runs in userspace. We'll see a whole new type of attack against the browser, and we'll have to rely on the browser's security mechanisms.
concentrating DNS lookup data at the ISP vs. concentrating data at the DoH provider
The DNS data is collected at the DNS query endpoint, which is either the ISP (many local units) or the remote DoH provider (centralized worldwide). Which version enhances privacy depends on several factors, which are probably different for different people from different areas. Some countries might punish you for using Cloudflare/Google; others might do exactly the opposite, depending on the position of whoever is doing the surveillance.
Cloudflare is already a very powerful player in the market: they are the endpoint of a high share of the worldwide SSL connections, because they act as a man-in-the-middle for all their clients (which covers, I don't know, 30%? 50%? of internet traffic; it's hard to get numbers).
censorship via DNS blocking will become centralized too
Actually, I have to correct myself: as long as there are only 3 DoH providers (all US), this is not true. Those 3 decide whether anything gets blocked.
Surveillance issues also get centralized
Certain agencies will not just stop doing their work. They will have only 3 endpoints from which to retrieve all their worldwide metadata, without having to tap undersea cables or ask other governments. Given Cloudflare's already powerful MITM position, it's the perfect target for a gag order. Google is too, for obvious reasons.
DNS-based forensic investigation (e.g. of botnets) becomes impossible for most countries
Even if privacy is highly valued, criminal intent still exists and needs to be prosecuted. With the proposed change, future forensic investigations worldwide will depend on the cooperation of practically only 2 US DoH providers.
kurotsugi wrote: everything else is _and AFAIK should be_ the same
Well, that's not the case. The security mechanism will change from the OS to the browser. Is that wise? And the whole power system will shift towards Cloudflare and Google. Even if they don't act with malicious intent, is it wise to give such a powerful position to just 2 companies that are already powerful? Cloudflare and Google will become single points of failure, and that is never wise in IT.
Edit: AFAIK OpenDNS is Cisco, and I won't even discuss their service, since that company is totally discredited by all their security f..ups in the router business.
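As an added illustration of the hosts-file argument above (example code written for this page, not something the poster or Mozilla published): with DoH the application builds the DNS message itself, wraps it in HTTPS in the RFC 8484 wire format, and parses the answer itself, so a hosts-file or Pi-hole entry is only honoured if the application chooses to check it. The endpoint URL `https://dns.example/dns-query`, the hosts file, and the server response are all constructed here so the script runs offline; nothing is sent over the network.

```python
"""Hand-rolled DNS-over-HTTPS (RFC 8484) client core, added as an example.
Shows why DoH bypasses /etc/hosts and Pi-hole: the application assembles and
parses the DNS message itself, and never asks the OS resolver.
Endpoint URL, hosts file and server response below are constructed."""
import base64
import struct

# Constructed sample of an ad-blocking hosts file (Pi-hole style entry)
HOSTS_FILE = """\
127.0.0.1   localhost
0.0.0.0     ads.example
"""

DOH_ENDPOINT = "https://dns.example/dns-query"  # assumed placeholder endpoint


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query message (RFC 1035) for `name`; qtype 1 = A record."""
    # ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 section 6: GET form carries the message base64url-encoded, unpadded."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def parse_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def fake_doh_server(query: bytes, addr: str = "203.0.113.10") -> bytes:
    """Constructed stand-in for the provider. A real client would POST `query`
    over HTTPS with Content-Type application/dns-message and get bytes like these."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, one answer
    question = query[12:]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name ptr, A, IN, TTL
              + bytes(int(o) for o in addr.split(".")))
    return header + question + answer


def hosts_lookup(name: str, hosts_text: str):
    """The step the OS resolver takes first and a pure-DoH application skips."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def resolve(name: str, honor_hosts: bool, hosts_text: str = HOSTS_FILE) -> list:
    """honor_hosts=True mimics the OS path; False mimics a browser doing DoH itself."""
    if honor_hosts:
        hit = hosts_lookup(name, hosts_text)
        if hit is not None:
            return [hit]
    return parse_a_records(fake_doh_server(build_query(name, txid=0x1234)))


if __name__ == "__main__":
    print(doh_get_url(DOH_ENDPOINT, build_query("ads.example", txid=0x1234)))
    print("OS resolver:", resolve("ads.example", honor_hosts=True))   # hosts file wins
    print("DoH in app :", resolve("ads.example", honor_hosts=False))  # hosts file bypassed
```

The same name resolves to the blocking address 0.0.0.0 on the OS path and to the provider's answer on the DoH path; that difference is exactly what a Pi-hole or hosts-file user loses when the browser resolves for itself, and why such a client has to offer its own fallback or exclusion list if it wants to keep honouring local overrides.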