You do realise DoH requires handing all your DNS queries to a company like cloudflare right? I'd say that's pretty villainous. If you think firefox are being the good guys here, you're wrong.
Conversation
No, you can use any DoH nameserver you like, including your own on a VPS or safely use any one over Tor.
1
1
20
If you think that >0.001% of people will do that you're lying to yourself.
This is further centralisation of the Internet, and frankly we've seen the negative impacts of that already.
Wake up!
2
1
4
Vast majority of users are behind CGN that negates any ability of DoH provider to track whose queries are whose.
2
1
4
Bullshit! It's HTTPS, they can easily fingerprint the headers.
1
1
Huh? If a DoH client implementation sends any distinct headers that's a bug. Certainly there's no need to.
2
1
3
DNS-over-TLS does have the advantage of a lighter and more efficient implementation but DNS-over-HTTPS doesn't add any substantial attack surface in practice as long since it's already present. Using regular HTTPS traffic over port 443 also makes it more censorship resistant.
1
1
1
I still want FF to ship with DNS over Tor as the default. Tor capacity can't handle everyone's content traffic, but DNS traffic is plausible to handle, and with ESNI it would end content blocking.
1
1
1
They could improve the Tor network by asking people to opt-in to being a relatively low bandwidth relay. As long as the DNS server is a hidden service, it wouldn't put more burden on exit nodes which is the main bottleneck largely because it's so risky to run one in practice.
1
2
2
I don't think it will actually end content blocking, because they can move on to having their blocking maintain a list of IP addresses refreshed from DNS instead. It makes things harder and in many cases there will be some collateral damage due to centralization like Cloudflare.
1
1
Similarly, they can still see the IP being connected to and in many but not all cases that's as good as seeing the domain name. The collateral damage can deter some of the blocking but I don't think it stops it in general. For IPv6, there's also generally not IP reuse like that.
There are some potential privacy issues with DNS-over-TLS and DNS-over-HTTPS due to implementations reusing connections. It mostly applies to using DNS-over-{TLS,HTTPS} with a VPN or Tor though. Without a VPN or Tor source IP address is enough to tie together the requests anyway.
1
1
Show replies