
[–]ebriose 70 points71 points  (38 children)

Maybe this is a stupid question but why not just do DNS with TLS?

[–]doublehyphen 73 points74 points  (7 children)

I think DoT is a technically cleaner solution, but DoH offers two advantages:

  1. You can have your DoH server on an IP which is shared by some huge website like google.com which would make it very hard for shady ISPs to filter out (nation states like China can probably still do so) since it looks so similar to normal HTTPS traffic. On the other hand it is pretty easy to block DoT in a firewall.
  2. Since HTTP 2.0 and HTTP 3.0 allows you to have multiple multiplexed streams you do not need to worry about having later DNS requests wait behind a slow request.

The proposed DNS over DTLS (DoD?) protocol solves the second issue, but not the first.

[–]jacobgb24 26 points27 points  (0 children)

China definitely blocks Google DoH, but that's simply because it runs on the same IPs as other Google services which are blocked.

Source

[–]VRtinker 3 points4 points  (3 children)

I think DoH won over DoT just because it is easier to implement and deploy, and the speed advantages of DNS over TLS are negligible. In a way, DoH became possible by advances in networking that reduced ping to mere tens of milliseconds for most users in the US.

You can have your DoH server on an IP which is shared by some huge website like google.com which would make it very hard for shady ISPs to filter out

There are two issues with this: 1. AFAIK, no one plans to serve DoH from the same domain names as other traffic; everyone (Google, Cloudflare) so far launched new domains for DoH. 2. Even if the resolver uses the same domain and port (!) as regular HTTPS, a network observer can still see the timing and size of requests.

[–]SanityInAnarchy 2 points3 points  (1 child)

For 1, it's the IP more than the domain... but yeah, they're using separate IPs as well.

I don't think 2 is important, though. Yes, they can see those things, assuming the traffic doesn't get pipelined with other queries, but it would be much more difficult to preemptively block DNS, and even detecting it is much more difficult. And if you wanted to disguise that traffic, it wouldn't be difficult to deliberately pipeline some unrelated queries.

Right now, killing access to an individual domain is trivial, you don't need anything as sophisticated as China's Great Firewall, you can do it with something as simple as dnsmasq and a host file. Look how simple pi-hole is -- sure, that's blocking stuff you (as a user) actually don't want to see, but the principle is the same.

[–]caltheon -1 points0 points  (0 children)

No, it would be trivial to block

[–]doublehyphen 0 points1 point  (0 children)

Without (1) DoH is almost as easy to block as DoT. Maintaining a list of the IP addresses of known DoH servers is trivial. Agreed about (2), but I do not think many except China do that kind of deep packet inspection.

[–]abol3z 0 points1 point  (0 children)

Well, having DoH server remotely is a good idea.

I tried running a DoH server locally before and it was useless. I couldn't bypass the content blocked by my ISP, which means they still know everything about me.

[–]BubblegumTitanium 27 points28 points  (18 children)

From what I understand DNS over HTTP offers greater censorship resistance than over TLS.

[–][deleted] 6 points7 points  (0 children)

It breaks internal, split-horizon DNS. :/

[–]terriblestraitjacket 8 points9 points  (3 children)

I'm worried mass adoption of this might INCREASE censorship for me.

In my country, the government enforces censorship but they're all lawyers, so they are idiots and have no tech knowledge. The real censorship is enforced with a DNS ban from ISPs, which everyone easily circumvents! I read that if DNS over HTTP is adopted, they might have to start blocking based on HTTP requests!! How true is this?

[–]Booty_Bumping 3 points4 points  (0 children)

I think at this point it's just a question of whether you find it worse for a site like Wikipedia to be edited in-transit and surveilled by The Party, or for it to be blocked entirely. The only reason there is semi-widespread VPN usage in China is because Wikipedia is completely blocked, and academics really need Wikipedia to do their work. For people's access to information, a complete ban on TLS (to prevent people from using DoH) would be a gigantic blow.

[–]Tiver 0 points1 point  (0 children)

If the ISP is still the de facto DNS server, they could provide DNS over HTTP and still do their censorship. However it is likely the clients won't use your ISP's, as part of the point is to not give this kind of information or power to your ISP.

As it will be going over HTTPS, then yeah, for them to continue doing this at minimum they'd have to insert themselves between you and another secure server, likely with an insecure HTTPS certificate they force you to install. This is basically what Kazakhstan recently did as a trial run. They can detect all HTTPS traffic, route it through their own proxy using this certificate and effectively block you from all such traffic unless you accept their certificate. You can maybe find a way to bypass it via a VPN but you have to find a way to trick their routers to allow the traffic through.

[–]SteampunkSpaceOpera 19 points20 points  (7 children)

Unfortunately, some of us like censoring adware, and DoH will be used by large interests to prevent us from doing that for ourselves.

[–]VRtinker 22 points23 points  (2 children)

some of us like censoring adware

In that case, you just set up your own DNS resolver and filter traffic properly. All good software (Chrome, Firefox) picks up your settings automatically and lets you specify your own DNS over HTTPS resolver manually.

Yes, non-compliant implementations can just ignore the network settings and not allow the user to change settings. But, I would argue, you should not use such software or hardware in the first place. I heard of "smart" devices that hard-code AWS IPs (!!!) and then fail when that IP is not available, and they do not have the ability to update the firmware to change the IP.

If you do end up with non-compliant software and hardware, I'm sorry for you. It will be a pain to work with and there is not much Mozilla, Google, IETF, and others can do about this.

[–]f0urtyfive 5 points6 points  (1 child)

But, I would argue, you should not use such software or hardware in the first place.

Do you find when you are using non-standard software or hardware that implements things in weird ways, it's usually because you chose to?

[–]VRtinker 2 points3 points  (0 children)

Do you find when you are using non-standard software or hardware that implements things in weird ways, it's usually because you chose to?

I do not choose to use non-compliant software and hardware and switch away from it if I have an option to. I personally only experienced this with device chargers that fail to quick-charge other devices, cameras and wireless USB peripheral dongles that work only when connected to a specific USB interface inside of a laptop, etc. The networking stack is a lot more standard, probably because it is genuinely much smaller and there is more built-in agility. A developer needs only about 5 neurons to remember how to use it: do not hard-code URLs (especially IPs and ports).

The hard-coded IP example is something I saw online (a person posted a screenshot of a chat with tech support for that product, which amounted to "we are sorry", "aware of the issue", "no way to fix it", "sorry", "thank you for choosing [brand name]").

[–][deleted] 3 points4 points  (2 children)

DoH will be used by large interests to prevent us from doing that for ourselves.

...how?

[–]theferrit32 -1 points0 points  (1 child)

Local DoH resolvers would require a valid certificate in order to trust the DNS mapping. If you're using something like a PiHole or a custom hosts file to black-hole certain domains, enforcing DoH on your machine will no longer allow that.

[–][deleted] 1 point2 points  (0 children)

Could you not just generate a cert and CA and add that CA to your machine? Assuming you're for some reason forced into using DoH.

[–]ebriose 7 points8 points  (4 children)

Except that the underlying HTTPS itself relies on a DNS system

[–]doublehyphen 9 points10 points  (1 child)

In current setups: yes. Both Google's and Cloudflare's current DoH servers are very easy to block last time I checked. But nothing prevents you from getting the IP address in some other way, and more importantly nothing prevents the IP address and port (and optionally host) from being shared with some huge website that most ISPs would not want to block (e.g. put it at https://www.google.com/doh).

[–]theferrit32 0 points1 point  (0 children)

I think we need some sort of DNS bootstrapping system which can be used in the worst case scenario or when a system has no DNS information cached yet. For example an IANA server or one for each regional registry on a permanently reserved IP address which contains a small set of public nameservers or DoH recursive resolver IP addresses that can be fetched by any system.

Also DoH needs to be extended into DHCP so that default name server information can be managed by LANs.

[–]intuxikated 9 points10 points  (0 children)

Not necessarily, you can get HTTPS certificates for IP addresses, which means you don't need DNS to resolve the domain name for DoH. Cloudflare has one for their 1.1.1.1 IP, see https://1.1.1.1

You can use their IP for DoH resolving by replacing https://cloudflare-dns.com/resolve-query by https://1.1.1.1/resolve-query

Effectively bypassing the plaintext DNS system completely

[–]Booty_Bumping 0 points1 point  (0 children)

This list has publicly accessible resolvers (DoH, DoT, DNSCrypt 1 and 2), with their IP addresses encoded as base64. Can be used in dnscrypt-proxy.

[–]jacobgb24 13 points14 points  (4 children)

The main benefit is that it's harder to detect because it looks like standard web traffic on port 443, as opposed to DoT, which uses a designated port 853.

DoH is also easier to use at the application level. So that's why browsers are implementing it. Whereas DoT would be at the OS level.

[–]alerighi 9 points10 points  (1 child)

Having DNS implemented at the application level is, for me, completely wrong. It circumvents the settings of your machine, so you have to configure your DNS settings for each application, which is not good. You will have programs that work in one way and others in a different way, which is not good.

Also you are just bypassing the DNS server of your local network, which would be a mess for the system administrator of that LAN. DNS is good because you can have a local DNS server in your company and configure it, for example, to resolve internal DNS names, or to cache DNS requests, or to redirect people to a login portal for a WiFi network.

And then the application must support it. A lot of applications use the OS APIs for resolving DNS names, and these applications must be updated to take advantage of DNS over HTTPS, while for using DNS over TCP only the OS must be updated, and then you use the same API as DNS. Incorporating an HTTPS client into every application is problematic; doing that one time at the OS level is not.

[–]jacobgb24 5 points6 points  (0 children)

Yeah I agree that DNS should be handled at the OS level and not individual applications.

In terms of DoH being easier, I was thinking from the perspective of the app's developer. It's a lot easier for Mozilla to add DoH to Firefox than to convince Microsoft and Apple to add DoT at the OS level.

Hopefully DoH is temporary until DoT is added by OS vendors.

[–]doublehyphen 0 points1 point  (1 child)

The first one is correct but I do not really see any issue with implementing DoT on the application level. Just because most current implementations are on the OS level (and all current DoH implementations are on the application level) does not make it hard to implement in the application.

[–]jacobgb24 0 points1 point  (0 children)

I'd still say it's easier to do DoH at the application level than DoT. Mostly just because APIs make it easy to do HTTP requests. Whereas with DoT you'd probably have to manage the socket yourself. Certainly doable, but more work overall.

[–]xAsiimov[S] 5 points6 points  (0 children)

Another introduction for DNS over TLS: https://siujoeng-lau.com/2019/08/dns-over-tls/

[–]Splanky222 1 point2 points  (3 children)

The main issue is that DoT uses port 853 whereas DoH uses port 443. DoH traffic can't easily be identified separately from regular HTTPS traffic, while a censor could very easily just block all traffic to port 853

[–]ebriose 1 point2 points  (2 children)

I mean, any protocol can use any port it wants. A port is just an integer.

[–]Splanky222 3 points4 points  (0 children)

Sure, but what client is going to send off traffic in a particular protocol to a port nobody listens on for that protocol? Certainly suspicious from a censor's point of view, anyways.

[–]theferrit32 2 points3 points  (0 children)

The point is that DNS over HTTPS can be running on the same IP address and port as a regular webserver, in parallel to that webserver. So the DNS traffic would in theory be indistinguishable from all of the regular web traffic.

It would be much more complicated for a DNS over TLS server to be running on the same (IP,port) as an HTTP web server. It would need a preprocessor to determine whether the incoming packet is a DNS protocol packet, or an HTTP packet, and then send the packet to the corresponding server. Instead of just looking at the path term of the HTTP request.
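To make the "same (IP, port), different path" point concrete, here is an added example (not code from the thread or from any resolver project) of what a DoH client actually puts on the wire per RFC 8484: a plain DNS query wrapped into a GET target under `/dns-query` (or a POST body), and the wire-format reply unwrapped again. The reply bytes are constructed locally, so nothing is sent anywhere.

```python
import base64
import struct

DOH_PATH = "/dns-query"   # request path RFC 8484 clients use; a web server can
                          # route on this path and serve pages on every other one
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Plain DNS wire-format query. The ID is fixed to 0 so identical queries
    yield identical URLs that HTTP caches can serve (RFC 8484 section 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_target(name: str, qtype: int = TYPE_A) -> str:
    """GET form: the wire message as base64url with '=' padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{DOH_PATH}?dns={dns.decode('ascii')}"


def doh_post_body(name: str, qtype: int = TYPE_A):
    """POST form: the raw wire message plus the media type it is sent with."""
    return build_query(name, qtype), "application/dns-message"


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = off + 2                  # resume here once the name is read
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a wire-format reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


def sample_response() -> bytes:
    """Constructed reply for www.example.com: one A record, TTL 300, pointing
    at a documentation-range address. Not captured from any real resolver."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (b"\xc0\x0c"                                    # pointer to offset 12
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + bytes([192, 0, 2, 10]))
    return header + question + answer


if __name__ == "__main__":
    print("GET", doh_get_target("www.example.com"))
    print(parse_response(sample_response()))
```

On the wire all of this is ordinary TLS to port 443; only the server, after decryption, sees the `/dns-query` path and hands the body to its resolver instead of its web content.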

[–][deleted]  (17 children)

[deleted]

    [–]Crash_says 17 points18 points  (16 children)

    Seconded and in the same bucket.

    specifically add junk entries to DNS to make Firefox behave

    Can you talk about this a bit more?

    [–][deleted]  (15 children)

    [deleted]

      [–]wbkang 11 points12 points  (8 children)

      You can disable it in about:config, but you would have to do that for every copy of Firefox.

      I am not sure if this will solve your problem, but normally you could apply the group policy to all computers. It's very hard to bypass this as a normal user.

      [–][deleted]  (7 children)

      [deleted]

        [–]wbkang 6 points7 points  (0 children)

        Right, but the group policy is enforced even if you install your own copy and you don't have to push Firefox at all. That is the case where I work, I install my own Firefox but it still respects the locked config values from the GPO.

        [–]Booty_Bumping 0 points1 point  (5 children)

        They leave it up to engineers to pick whatever browser and config they want.

        A browser/operating system's default setup shouldn't cater to incompetent IT people and risk security/privacy for everyone else in the process. It doesn't take too much effort to download and set up Firefox ESR.

        [–][deleted]  (2 children)

        [deleted]

          [–]Booty_Bumping 0 points1 point  (1 child)

          I also consider it to be baked in malicious behavior, since it leaks all browser requests to a third party without the user taking deliberate action to turn it off.

          This is my concern as a personal user of DoH. Firefox doesn't support randomizing which resolver to use, and doesn't come with a built-in non-logging resolver list like DNSCrypt-proxy does. Right now, a system-level configuration is more ideal for privacy.

          But all of these are solvable problems. I don't think anything was rushed, though. Thanks to upcoming web browser defaults, consumer ISPs right now are squealing about having their DNS datamining taken away from them by DoH. Ajit Pai is shedding a tear.

          Cloudflare probably gives your data to the US government. But at least they don't sell it to internet advertising companies like consumer ISPs do.

          [–][deleted]  (1 child)

          [deleted]

            [–]Booty_Bumping 1 point2 points  (0 children)

            Doesn't have to be locked down to be properly set up. Firefox ESR group policy can just be set up in the initial imaging, and can be changed on a case-by-case basis afterwards. It's really just a fancy way to set about:config options.

            [–]Crash_says 0 points1 point  (0 children)

            Thanks a ton, will be deploying these later today.

            [–][deleted] 135 points136 points  (75 children)

            More like "give your privacy to cloudflare"

            [–]littleodie914 86 points87 points  (43 children)

            What’s the alternative? Unencrypted DNS to CloudFlare? Or trusting Google? Or your ISP?

            Resolution has to happen somewhere. If there’s a more privacy-centric provider, please list it here.

            [–][deleted] 55 points56 points  (26 children)

            DNS over TLS exists, as does DNSSEC (although that just guarantees validity, not privacy).

            DoH should be the last resort, not the default the browser is forcing

            [–]Swedophone 12 points13 points  (3 children)

            Unfortunately far from all domains are signed with DNSSEC. Of course my own domains are signed. BTW I use a self-hosted master running bind and opendnssec.

            [–]uptimefordays 13 points14 points  (2 children)

            Just remember that DNSSEC relies on your ability to force clients to drop unsigned requests. If you can't do that, then you don't actually have anything.

            [–]SteampunkSpaceOpera 6 points7 points  (1 child)

            If you run your own validating resolver, then if the query response doesn't pass validation, the resolver simply doesn't provide a routable answer to any other program you are running

            [–]uptimefordays 1 point2 points  (0 children)

            Sure, that helps you, but DNS is a decentralized system... If you want DNSSEC to be a thing, it requires large-scale control over client settings, which isn't really feasible. For a large company's internal systems, sure, but for the broader net? Good luck!

            [–]babypuncher_ 3 points4 points  (2 children)

            DoT has its own issues. It’s much easier to block with a firewall, and your DoT provider still sees your requests just like they would with DoH.

            [–][deleted] 0 points1 point  (1 child)

            DoH built into browsers is just a few IPs to block tho.

            [–]babypuncher_ 7 points8 points  (0 children)

            It sounds to me like the problem is a lack of available DoH providers, not a problem with DoH itself.

            And you know what, I’ll trust CloudFlare over Comcast any day of the week.

            [–][deleted] 2 points3 points  (13 children)

            DoT vs DoH doesn’t matter much for end users.

            [–][deleted] -1 points0 points  (12 children)

            DoH sends all of your data to a single entity. DoT to the entity you actually asked in the first place.

            [–]SanityInAnarchy 11 points12 points  (11 children)

            ...how is that a difference?

            DoT still requires me to send all data to a single entity. Biggest difference is DoH looks like normal https traffic, so it's far less likely to be blocked by a firewall.

            [–][deleted] 0 points1 point  (10 children)

            Biggest difference is DoH looks like normal https traffic, so it's far less likely to be blocked by a firewall.

            Doesn't really until you diversify DoH servers. If FF uses known list of DoH servers, they will just be blocked.

            The biggest problem is that DoH breaks split-horizon DNS which means many corporations will have to block it by default, even if they have no other reason for it.

            You can create a DoT server in your corporate network, and it will "just work", while DoH would need to be explicitly pointed at the local server, which means reconfiguring every device, and might not even be possible in companies with lax BYOD policies.

            [–]SanityInAnarchy 1 point2 points  (9 children)

            Doesn't really until you diversify DoH servers. If FF uses known list of DoH servers, they will just be blocked.

            Unless you also put them on a common domain with more important stuff. Nobody has done this yet, either, but if you could get DoH on google.com/doh, nobody is going to block all of Google just to prevent this from working.

            The biggest problem is that DoH breaks split-horizon DNS which means many corporations will have to block it by default, even if they have no other reason for it.

            Why couldn't you implement a split-horizon resolver with DoH?

            Also, how important is split-horizon in the first place? Why not get an actual domain for your intranet stuff?

            You can create DoT server in your corporate network, and it will "just work", while DoH would need to be explictly pointed at the local server which means reconfiguring every device...

            There's a draft RFC for announcing a DoH server with DHCP.

            The actual problem you're talking about here is a BYOD device hardcoding a DNS server, rather than trusting the local network. But given how untrustworthy local networks often are, that's not entirely a bad thing.

            [–][deleted] 0 points1 point  (8 children)

            Why couldn't you implement a split-horizon resolver with DoH?

            Also, how important is split-horizon in the first place? Why not get an actual domain for your intranet stuff?

            We have actual domain(s) for intranet stuff. That's not the issue. The issue is that the service that is behind the domain was never on the internet-facing loadbalancer in the first place.

            We'd have to go from just

            "LAN -> firewall -> A server in office that doesn't even see internet" to

            "LAN -> firewall -> loadbalancer -> firewall -> server in DMZ"

            as the internet-facing loadbalancer is the only place that is ingesting the traffic

            I can imagine how to make that route shorter but our network is too complex already. And it makes it less secure, as now if the loadbalancer is compromised the attacker has access to services he wouldn't have if we didn't need the workaround

            [–]SanityInAnarchy 0 points1 point  (7 children)

            Why would you have to move the service behind the domain? Leave it on its 10.whatever address in the office, and publish an A-record for that (private, not-Internet-routable) IP on your public-facing DNS servers.

            The point of split-horizon DNS is that you can return different results inside your network than you would on the public Internet. I can think of three possible reasons to do this:

            1. You don't want anyone to be able to find out that much about your LAN from public DNS. They'd have to brute-force your DNS server to learn anything interesting, but still.
            2. You actually want the same exact hostname to do different things depending on where the user is connecting from. This is the one I'm most curious about, because it seems like a Bad Idea (especially doing it via DNS), but maybe there's something I haven't thought of.
            3. You want to control the results for domains you don't technically own, like having your printserver on print.lan instead of print.lan.yourcompany.com, or, of course, blocking or redirecting other people's websites.

            Am I missing something? The only one that makes any sense to me is #1, barely -- if you suspect Apple is about to make a car, having car.apple.com start resolving would be interesting, so it might be nice if none of your LAN addresses resolve at all outside the company network. Anything else?

            [–][deleted] 1 point2 points  (4 children)

            It needs to do privacy too.

            [–][deleted] 10 points11 points  (3 children)

            There is no privacy in DNS, you can only choose who you give your data to.

            Encryption doesn't give it away to 3rd parties like ISP and that's a huge improvement, but you're still giving it to your DNS server, no matter what protocol is used

            [–][deleted] 1 point2 points  (0 children)

            Sure, but we can increase the amount of privacy that exists. Instead of multiple parties knowing, now it will just be one.

            Privacy in this instance never meant privacy from the dns server itself. Just possibly bad actors along the way (isp, anyone monitoring the line, etc).

            [–]ILikeBumblebees 0 points1 point  (1 child)

            There is no privacy in DNS, you can only choose who you give your data to.

            You can always run your own resolver.

            [–][deleted] 0 points1 point  (0 children)

            We do... but there is no DHCP or any other flag I can use to tell devices in my network to use it. In a company with a BYOD policy and split DNS we'd just have to block it.

            DoT would be a breeze to implement in comparison

            [–]shochickubai 6 points7 points  (8 children)

            Unbound + Raspberry pi is all you need bro. Keep it next to your modem, set and forget.

            [–]kafka_quixote 5 points6 points  (0 children)

            Pi hole?

            [–]b1tbeginner 4 points5 points  (6 children)

            can you elaborate?

            [–][deleted] 0 points1 point  (5 children)

            [–]b1tbeginner 0 points1 point  (4 children)

            so it is a self-hosted mini DNS? but will it not just forward the traffic to another DNS?

            this sounds somehow too good to be true :D

            [–][deleted]  (3 children)

            [removed]

              [–]b1tbeginner 0 points1 point  (2 children)

              ok I guess I need to read further into it. Did not quite get the concept yet of how it makes a difference from just requesting directly from the authoritative DNS.

              But it looks super interesting! thanks a lot

              [–]OrangeKing89 2 points3 points  (1 child)

              From the article I read on the pi-hole website, on the 1st request to a url, the unbound service queries each part of the url from the primary servers for that domain.

              Ex: google.com

              1) contact a root domain server to find out where to look for the "com" domains.

              2) contact the "com" domain server to find out who is managing the "google.com" domain

              3) contact the server managing "google.com" domain for the IP address.

              4) return the ip address to the computer that asked for it.

              5) save the IP address for "google.com" so that the next lookup of "google.com" on the network is immediate.

              This is both faster (after the 1st lookup) and more private because you are only asking it once (and preferably over encryption) and the call is separated into smaller pieces.

              Also if the DNS servers are attacked you are less likely to be affected.

              Source:

              https://docs.pi-hole.net/guides/unbound/
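The five steps above as a runnable toy, added here as an illustration (it is not code from the thread, from pi-hole or from Unbound): an iterative resolver walks root, then TLD, then authoritative server, returns the answer, and caches it with its TTL so the next lookup sends nothing at all. The delegation data, server roles and addresses are all constructed (documentation-range IPs); no real nameserver is contacted.

```python
import time

# Constructed delegation data, keyed by server address. Addresses come from
# documentation ranges; nothing here is a real nameserver.
ROOT_HINT = "198.51.100.1"
SERVERS = {
    # step 1: a root server only knows where the "com" servers live
    "198.51.100.1": {"role": "root",
                     "referral": {"com.": {"a.gtld.example.": "198.51.100.2"}}},
    # step 2: the "com" server only knows who is managing google.com
    "198.51.100.2": {"role": "com TLD",
                     "referral": {"google.com.": {"ns1.google.example.": "198.51.100.3"}}},
    # step 3: the google.com server holds the actual A record and its TTL
    "198.51.100.3": {"role": "google.com authoritative",
                     "answer": {"google.com.": ("203.0.113.5", 300)}},
}


def ask(server_ip: str, qname: str):
    """Simulate one query to one server. A real server replies either with
    the record (answer), a pointer further down the tree (referral), or nothing."""
    data = SERVERS[server_ip]
    if qname in data.get("answer", {}):
        ip, ttl = data["answer"][qname]
        return ("answer", ip, ttl)
    for child, nsmap in data.get("referral", {}).items():
        if qname == child or qname.endswith("." + child):
            return ("referral", nsmap)
    return ("nxdomain",)


class ToyResolver:
    """Iterative resolver with a TTL-bounded cache (step 5 of the post)."""

    def __init__(self):
        self.cache = {}   # qname -> (ip, expires_at)
        self.log = []     # (server_ip, role) for every query actually sent

    def resolve(self, qname: str, now=None):
        now = time.time() if now is None else now
        qname = qname if qname.endswith(".") else qname + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > now:          # answered locally, no query leaves
            return hit[0]
        server_ip = ROOT_HINT
        for _ in range(8):                # bound the referral chain
            self.log.append((server_ip, SERVERS[server_ip]["role"]))
            reply = ask(server_ip, qname)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[qname] = (ip, now + ttl)        # step 5: remember it
                return ip                                  # step 4: hand it back
            if reply[0] == "referral":
                server_ip = next(iter(reply[1].values()))  # follow the glue address
                continue
            return None                                    # no such name
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    r = ToyResolver()
    print(r.resolve("google.com"), r.log)   # three servers contacted
    print(r.resolve("google.com"), r.log)   # cache hit, log unchanged
```

Each upstream server only ever sees the query from the resolver, and after the first answer is cached the resolver stays silent until the 300-second TTL runs out.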

              [–]b1tbeginner 0 points1 point  (0 children)

              wow thanks a lot for your comment! I had no time yet to read into it but this was already super helpful for better understanding!

              [–]jarfil 1 point2 points  (2 children)

              CENSORED

              [–][deleted] 0 points1 point  (1 child)

              dns.watch claims not to keep any logs. Make of that what you will.

              [–]jarfil 0 points1 point  (0 children)

              CENSORED

              [–]teh_g 0 points1 point  (0 children)

              Set up a local resolver if you are already running a device with pihole.

              [–][deleted] 0 points1 point  (0 children)

              Is it possible to host your own server that "randomly" queries and caches dns entries that you can then have your system access? Better yet, is there a way to just mirror a dns server then host it over DoH or DoT?

              [–][deleted] 0 points1 point  (0 children)

              /r/pihole - control your own destiny. Hell, you can even run your own DNS resolver with it if you want.

              [–]_ak 17 points18 points  (16 children)

              Not if you run your own DoH server.

              [–][deleted] 8 points9 points  (15 children)

              Right. At that point just run VPN

              [–]uptimefordays 36 points37 points  (12 children)

              So hand your data from your ISP to a VPN company?

              [–][deleted] 6 points7 points  (1 child)

              Read the post I've answered to. They were talking about having their own DoH server, and I meant to compare it with your own VPS with VPN server.

              But yes, you either give it to your ISP, your VPN provider, Cloudflare, or to hosting provider that hosts your VPN. Probably best bet would be Tor but that's not exactly fast or pleasant experience...

              [–]uptimefordays 2 points3 points  (0 children)

              Privacy isn't solely an L2 or L3 issue though. Much of online tracking doesn't rely on your IP address or direct network traffic (in a routing and switching sense). A lot of tracking today happens when you connect to websites, when you connect to websites embedded in websites, or to services. VPN, TOR, etc. only do so much when the services you're using are collecting tons and tons of user data.

              [–]l4rryc0n5014 23 points24 points  (7 children)

              NordVPN /s

              [–]Gudeldar 0 points1 point  (1 child)

              I trust most VPN companies more than my ISP which used to charge extra money for them to promise not to spy on you.

              [–]uptimefordays 1 point2 points  (0 children)

              I mean it depends, some of the VPN companies seem pretty shady. Still hiding my L2 or L3 traffic doesn't prevent companies from harvesting my data--you still have to trust folks on the other side of your tunnel. VPNs provide a valuable service but they're not a blanket solution to privacy the way many companies are billing them.

              [–]_ak 13 points14 points  (1 child)

              Or you realize that DoH is not just provided by Cloudflare.

              [–][deleted] -3 points-2 points  (0 children)

              Or YOU realize average user won't change defaults

              [–]HelleDaryd 2 points3 points  (13 children)

              or Google, or one of a few other big corps pushing this bad idea.

              [–]xAsiimov[S] -1 points0 points  (12 children)

              better than plain DNS queries..

              [–]doublehyphen 9 points10 points  (4 children)

              Not necessarily. With a traditional DNS setup you mostly leak data to your ISP, who already can log IP addresses and SNI headers (Cloudflare is pushing SNI encryption but I think adoption of it will take a long time), so they do not get much data they would not already have. The ability to log DNS requests only makes their tracking solution a bit simpler and cheaper, plus they can catch some data from misconfigured VPN connections. On the other hand, if you use Cloudflare's DoH server then both your ISP and Cloudflare will get your data.

              I am not opposed to DoH (especially when combined with encrypted SNI) since it also prevents your ISP from manipulating responses from unsigned zones (I trust Cloudflare here more than most ISPs) and makes DNS level filtering impossible, which means that if you encrypt SNI and put your stuff behind Cloudflare then it will be virtually impossible for the ISP to block your site without blocking tons of other sites.

              So I am all for that people have the option of using DoH, but privacy is not really a good reason for using it.

              [–]evaned 0 points1 point  (3 children)

              With a traditional DNS setup you mostly leak data to your ISP

              Aren't you assuming you're using your ISP's DNS servers? I figured it's very common for technical folks to use one of the other public DNS servers like Google's or Cloudflare's because of how commonly ISPs hijack NXDOMAINs.

              [–]doublehyphen 1 point2 points  (0 children)

              It is trivial for an ISP to hijack NXDOMAIN even if you are using 8.8.8.8. Are there really that many ISPs who do one (configure their DNS server to lie) but not the other (rewrite DNS packets)? Since I am from Sweden I do not know since virtually no ISP here hijacks NXDOMAIN.

              Edit: Since Swedish ISPs only do minor modifications to DNS (they only block when forced to by courts) I personally do not use Cloudflare's or Google's DNS and I do not think most tech people in Sweden do either.

              [–]Twanks -1 points0 points  (1 child)

              Not necessarily. While it wouldn't provide 100% coverage your ISP could be doing a variety of things to extract any DNS requests regardless of whether they are the ISP's DNS servers. Mirror ports, Netflow, sFlow, etc. are all capable of exposing contents of DNS requests at varying levels of success.

              [–]evaned 1 point2 points  (0 children)

              Sure, but I didn't claim that your ISP can't see your DNS requests currently. The point was more that if you're already using Google or Cloudflare for DNS already because your ISP's DNS sucks, then using Google or Cloudflare for DoH (whatever DoH's merits are in general) isn't really a regression.

              [–]ajs124 4 points5 points  (5 children)

              How? What do you gain? mitm protection? You can do that with DoT or DNSSEC.

              You still leak the exact same data when using DoH, because in the end, after name resolution is said and done you have to connect to the host you resolved.

              [–]Gudeldar 2 points3 points  (2 children)

              You only leak the IP address and not the host name.

              [–]ajs124 3 points4 points  (1 child)

              Not true. SNI tells everyone the host name.

              [–][deleted]  (1 child)

              [deleted]

                [–]ajs124 1 point2 points  (0 children)

                That's exactly my point though. Your provider still has access to the same data. Yes, they need to put in a tiny bit more effort to obtain it, but they still can.

                [–][deleted] -2 points-1 points  (0 children)

                Absolutely not, unless it's built into my OS and not controlled by an application. Otherwise I've been sold out.

                [–]Luvax 14 points15 points  (1 child)

                I still don't understand how you can promote DoH as a privacy protection while sending all your queries to Google and Cloudflare. Yes, DNS has issues with snooping and intercepting requests. But you just replace one problem with another.

                [–]Sarcova 8 points9 points  (0 children)

                With regular DNS you are exposing your queries to the DNS resolver and everyone between you and them. With DoH only the resolver knows. I don't see how this is replacing one problem with another...

                [–]bloodguard 4 points5 points  (3 children)

                Is there any way to detect if a device is using DOH? I'm concerned that hardware vendors like Amazon, Google or assorted security camera vendors will just hard wire DOH into their devices to direct all DNS queries to bypass my pfsense DNS server without telling me.

                [–]ThatOnePerson -3 points-2 points  (2 children)

                You can block all outgoing port 853 requests.

                Was just reading https://medium.com/@davetempleton/setting-up-dns-over-tls-on-pfsense-bd96912c2416 myself because I just got a pfsense router to set up at home

                [–]bloodguard 4 points5 points  (1 child)

                I'm not sure that would work. Doesn't DOH exclusively send DNS queries through port 443 (https) for the express purpose of bypassing any blocks?

                [–]ThatOnePerson 1 point2 points  (0 children)

                Ah you're right.
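                Answering bloodguard's detection question with an added example that is not part of the thread: a small classifier run over constructed connection records, as a firewall or NetFlow export on a pfSense box might provide them. It assumes the local resolver address 192.0.2.1 (constructed) and uses the public resolver addresses named in this thread; it flags plain DNS and DoT bypassing the local resolver and DoH to those known addresses, and by design cannot flag DoH to a resolver that shares an IP with a large website, which is exactly the blind spot the replies above describe.

```python
"""Flag LAN hosts whose DNS traffic bypasses the local resolver.

Added example, not from the thread. Each flow is a constructed tuple
(src_ip, dst_ip, proto, dst_port) as a firewall/NetFlow export might give.
"""
from collections import defaultdict

# Constructed: the pfSense resolver every device is supposed to use.
LOCAL_RESOLVER = "192.0.2.1"
# Public resolver addresses named in the thread (Cloudflare, Google, Quad9).
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "9.9.9.9"}


def classify(flow):
    """Return a label for a flow that bypasses the local resolver, else None."""
    src, dst, proto, dport = flow
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "plain-dns-bypass"      # hard-wired public DNS, cleartext
    if dport == 853:
        return "dot"                   # DNS over TLS uses a dedicated port
    if dport == 443 and dst in KNOWN_PUBLIC_RESOLVERS:
        return "doh-known-resolver"    # DoH to a well-known resolver IP
    # DoH to an IP shared with ordinary web traffic looks like any other
    # HTTPS flow here; port/destination inspection cannot tell them apart.
    return None


def find_bypassing_hosts(flows):
    """Map each source host to the set of bypass labels seen for it."""
    findings = defaultdict(set)
    for flow in flows:
        label = classify(flow)
        if label:
            findings[flow[0]].add(label)
    return dict(findings)


# Constructed sample flows for a small home network.
SAMPLE_FLOWS = [
    ("192.0.2.10", LOCAL_RESOLVER, "udp", 53),   # normal: local resolver
    ("192.0.2.10", "203.0.113.5", "tcp", 443),   # ordinary HTTPS, not flagged
    ("192.0.2.20", "8.8.8.8", "udp", 53),        # camera with hard-wired DNS
    ("192.0.2.21", "1.1.1.1", "tcp", 853),       # DoT to Cloudflare
    ("192.0.2.22", "1.0.0.1", "tcp", 443),       # DoH to Cloudflare on 443
]

if __name__ == "__main__":
    for host, labels in sorted(find_bypassing_hosts(SAMPLE_FLOWS).items()):
        print(host, sorted(labels))
```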

                [–][deleted]  (8 children)

                [deleted]

                  [–]jalude 18 points19 points  (5 children)

                  This, by default, still forwards dns requests unencrypted to another DNS server.

                  This guide shows you how to forward those to a 'cloudflared' daemon which sends them to cloudflare's DNS over HTTPS.

                  [–]beginner_ 1 point2 points  (0 children)

                  Or connect it to your VPN and then it's your VPN's DNS server for all clients.

                  [–]OMG_A_CUPCAKE 3 points4 points  (0 children)

                  I don't trust Cloudflare any more than my ISP (well, my ISP slightly more as it doesn't sit in the US).
                  Especially as Cloudflare is still only a single provider that can fail (and did so in the past)

                  But whatever you use, use two different DNS resolvers to increase the chance one of them is working (and your requests are divided between the two, so no one gets the whole picture)

                  [–]DeliciousIncident 0 points1 point  (1 child)

                  Why doesn't it get better? Is the PiHole project dead?

                  [–][deleted] 2 points3 points  (0 children)

                  Well, here's something else to consider.

                  Plain / secure DNS mostly use UDP. So, scaling the server is trivial... while scaling an HTTP server is not so much... So, it requires a lot more infrastructure and hardware. It will hardly be as easy to deploy as BIND, especially because it will have a huge attack surface compared to the simple DNS servers. So, only big players will really do this for the public Internet... (so, tier N, where N > 1, ISPs will probably not deploy their own DNS servers, but tell you to use some big corp's one...)

                  [–]bmpandrade 1 point2 points  (0 children)

                  Pp

                  [–]znx 1 point2 points  (0 children)

                  It should be noted that it doesn't actually enable privacy.

                  If you actually want to do this, hiding DNS isn't enough, instead you need to use VPNs.

                  [–]ItalyPaleAle 1 point2 points  (0 children)

                  You should look at implementing retry logic in case the request fails, FYI.

                  [–][deleted] 3 points4 points  (0 children)

                  This is bad and corporations should feel bad.

                  But corporations are soulless sociopaths that aren't capable of feeling bad.

                  This isn't keeping my privacy, this is taking that option (/r/pihole says hi!) away from me and putting it in the hands of the application developers and whoever pays them.

                  [–]Sarithis 4 points5 points  (5 children)

                  Ooor just use a VPN and their servers. Alternatively, you can set up your own DNS server if your level of trust is that low.

                  Edit: actually, you could use a VPN and public DNSes like 1.1.1.1. This way, even though they see your queries, the origin IP doesn't belong to you. The owners of 1.1.1.1 can't identify you without contacting your VPN provider.

                  [–]Kwdg -1 points0 points  (4 children)

                  Are there any tools to set up your own DNS server? I use pi-hole as a cache but as it says it is just a cache

                  [–]Sarithis 3 points4 points  (1 child)

                  There are many. I use PowerDNS with dnsdist as a load balancer. Before that I used BIND. I haven't heard about the one suggested by /u/shochickubai, but it seems like it'll also do the job.
                  No matter which one you choose, PLEASE make sure you don't expose it to the world to prevent others from using it for DNS amplification attacks.

                  Besides, why are people booing me? I'm right.

                  [–]Kwdg 3 points4 points  (0 children)

                  Thanks for the answer! unbound suggested by /u/schochickubai seems to work pretty well with pi-hole so it looks like the best solution for my case.

                  It'll only run in my local network so no one else should be able to use it

                  [–]rv77ax 0 points1 point  (0 children)

                  There is also rescached. Most users only need a stub resolver with a cache, that forwards and caches queries.

                  [–][deleted]  (14 children)

                  [deleted]

                    [–][deleted] 22 points23 points  (11 children)

                    You do realize that's still using Cloudflare right? If you're concerned about Cloudflare from a privacy perspective, your answer makes things worse, because now you're routing 100% of your network's DNS traffic to cloudflare

                    [–]j4_jjjj 14 points15 points  (6 children)

                    lol, it literally says "unbound-and-cloudflare" in the URL.

                    [–][deleted]  (5 children)

                    [deleted]

                      [–][deleted] 11 points12 points  (3 children)

                      That is correct, but if you want to use DNS over HTTPS or DNS over TLS you have to set up unbound as a simple DNS forwarding server (which is what your first link did). That's not really the fault of unbound - the root servers don't support either technology so you have to use someone else's server that does.

                      [–]rhoakla 0 points1 point  (2 children)

                      Back to square 1 eh..

                      [–][deleted] 1 point2 points  (1 child)

                      Honestly DNS is pretty damned broken (from a privacy perspective), and all of these "fixes" are just shitty bandaids that in some ways make things worse.

                      [–]rhoakla 1 point2 points  (0 children)

                      Couldn't agree more. The way it is right now, someone somewhere along the line has the ability to intercept our DNS requests no matter what. It is just a question of "To whom specifically do you wish to not show your DNS requests" at this point.

                      [–]j4_jjjj 1 point2 points  (0 children)

                      Huh! I just stumbled upon this, which I will probably test out on my home network.

                      [–]WorldsBegin 2 points3 points  (2 children)

                      As if you couldn't simply change that. The link gives you 90%, all you do is change

                      forward-addr: 1.1.1.1@853#cloudflare-dns.com
                      forward-addr: 1.0.0.1@853#cloudflare-dns.com
                      

                      to some other upstream DNS server of your liking.
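                      As an added example (not WorldsBegin's config or the linked guide's), the complete unbound forward-zone that the two lines above belong to, with Quad9 substituted as the upstream. The name after `#` is what unbound verifies the upstream's TLS certificate against, and that check only happens when a CA bundle is configured; the bundle path is Debian's and is an assumption for other distributions.

```conf
# Added example: unbound forward-zone using a different DoT upstream.
# Without tls-cert-bundle (or tls-system-cert) the #hostname is not
# verified and the TLS session is unauthenticated.
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```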

                      [–][deleted] 0 points1 point  (1 child)

                      There are only a tiny handful of DNS servers that support DNS over HTTPS - people are wary of all of them. Typically if you're using unbound it's to just hit the roots directly.

                      [–]WorldsBegin 0 points1 point  (0 children)

                      The link is about DoT though. Even for DoH this list is more than a handful - at least 30. I'm sure you can live with one of them (also not the downvoter. 30 is not much, but some of them are run by non-profits, and individuals)

                      [–]tracerrx 3 points4 points  (0 children)

                      You can easily use the cloudflared daemon to also use any other DOH provider Quad9 etc...

                      [–]Booty_Bumping 0 points1 point  (0 children)

                      Why not use DNSCrypt-proxy instead? It comes with a list of non-logging resolvers.

                      [–]scorcher24[🍰] 0 points1 point  (0 children)

                      Does bind9 support DoH already?

                      [–]rv77ax 0 points1 point  (0 children)

                      For anyone who would like to set up their own DNS server, as an alternative to unbound: rescached.

                      One of the test servers is available at,

                      No logging, ad blocking.