<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments on: [Axis of Easy] #SaveDotOrg: Why ISOC Sold The .ORG TLD To A Private Equity Firm	</title>
	<atom:link href="https://axisofeasy.com/aoe/axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/feed/" rel="self" type="application/rss+xml" />
	<link>https://axisofeasy.com/aoe/axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/?pk_campaign=feed&#038;pk_kwd=axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm&#038;utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm</link>
	<description>Rapid Coverage of a World Gone Full Cyberpunk</description>
	<lastBuildDate>Sat, 11 Apr 2020 08:55:39 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>
		By: CJ Smith		</title>
		<link>https://axisofeasy.com/aoe/axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/?pk_campaign=feed&#038;pk_kwd=axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/#comment-28949</link>

		<dc:creator><![CDATA[CJ Smith]]></dc:creator>
		<pubDate>Wed, 11 Dec 2019 21:03:28 +0000</pubDate>
		<guid isPermaLink="false">https://easydns.com/?p=19441#comment-28949</guid>

					<description><![CDATA[Re: How DNS-over-HTTPS would affect net neutrality

On DNS-over-HTTPS, we need to dig deeper.

Everything here is right on the mark, but from what I have read, there are deep technical and environmental concerns that suggest DNS-over-HTTPS has seriously problematic side effects compared to DNS-over-TLS. I get the impression that a large chunk of the discussion goes in the direction of &quot;if those ISPs want to block this DoH thing, it must be good&quot;. The prevalence of &quot;bad objections&quot; does not automatically make the target of those objections &quot;good&quot;. Or an alternate cliché - the enemy of my enemy is not automatically my friend.

Bert&#039;s blog entry heads in that direction, although he doesn&#039;t really touch on the side effects of DoH being widely implemented. And the last current comment there (Dec 5, 8:06) falls straight into the pit, suggesting that if too much centralization is the problem, widespread DoH would deal with it. The comment even treats DNS-over-HTTPS and DNS-over-TLS as equivalent, when a careful and wider reading suggests that the two are anything but equivalent either as individual solutions or widespread solutions.

Try looking up what Paul Vixie has written, and follow some of those threads. Look up the use of DNS-over-HTTPS for exfiltration. A lot of it relates to enterprise concerns, which although valid, might seem to be out of scope for small-scale users. Think through what those same concerns mean on a home network of a few computers, a few phones, a few smart TVs, and a half dozen IoT devices.

A notable part of the problem is that the one thing DNS-over-HTTPS does do - prevent on the wire interception - causes significant small-network problems down the road. As an example, on my home network, I use a subscribed DNS service - and any attempts to use port 53 to go around the router&#039;s DNS server are blocked. This means I can review logs and see what requests are being made. With DNS-over-HTTPS, DNS is now on port 443, so DNS is indistinguishable from browser traffic. This might be good for your browser - but it is also good for any malware on your system or small network, and also good for any unsavoury IoT devices that someone has hooked up.

Remember that it is possible to use recursive DNS to exfiltrate data, not just to contact a C&#038;C server. Now the malicious stuff doesn&#039;t even need a matching website - they can just exfiltrate using Google or CloudFlare.

In my view, the worst part is that at least I can deal with the centralization issues on my end by making specific choices in my browser, in my system, and in my network, both with DNS destination and protocol choices, and maybe even with a VPN. But if DNS-over-HTTPS becomes widespread, I can do almost nothing to deal with the negative side effects that follow relating to malicious use of the protective features. Even a VPN would still basically tunnel any malicious DNS-over-HTTPS traffic out to an endpoint, where it can continue on its way, while remaining invisible to me the entire time.]]></description>
			<content:encoded><![CDATA[<p>Re: How DNS-over-HTTPS would affect net neutrality</p>
<p>On DNS-over-HTTPS, we need to dig deeper.</p>
<p>Everything here is right on the mark, but from what I have read, there are deep technical and environmental concerns that suggest DNS-over-HTTPS has seriously problematic side effects compared to DNS-over-TLS. I get the impression that a large chunk of the discussion goes in the direction of &#8220;if those ISPs want to block this DoH thing, it must be good&#8221;. The prevalence of &#8220;bad objections&#8221; does not automatically make the target of those objections &#8220;good&#8221;. Or an alternate cliché &#8211; the enemy of my enemy is not automatically my friend.</p>
<p>Bert&#8217;s blog entry heads in that direction, although he doesn&#8217;t really touch on the side effects of DoH being widely implemented. And the last current comment there (Dec 5, 8:06) falls straight into the pit, suggesting that if too much centralization is the problem, widespread DoH would deal with it. The comment even treats DNS-over-HTTPS and DNS-over-TLS as equivalent, when a careful and wider reading suggests that the two are anything but equivalent either as individual solutions or widespread solutions.</p>
<p>Try looking up what Paul Vixie has written, and follow some of those threads. Look up the use of DNS-over-HTTPS for exfiltration. A lot of it relates to enterprise concerns, which although valid, might seem to be out of scope for small-scale users. Think through what those same concerns mean on a home network of a few computers, a few phones, a few smart TVs, and a half dozen IoT devices.</p>
<p>A notable part of the problem is that the one thing DNS-over-HTTPS does do &#8211; prevent on the wire interception &#8211; causes significant small-network problems down the road. As an example, on my home network, I use a subscribed DNS service &#8211; and any attempts to use port 53 to go around the router&#8217;s DNS server are blocked. This means I can review logs and see what requests are being made. With DNS-over-HTTPS, DNS is now on port 443, so DNS is indistinguishable from browser traffic. This might be good for your browser &#8211; but it is also good for any malware on your system or small network, and also good for any unsavoury IoT devices that someone has hooked up.</p>
<p>Remember that it is possible to use recursive DNS to exfiltrate data, not just to contact a C&amp;C server. Now the malicious stuff doesn&#8217;t even need a matching website &#8211; they can just exfiltrate using Google or CloudFlare.</p>
<p>In my view, the worst part is that at least I can deal with the centralization issues on my end by making specific choices in my browser, in my system, and in my network, both with DNS destination and protocol choices, and maybe even with a VPN. But if DNS-over-HTTPS becomes widespread, I can do almost nothing to deal with the negative side effects that follow relating to malicious use of the protective features. Even a VPN would still basically tunnel any malicious DNS-over-HTTPS traffic out to an endpoint, where it can continue on its way, while remaining invisible to me the entire time.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Ron		</title>
		<link>https://axisofeasy.com/aoe/axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/?pk_campaign=feed&#038;pk_kwd=axis-of-easy-savedotorg-why-isoc-sold-the-org-tld-to-a-private-equity-firm/#comment-28948</link>

		<dc:creator><![CDATA[Ron]]></dc:creator>
		<pubDate>Tue, 10 Dec 2019 23:48:31 +0000</pubDate>
		<guid isPermaLink="false">https://easydns.com/?p=19441#comment-28948</guid>

					<description><![CDATA[Milton Friedman?]]></description>
			<content:encoded><![CDATA[<p>Milton Friedman?</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
