Exactly this. I build a DNS security product that works at the router level. Everything is secure on home networks running the product and it uses DoT for privacy so that ISPs can’t view your data—no browser intervention needed. Browsers interfering with user-configured defaults is incredibly presumptuous. I’m worried browsers are becoming less user-agent and more platform-agent...
Great. Now I've taken my laptop out of my house (where I'm using your router) to the coffee shop downstairs where they use an ISP-provided gateway... And the ISP is spying on me again. Until the DNS request is encrypted, there are no solutions outside of a wholly self-managed network.
I’m unsure why this has to be set at the browser level instead of the OS level. What happens to all the DNS calls made by non-browser services on your laptop?
I believe it is due to technical problems of switching everything to DoH. Moreover, if we think about it, we'll see that it is not a Google or Mozilla problem, it is a problem of OS developers. For example, it might be done by gethostbyname using DoH to resolve names. But it is up to libc developers, and it would lead to other problems, like a system that stops working after an update because its custom configuration is incompatible with DoH.
Mozilla and Google became unsatisfied with gethostbyname, but they cannot change that part of the OS. So they are solving their problems on their side.
FWIW, Chrome using an upgrade list only checks the system config (doesn't do any "do I eventually end up using 8.8.8.8" checks), so it shouldn't upgrade DoH even if your backend resolver is a third-party.